Edit tour

Windows Analysis Report
Contrarre.exe

Overview

General Information

Sample name:	Contrarre.exe
Analysis ID:	1591666
MD5:	7d5c5b164f59713af8da5f243608ac8e
SHA1:	6ab62a0707e6f742e79b2f5a27b6f3b95ce8f01f
SHA256:	c470eab16e537bf777506e63bbedd58114c0403965e9a01965507ffd731dde4d
Tags:	exeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (SIDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Contrarre.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\Contrarre.exe" MD5: 7D5C5B164F59713AF8DA5F243608AC8E)

powershell.exe (PID: 7664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8020 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7700 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Contrarre.exe (PID: 7816 cmdline: "C:\Users\user\Desktop\Contrarre.exe" MD5: 7D5C5B164F59713AF8DA5F243608AC8E)

DWKfptrbzzV.exe (PID: 7912 cmdline: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe MD5: 7D5C5B164F59713AF8DA5F243608AC8E)

schtasks.exe (PID: 8108 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DWKfptrbzzV.exe (PID: 8164 cmdline: "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe" MD5: 7D5C5B164F59713AF8DA5F243608AC8E)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": "         feXwu@m?K@@L               ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdfa7:$a1: get_encryptedPassword 0xe2cf:$a2: get_encryptedUsername 0xdd42:$a3: get_timePasswordChanged 0xde63:$a4: get_passwordField 0xdfbd:$a5: set_encryptedPassword 0xf919:$a7: get_logins 0xf5ca:$a8: GetOutlookPasswords 0xf3bc:$a9: StartKeylogger 0xf869:$a10: KeyLoggerEventArgs 0xf419:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfb37:$a1: get_encryptedPassword 0x26957:$a1: get_encryptedPassword 0x3d577:$a1: get_encryptedPassword 0xfe5f:$a2: get_encryptedUsername 0x26c7f:$a2: get_encryptedUsername 0x3d89f:$a2: get_encryptedUsername 0xf8d2:$a3: get_timePasswordChanged 0x266f2:$a3: get_timePasswordChanged 0x3d312:$a3: get_timePasswordChanged 0xf9f3:$a4: get_passwordField 0x26813:$a4: get_passwordField 0x3d433:$a4: get_passwordField 0xfb4d:$a5: set_encryptedPassword 0x2696d:$a5: set_encryptedPassword 0x3d58d:$a5: set_encryptedPassword 0x114a9:$a7: get_logins 0x282c9:$a7: get_logins 0x3eee9:$a7: get_logins 0x1115a:$a8: GetOutlookPasswords 0x27f7a:$a8: GetOutlookPasswords 0x3eb9a:$a8: GetOutlookPasswords
00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x398ef:$a1: get_encryptedPassword 0x5070f:$a1: get_encryptedPassword 0x39c17:$a2: get_encryptedUsername 0x50a37:$a2: get_encryptedUsername 0x3968a:$a3: get_timePasswordChanged 0x504aa:$a3: get_timePasswordChanged 0x397ab:$a4: get_passwordField 0x505cb:$a4: get_passwordField 0x39905:$a5: set_encryptedPassword 0x50725:$a5: set_encryptedPassword 0x3b261:$a7: get_logins 0x52081:$a7: get_logins 0x3af12:$a8: GetOutlookPasswords 0x51d32:$a8: GetOutlookPasswords 0x3ad04:$a9: StartKeylogger 0x51b24:$a9: StartKeylogger 0x3b1b1:$a10: KeyLoggerEventArgs 0x51fd1:$a10: KeyLoggerEventArgs 0x3ad61:$a11: KeyLoggerEventArgsEventHandler 0x51b81:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.2963909253.0000000002B33000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2964165589.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x243bff:$a1: get_encryptedPassword 0x243f27:$a2: get_encryptedUsername 0x24399a:$a3: get_timePasswordChanged 0x243abb:$a4: get_passwordField 0x243c15:$a5: set_encryptedPassword 0x245571:$a7: get_logins 0x245222:$a8: GetOutlookPasswords 0x245014:$a9: StartKeylogger 0x2454c1:$a10: KeyLoggerEventArgs 0x245071:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Contrarre.exe PID: 7488	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Contrarre.exe PID: 7488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Contrarre.exe PID: 7488	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Contrarre.exe PID: 7488	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Contrarre.exe PID: 7488	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x79e26:$a1: get_encryptedPassword 0xb2443:$a1: get_encryptedPassword 0x7a089:$a2: get_encryptedUsername 0xb275c:$a2: get_encryptedUsername 0x79be8:$a3: get_timePasswordChanged 0xb21f2:$a3: get_timePasswordChanged 0x79cfd:$a4: get_passwordField 0xb2313:$a4: get_passwordField 0x79e3c:$a5: set_encryptedPassword 0xb2459:$a5: set_encryptedPassword 0x7b23a:$a7: get_logins 0xb3d5c:$a7: get_logins 0x7af97:$a8: GetOutlookPasswords 0xb3a0d:$a8: GetOutlookPasswords 0x7ae05:$a9: StartKeylogger 0xb37ff:$a9: StartKeylogger 0x7b19f:$a10: KeyLoggerEventArgs 0xb3cac:$a10: KeyLoggerEventArgs 0x7ae62:$a11: KeyLoggerEventArgsEventHandler 0xb385c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Contrarre.exe PID: 7816	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Contrarre.exe PID: 7816	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Contrarre.exe PID: 7816	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Contrarre.exe PID: 7816	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x18da5:$a1: get_encryptedPassword 0x190be:$a2: get_encryptedUsername 0x18b54:$a3: get_timePasswordChanged 0x18c75:$a4: get_passwordField 0x18dbb:$a5: set_encryptedPassword 0x1a6be:$a7: get_logins 0x1a36f:$a8: GetOutlookPasswords 0x1a161:$a9: StartKeylogger 0x1a60e:$a10: KeyLoggerEventArgs 0x1a1be:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: DWKfptrbzzV.exe PID: 7912	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: DWKfptrbzzV.exe PID: 7912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DWKfptrbzzV.exe PID: 7912	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DWKfptrbzzV.exe PID: 7912	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: DWKfptrbzzV.exe PID: 7912	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x25fac:$a1: get_encryptedPassword 0x262c5:$a2: get_encryptedUsername 0x25d5b:$a3: get_timePasswordChanged 0x25e7c:$a4: get_passwordField 0x25fc2:$a5: set_encryptedPassword 0x278c5:$a7: get_logins 0x27576:$a8: GetOutlookPasswords 0x27368:$a9: StartKeylogger 0x27815:$a10: KeyLoggerEventArgs 0x273c5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: DWKfptrbzzV.exe PID: 8164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.Contrarre.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.Contrarre.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.Contrarre.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.Contrarre.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
6.2.Contrarre.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data
7.2.DWKfptrbzzV.exe.41e9990.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.DWKfptrbzzV.exe.41e9990.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.DWKfptrbzzV.exe.41e9990.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.DWKfptrbzzV.exe.41e9990.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
7.2.DWKfptrbzzV.exe.41e9990.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
0.2.Contrarre.exe.41c3748.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.exe.41c3748.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.exe.41c3748.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.exe.41da568.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.exe.41da568.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.exe.41da568.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.exe.41c3748.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Contrarre.exe.41da568.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Contrarre.exe.41c3748.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
0.2.Contrarre.exe.41da568.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
7.2.DWKfptrbzzV.exe.42007b0.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.DWKfptrbzzV.exe.42007b0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.DWKfptrbzzV.exe.42007b0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.DWKfptrbzzV.exe.42007b0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
7.2.DWKfptrbzzV.exe.42007b0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bcd:$a4: \Orbitum\User Data\Default\Login Data 0x129c5:$a5: \Kometa\User Data\Default\Login Data
0.2.Contrarre.exe.41da568.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.exe.41da568.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.exe.41da568.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.exe.41da568.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.Contrarre.exe.41da568.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data
7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2ade1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a2df:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x2a5ed:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data 0x2b3e5:$a5: \Kometa\User Data\Default\Login Data
0.2.Contrarre.exe.4bdb838.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.exe.4bdb838.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.exe.4bdb838.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.exe.4bdb838.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6a3c7:$a1: get_encryptedPassword 0x6a6ef:$a2: get_encryptedUsername 0x6a162:$a3: get_timePasswordChanged 0x6a283:$a4: get_passwordField 0x6a3dd:$a5: set_encryptedPassword 0x6bd39:$a7: get_logins 0x6b9ea:$a8: GetOutlookPasswords 0x6b7dc:$a9: StartKeylogger 0x6bc89:$a10: KeyLoggerEventArgs 0x6b839:$a11: KeyLoggerEventArgsEventHandler
7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.exe.4b80418.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.exe.4b80418.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.exe.4b80418.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.exe.4b80418.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc57e7:$a1: get_encryptedPassword 0xc5b0f:$a2: get_encryptedUsername 0xc5582:$a3: get_timePasswordChanged 0xc56a3:$a4: get_passwordField 0xc57fd:$a5: set_encryptedPassword 0xc7159:$a7: get_logins 0xc6e0a:$a8: GetOutlookPasswords 0xc6bfc:$a9: StartKeylogger 0xc70a9:$a10: KeyLoggerEventArgs 0xc6c59:$a11: KeyLoggerEventArgsEventHandler
0.2.Contrarre.exe.4bdb838.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x6f3e1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6e8df:$a3: \Google\Chrome\User Data\Default\Login Data 0x6ebed:$a4: \Orbitum\User Data\Default\Login Data 0x6f9e5:$a5: \Kometa\User Data\Default\Login Data
0.2.Contrarre.exe.41c3748.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Contrarre.exe.41c3748.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Contrarre.exe.4b80418.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0xca801:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc9cff:$a3: \Google\Chrome\User Data\Default\Login Data 0xca00d:$a4: \Orbitum\User Data\Default\Login Data 0xcae05:$a5: \Kometa\User Data\Default\Login Data
7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.exe.41c3748.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Contrarre.exe.41c3748.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25fc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x262ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25d62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25e83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25fdd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27939:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x275ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x273dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27889:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27439:$a11: KeyLoggerEventArgsEventHandler
0.2.Contrarre.exe.41c3748.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2afe1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a4df:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x2a7ed:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data 0x2b5e5:$a5: \Kometa\User Data\Default\Login Data
7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25fc7:$a1: get_encryptedPassword 0x3cbe7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x262ef:$a2: get_encryptedUsername 0x3cf0f:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25d62:$a3: get_timePasswordChanged 0x3c982:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25e83:$a4: get_passwordField 0x3caa3:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25fdd:$a5: set_encryptedPassword 0x3cbfd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27939:$a7: get_logins 0x3e559:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x275ea:$a8: GetOutlookPasswords 0x3e20a:$a8: GetOutlookPasswords
7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2afe1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41c01:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136bf:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a4df:$a3: \Google\Chrome\User Data\Default\Login Data 0x410ff:$a3: \Google\Chrome\User Data\Default\Login Data 0x139cd:$a4: \Orbitum\User Data\Default\Login Data 0x2a7ed:$a4: \Orbitum\User Data\Default\Login Data 0x4140d:$a4: \Orbitum\User Data\Default\Login Data 0x147c5:$a5: \Kometa\User Data\Default\Login Data 0x2b5e5:$a5: \Kometa\User Data\Default\Login Data 0x42205:$a5: \Kometa\User Data\Default\Login Data
Click to see the 50 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Contrarre.exe", ParentImage: C:\Users\user\Desktop\Contrarre.exe, ParentProcessId: 7488, ParentProcessName: Contrarre.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe", ProcessId: 7664, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe, ParentImage: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe, ParentProcessId: 7912, ParentProcessName: DWKfptrbzzV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp", ProcessId: 8108, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Contrarre.exe", ParentImage: C:\Users\user\Desktop\Contrarre.exe, ParentProcessId: 7488, ParentProcessName: Contrarre.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp", ProcessId: 7700, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Contrarre.exe", ParentImage: C:\Users\user\Desktop\Contrarre.exe, ParentProcessId: 7488, ParentProcessName: Contrarre.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe", ProcessId: 7664, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Contrarre.exe", ParentImage: C:\Users\user\Desktop\Contrarre.exe, ParentProcessId: 7488, ParentProcessName: Contrarre.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp", ProcessId: 7700, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T09:19:08.549660+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.6.168	80	TCP
2025-01-15T09:19:12.127586+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49737	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Contrarre.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

Avira: detection malicious, Label: HEUR/AGEN.1311126

Found malware configuration

Source: 0.2.Contrarre.exe.41da568.0.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": " feXwu@m?K@@L ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

Virustotal: Detection: 31%

Perma Link

Multi AV Scanner detection for submitted file

Source: Contrarre.exe

Virustotal: Detection: 31%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Contrarre.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Contrarre.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: Contrarre.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 4x nop then jmp 00F19731h	6_2_00F19480
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 4x nop then jmp 00F19E5Ah	6_2_00F19A40
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 4x nop then jmp 00F19E5Ah	6_2_00F19A30
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 4x nop then jmp 00F19E5Ah	6_2_00F19D87
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 4x nop then jmp 00E19731h	11_2_00E19480
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 4x nop then jmp 00E19E5Ah	11_2_00E19A40
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 4x nop then jmp 00E19E5Ah	11_2_00E19A30
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 4x nop then jmp 00E19E5Ah	11_2_00E19D87

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Contrarre.exe, 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, DWKfptrbzzV.exe, 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: Contrarre.exe, 00000000.00000002.1727182623.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2963909253.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 00000007.00000002.1764883683.0000000002A18000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Contrarre.exe, 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, DWKfptrbzzV.exe, 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Contrarre.exe, 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: DWKfptrbzzV.exe, 0000000B.00000002.2961464632.0000000000C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189s

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.Contrarre.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.Contrarre.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.DWKfptrbzzV.exe.41e9990.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.DWKfptrbzzV.exe.41e9990.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.exe.41c3748.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Contrarre.exe.41da568.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Contrarre.exe.41c3748.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.exe.41da568.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.DWKfptrbzzV.exe.42007b0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.DWKfptrbzzV.exe.42007b0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.exe.41da568.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Contrarre.exe.41da568.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.exe.4bdb838.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Contrarre.exe.4b80418.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Contrarre.exe.4bdb838.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.exe.4b80418.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Contrarre.exe.41c3748.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Contrarre.exe.41c3748.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Contrarre.exe PID: 7488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Contrarre.exe PID: 7816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DWKfptrbzzV.exe PID: 7912, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_03034224	0_2_03034224
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_03034208	0_2_03034208
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_03037D98	0_2_03037D98
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634F400	0_2_0634F400
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_063480B8	0_2_063480B8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634FB58	0_2_0634FB58
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634E888	0_2_0634E888
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_063485B3	0_2_063485B3
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_063412F8	0_2_063412F8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_063412C0	0_2_063412C0
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634F370	0_2_0634F370
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634F3AA	0_2_0634F3AA
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634F3E6	0_2_0634F3E6
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634F3DB	0_2_0634F3DB
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634F3CF	0_2_0634F3CF
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634E8C1	0_2_0634E8C1
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B505B0	0_2_07B505B0
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B544C8	0_2_07B544C8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B54088	0_2_07B54088
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B55B30	0_2_07B55B30
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B54710	0_2_07B54710
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B54703	0_2_07B54703
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B5D768	0_2_07B5D768
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B5D759	0_2_07B5D759
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B536E8	0_2_07B536E8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B536D8	0_2_07B536D8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B505A0	0_2_07B505A0
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B534B8	0_2_07B534B8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B544B8	0_2_07B544B8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B534C8	0_2_07B534C8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B54446	0_2_07B54446
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B563E0	0_2_07B563E0
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B563D3	0_2_07B563D3
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B5D330	0_2_07B5D330
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B52288	0_2_07B52288
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B52278	0_2_07B52278
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B57153	0_2_07B57153
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B50006	0_2_07B50006
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B5407B	0_2_07B5407B
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B50040	0_2_07B50040
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B5EF68	0_2_07B5EF68
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B5EF58	0_2_07B5EF58
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B54EB0	0_2_07B54EB0
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B54EA0	0_2_07B54EA0
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B52E38	0_2_07B52E38
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B52E28	0_2_07B52E28
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B55B23	0_2_07B55B23
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B54A68	0_2_07B54A68
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B54A58	0_2_07B54A58
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B569B8	0_2_07B569B8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B569C8	0_2_07B569C8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B53960	0_2_07B53960
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B53950	0_2_07B53950
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B5F82F	0_2_07B5F82F
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B5C828	0_2_07B5C828
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_07B5F840	0_2_07B5F840
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_08355AA8	0_2_08355AA8
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_08350006	0_2_08350006
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_08350040	0_2_08350040
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 6_2_00F1C530	6_2_00F1C530
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 6_2_00F12DD1	6_2_00F12DD1
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 6_2_00F19480	6_2_00F19480
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 6_2_00F1C521	6_2_00F1C521
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 6_2_00F1946F	6_2_00F1946F
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_02874224	7_2_02874224
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_02874208	7_2_02874208
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_02877D98	7_2_02877D98
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B4368	7_2_072B4368
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B3F28	7_2_072B3F28
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B59D0	7_2_072B59D0
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B0850	7_2_072B0850
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072BC7D0	7_2_072BC7D0
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B2648	7_2_072B2648
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B2658	7_2_072B2658
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072BD6E0	7_2_072BD6E0
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B45A2	7_2_072B45A2
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B45B0	7_2_072B45B0
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B4358	7_2_072B4358
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B3208	7_2_072B3208
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B6271	7_2_072B6271
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B6280	7_2_072B6280
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B02D1	7_2_072B02D1
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B31F9	7_2_072B31F9
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072BEF20	7_2_072BEF20
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B3F1A	7_2_072B3F1A
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072BEF10	7_2_072BEF10
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B3D21	7_2_072B3D21
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B3D30	7_2_072B3D30
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B4D40	7_2_072B4D40
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B4D50	7_2_072B4D50
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072BDB09	7_2_072BDB09
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072BDB18	7_2_072BDB18
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B3AA8	7_2_072B3AA8
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B3AB8	7_2_072B3AB8
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B4908	7_2_072B4908
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B59C2	7_2_072B59C2
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B6868	7_2_072B6868
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B0840	7_2_072B0840
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B6858	7_2_072B6858
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B3888	7_2_072B3888
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B3898	7_2_072B3898
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B48F8	7_2_072B48F8
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 11_2_00E1C530	11_2_00E1C530
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 11_2_00E19480	11_2_00E19480
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 11_2_00E1C521	11_2_00E1C521
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 11_2_00E12DD1	11_2_00E12DD1
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 11_2_00E1946F	11_2_00E1946F

Source: Contrarre.exe, 00000000.00000002.1737742504.000000000AA50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Contrarre.exe
Source: Contrarre.exe, 00000000.00000000.1696366215.0000000000ED4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexUBj.exe< vs Contrarre.exe
Source: Contrarre.exe, 00000000.00000002.1737176160.00000000085C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Contrarre.exe
Source: Contrarre.exe, 00000000.00000002.1727182623.000000000334F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Contrarre.exe
Source: Contrarre.exe, 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Contrarre.exe
Source: Contrarre.exe, 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Contrarre.exe
Source: Contrarre.exe, 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Contrarre.exe
Source: Contrarre.exe, 00000000.00000002.1725752163.00000000015BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Contrarre.exe
Source: Contrarre.exe, 00000006.00000002.2961310537.00000000009A7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Contrarre.exe
Source: Contrarre.exe, 00000006.00000002.2961029373.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Contrarre.exe
Source: Contrarre.exe	Binary or memory string: OriginalFilenamexUBj.exe< vs Contrarre.exe

Source: Contrarre.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.Contrarre.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.Contrarre.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.DWKfptrbzzV.exe.41e9990.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.DWKfptrbzzV.exe.41e9990.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.exe.41c3748.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Contrarre.exe.41da568.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Contrarre.exe.41c3748.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.exe.41da568.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.DWKfptrbzzV.exe.42007b0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.DWKfptrbzzV.exe.42007b0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.exe.41da568.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Contrarre.exe.41da568.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.exe.4bdb838.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Contrarre.exe.4b80418.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Contrarre.exe.4bdb838.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.exe.4b80418.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Contrarre.exe.41c3748.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Contrarre.exe.41c3748.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Contrarre.exe PID: 7488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Contrarre.exe PID: 7816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: DWKfptrbzzV.exe PID: 7912, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Contrarre.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DWKfptrbzzV.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/11@2/2

Source: C:\Users\user\Desktop\Contrarre.exe

File created: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03

Source: C:\Users\user\Desktop\Contrarre.exe

File created: C:\Users\user\AppData\Local\Temp\tmp303B.tmp

Jump to behavior

Source: Contrarre.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Contrarre.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Contrarre.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Contrarre.exe, 00000006.00000002.2963909253.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2963909253.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2963909253.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Contrarre.exe

Virustotal: Detection: 31%

Source: C:\Users\user\Desktop\Contrarre.exe

File read: C:\Users\user\Desktop\Contrarre.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Contrarre.exe "C:\Users\user\Desktop\Contrarre.exe"
Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Users\user\Desktop\Contrarre.exe "C:\Users\user\Desktop\Contrarre.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process created: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"
Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Users\user\Desktop\Contrarre.exe "C:\Users\user\Desktop\Contrarre.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process created: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Contrarre.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Contrarre.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Contrarre.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_06341B03 push 840590A5h; iretd	0_2_06341B0D
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 0_2_0634EBFB push ecx; ret	0_2_0634EBFC
Source: C:\Users\user\Desktop\Contrarre.exe	Code function: 6_2_00F1B3A8 push eax; iretd	6_2_00F1B445
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Code function: 7_2_072B2081 push ebp; ret	7_2_072B20AC

Source: Contrarre.exe	Static PE information: section name: .text entropy: 7.540925361404492
Source: DWKfptrbzzV.exe.0.dr	Static PE information: section name: .text entropy: 7.540925361404492

Source: C:\Users\user\Desktop\Contrarre.exe

File created: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Contrarre.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DWKfptrbzzV.exe PID: 7912, type: MEMORYSTR

Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: 5190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: 8660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: 7CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: 9660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: A660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: AAB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: BAB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: CAB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Memory allocated: 4A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 49E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 76F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 86F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 88A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 98A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 9DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: ADF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Memory allocated: 2720000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe

Code function: 0_2_07B58E90 sidt fword ptr [eax]

0_2_07B58E90

Source: C:\Users\user\Desktop\Contrarre.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7527			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1941			Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe TID: 7508	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe TID: 7936	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Contrarre.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Contrarre.exe, 00000000.00000002.1725752163.00000000015F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Contrarre.exe, 00000006.00000002.2961415154.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2961464632.0000000000C65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"
Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Contrarre.exe

Memory written: C:\Users\user\Desktop\Contrarre.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Process created: C:\Users\user\Desktop\Contrarre.exe "C:\Users\user\Desktop\Contrarre.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Process created: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Users\user\Desktop\Contrarre.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Users\user\Desktop\Contrarre.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Contrarre.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Contrarre.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 6.2.Contrarre.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4bdb838.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4b80418.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DWKfptrbzzV.exe PID: 7912, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.Contrarre.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4bdb838.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4b80418.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DWKfptrbzzV.exe PID: 7912, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Contrarre.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 6.2.Contrarre.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4bdb838.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4b80418.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2963909253.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2964165589.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DWKfptrbzzV.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DWKfptrbzzV.exe PID: 8164, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 6.2.Contrarre.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4bdb838.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4b80418.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DWKfptrbzzV.exe PID: 7912, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.Contrarre.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41da568.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.42007b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4bdb838.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.4b80418.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.DWKfptrbzzV.exe.41e9990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Contrarre.exe.41c3748.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Contrarre.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DWKfptrbzzV.exe PID: 7912, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Contrarre.exe	32%	Virustotal		Browse
Contrarre.exe	100%	Avira	HEUR/AGEN.1311126
Contrarre.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	100%	Avira	HEUR/AGEN.1311126
C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe	32%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	Contrarre.exe, 00000006.00000002.2963909253.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Contrarre.exe, 00000006.00000002.2963909253.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029EC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Contrarre.exe, 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, DWKfptrbzzV.exe, 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	Contrarre.exe, 00000006.00000002.2963909253.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Contrarre.exe, 00000000.00000002.1727182623.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2963909253.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 00000007.00000002.1764883683.0000000002A18000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	Contrarre.exe, 00000000.00000002.1733718715.0000000007662000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	Contrarre.exe, 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, DWKfptrbzzV.exe, 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Contrarre.exe, 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Contrarre.exe, 00000006.00000002.2963909253.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, DWKfptrbzzV.exe, 0000000B.00000002.2964165589.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189s	DWKfptrbzzV.exe, 0000000B.00000002.2961464632.0000000000C65000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591666
Start date and time:	2025-01-15 09:18:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Contrarre.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/11@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 156 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Contrarre.exe, PID 7816 because it is empty
Execution Graph export aborted for target DWKfptrbzzV.exe, PID 8164 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:19:05	API Interceptor	1x Sleep call for process: Contrarre.exe modified
03:19:07	API Interceptor	19x Sleep call for process: powershell.exe modified
03:19:09	API Interceptor	1x Sleep call for process: DWKfptrbzzV.exe modified
08:19:07	Task Scheduler	Run new task: DWKfptrbzzV path: C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
104.21.96.1	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/kbd2/?EtJTX=_JVX4ryxDRQpLJF&cNPH=ufZ7RYF4yLxNXVSq5Vx/4TYieRbcnKjskkbM3L5RbgB1pAgqHA7sfCNkYWLyXRMMwBB3JLbYKUw1FAOWml6VLpxPVZ4qXf58MsNUIQgw/PJ5HUGIvLQvrl5frN9PrRFpPiAd2cDcH6Sr
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/58m5/
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.aonline.top/fqlg/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	50201668.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
checkip.dyndns.com	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	50201668.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	m68k.elf	Get hash	malicious	Unknown	Browse	193.122.239.186
	50201668.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	http://ubiquitous-twilight-c9292b.netlify.app/	Get hash	malicious	Unknown	Browse	129.213.176.209
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
CLOUDFLARENETUS	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	http://jfdhq.offerpeercheck.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	NEW SHIPPING DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	new order.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://qvg.soundestlink.com/ce/c/6783ea8fa36d871b210a875d/678648091eb09f6bc9efe05e/678648224da9c434ec77e1fc?signature=c3a7b24183dde70b3cc2cefa1e1d5f8ff6f1d434aea3b4c4cfdeccd85ad85929	Get hash	malicious	Unknown	Browse	104.18.42.178
	MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5 (1).zip	Get hash	malicious	Unknown	Browse	104.16.148.130
	https://url.rw/ddj4f	Get hash	malicious	Unknown	Browse	1.1.1.1
	Invdoc80.pdf	Get hash	malicious	HTMLPhisher	Browse	104.21.18.22
	https://padlet.com/prowebsolutions488/new-message-jba6y6w7rg9tzzmn	Get hash	malicious	HTMLPhisher	Browse	104.22.67.248

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	50201668.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\Contrarre.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DWKfptrbzzV.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:fLHyIFKL3IZ2KRH9Ougos
MD5:	28F8623974ADE7FF0B49C3406E91E372
SHA1:	739F9DD671D9788B182A7A2D506A3919CA1C6098
SHA-256:	3CFE86C229FC35A9886CD7D5A46DFF98C0389C9294C35AA82FA4F907A72E8269
SHA-512:	93E2DC72E86EE4006A29687F845FA384C4B3DF320191C77E64CF3EF751D641BB51328F5F36F31FF781F07233A4D3BF24DBC57CCE9B943756257D0A1E0912AB32
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0qu3gam.4dg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddnza5ve.txp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dennhzjv.3gz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1xeu1is.11h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp303B.tmp

Download File

Process:	C:\Users\user\Desktop\Contrarre.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1577
Entropy (8bit):	5.12169131337877
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtabIaxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTC7v
MD5:	26BD6E6C53B138435A4CA6C84B5B89F0
SHA1:	9A98258B906B3C876FF3DCC32A6CAE1827223F9A
SHA-256:	3D5F0FD1D4A1E2DD0323303AB122CB6D4D1E9CC69BEDF828EDC2E3CB1733AAA4
SHA-512:	9BC100BF7D613B870DE0088309F49A0CDECC5B2652751EF5022845D31852740E0E758948080EEFA4AC93B6F33F00361C7F25AC8C6387D4A49D714B1FC470F913
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1577
Entropy (8bit):	5.12169131337877
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtabIaxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTC7v
MD5:	26BD6E6C53B138435A4CA6C84B5B89F0
SHA1:	9A98258B906B3C876FF3DCC32A6CAE1827223F9A
SHA-256:	3D5F0FD1D4A1E2DD0323303AB122CB6D4D1E9CC69BEDF828EDC2E3CB1733AAA4
SHA-512:	9BC100BF7D613B870DE0088309F49A0CDECC5B2652751EF5022845D31852740E0E758948080EEFA4AC93B6F33F00361C7F25AC8C6387D4A49D714B1FC470F913
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

Download File

Process:	C:\Users\user\Desktop\Contrarre.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	662528
Entropy (8bit):	7.533364872703219
Encrypted:	false
SSDEEP:	12288:GeoJNhQ/cWS7stsLbolcbgBMZxWmerJIIqEXav/iMTgweuV7hsDJ7gW:GZJN+UVsa/olcJ3uIsm/pAshsDJs
MD5:	7D5C5B164F59713AF8DA5F243608AC8E
SHA1:	6AB62A0707E6F742E79B2F5A27B6F3B95CE8F01F
SHA-256:	C470EAB16E537BF777506E63BBEDD58114C0403965E9A01965507FFD731DDE4D
SHA-512:	24CF5B763062A6514877BC3CC61CFB7B79C13B194D1752913400C6E8FE5658C048E8197861159D24AF20E08AF1958E13085C24B91E93208D30216E2B2E9DB699
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 32%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.............2"... ...@....@.. ....................................@..................................!..O....@..l....................`....................................................... ............... ..H............text...H.... ...................... ..`.rsrc...l....@......................@..@.reloc.......`......................@..B................."......H........a...N..............@r...........................................0..P............(....(..........s ...%s....o!....%s....o!....%s....o!....%s....o!..........0..\........~....r...po"....s#.....~....o$....+..o%.......o.......o....-....,..o......~....r;..po"..........#..@......".(&........0..E........('.....((....s=...().....(...rw..po+....s....(...........o,.......*............8.......0...........~....r...p.o-...o.....r...p.o-...r...p(/...s'......o)......o.....8.....

C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Contrarre.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.533364872703219
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Contrarre.exe
File size:	662'528 bytes
MD5:	7d5c5b164f59713af8da5f243608ac8e
SHA1:	6ab62a0707e6f742e79b2f5a27b6f3b95ce8f01f
SHA256:	c470eab16e537bf777506e63bbedd58114c0403965e9a01965507ffd731dde4d
SHA512:	24cf5b763062a6514877bc3cc61cfb7b79c13b194d1752913400c6e8fe5658c048e8197861159d24af20e08af1958e13085c24b91e93208d30216e2b2e9db699
SSDEEP:	12288:GeoJNhQ/cWS7stsLbolcbgBMZxWmerJIIqEXav/iMTgweuV7hsDJ7gW:GZJN+UVsa/olcJ3uIsm/pAshsDJs
TLSH:	83E4BFC03B29B711CDACB934853AEDB962642E34B00479E26EED3B5776DD103AA1DF44
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.............2"... ...@....@.. ....................................@................................

File Icon


Icon Hash:	0066b49631f8dc38

Static PE Info

General

Entrypoint:	0x4a2232
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67871D0A [Wed Jan 15 02:27:22 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
lodsd
fiadd word ptr [eax]
add bh, ch
mov esi, CAFE0000h
add byte ptr [eax], al
mov esi, 000000BAh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa21e0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x126c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa0248	0xa0400	c10e48b452a8b6b0b6eeb2cf81a22782	False	0.8413306844773791	data	7.540925361404492	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x126c	0x1400	bcb7cc526657c404378ed7901d0dc5fc	False	0.708203125	data	6.393315397728018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	8d1b5439e8734d3e81e2a74f87d18881	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa4100	0xbdf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9348469891411648
RT_GROUP_ICON	0xa4cf0	0x14	data	1.05
RT_VERSION	0xa4d14	0x358	data	0.4287383177570093
RT_MANIFEST	0xa507c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T09:19:08.549660+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.6.168	80	TCP
2025-01-15T09:19:12.127586+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49737	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 09:19:07.585364103 CET	49733	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:07.590265036 CET	80	49733	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:07.590341091 CET	49733	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:07.590598106 CET	49733	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:07.595434904 CET	80	49733	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:08.225408077 CET	80	49733	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:08.229705095 CET	49733	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:08.234620094 CET	80	49733	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:08.418520927 CET	80	49733	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:08.434020996 CET	49734	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:08.434057951 CET	443	49734	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:08.434284925 CET	49734	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:08.441513062 CET	49734	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:08.441540956 CET	443	49734	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:08.549659967 CET	49733	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:08.921442986 CET	443	49734	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:08.921557903 CET	49734	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:08.929930925 CET	49734	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:08.929953098 CET	443	49734	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:08.930397987 CET	443	49734	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:09.058147907 CET	49734	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:09.103337049 CET	443	49734	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:09.168421984 CET	443	49734	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:09.168580055 CET	443	49734	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:09.168755054 CET	49734	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:09.282402039 CET	49734	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:10.890260935 CET	49737	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:10.896008968 CET	80	49737	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:10.896120071 CET	49737	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:10.896542072 CET	49737	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:10.901377916 CET	80	49737	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:11.814064026 CET	80	49737	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:11.819557905 CET	49737	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:11.824690104 CET	80	49737	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:12.027838945 CET	80	49737	193.122.6.168	192.168.2.4
Jan 15, 2025 09:19:12.029557943 CET	49738	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:12.029644012 CET	443	49738	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:12.029733896 CET	49738	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:12.033085108 CET	49738	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:12.033121109 CET	443	49738	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:12.127585888 CET	49737	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:19:12.498369932 CET	443	49738	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:12.498470068 CET	49738	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:12.499675989 CET	49738	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:12.499703884 CET	443	49738	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:12.500098944 CET	443	49738	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:12.545567036 CET	49738	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:12.587425947 CET	443	49738	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:12.656800032 CET	443	49738	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:12.656950951 CET	443	49738	104.21.96.1	192.168.2.4
Jan 15, 2025 09:19:12.657151937 CET	49738	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:19:12.658934116 CET	49738	443	192.168.2.4	104.21.96.1
Jan 15, 2025 09:20:13.423793077 CET	80	49733	193.122.6.168	192.168.2.4
Jan 15, 2025 09:20:13.424088001 CET	49733	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:20:17.030445099 CET	80	49737	193.122.6.168	192.168.2.4
Jan 15, 2025 09:20:17.033823013 CET	49737	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:20:48.425060987 CET	49733	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:20:48.430146933 CET	80	49733	193.122.6.168	192.168.2.4
Jan 15, 2025 09:20:52.035355091 CET	49737	80	192.168.2.4	193.122.6.168
Jan 15, 2025 09:20:52.040877104 CET	80	49737	193.122.6.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 09:19:07.569432974 CET	57136	53	192.168.2.4	1.1.1.1
Jan 15, 2025 09:19:07.576361895 CET	53	57136	1.1.1.1	192.168.2.4
Jan 15, 2025 09:19:08.420389891 CET	60309	53	192.168.2.4	1.1.1.1
Jan 15, 2025 09:19:08.431073904 CET	53	60309	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 09:19:07.569432974 CET	192.168.2.4	1.1.1.1	0x25f0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:08.420389891 CET	192.168.2.4	1.1.1.1	0x844b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 09:19:07.576361895 CET	1.1.1.1	192.168.2.4	0x25f0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 09:19:07.576361895 CET	1.1.1.1	192.168.2.4	0x25f0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:07.576361895 CET	1.1.1.1	192.168.2.4	0x25f0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:07.576361895 CET	1.1.1.1	192.168.2.4	0x25f0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:07.576361895 CET	1.1.1.1	192.168.2.4	0x25f0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:07.576361895 CET	1.1.1.1	192.168.2.4	0x25f0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:08.431073904 CET	1.1.1.1	192.168.2.4	0x844b	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:08.431073904 CET	1.1.1.1	192.168.2.4	0x844b	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:08.431073904 CET	1.1.1.1	192.168.2.4	0x844b	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:08.431073904 CET	1.1.1.1	192.168.2.4	0x844b	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:08.431073904 CET	1.1.1.1	192.168.2.4	0x844b	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:08.431073904 CET	1.1.1.1	192.168.2.4	0x844b	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:19:08.431073904 CET	1.1.1.1	192.168.2.4	0x844b	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	193.122.6.168	80	7816	C:\Users\user\Desktop\Contrarre.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 09:19:07.590598106 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 15, 2025 09:19:08.225408077 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 08:19:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 15, 2025 09:19:08.229705095 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 09:19:08.418520927 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 08:19:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	193.122.6.168	80	8164	C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 09:19:10.896542072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 15, 2025 09:19:11.814064026 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 08:19:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 15, 2025 09:19:11.819557905 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 15, 2025 09:19:12.027838945 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 08:19:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	104.21.96.1	443	7816	C:\Users\user\Desktop\Contrarre.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 08:19:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-15 08:19:09 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 08:19:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2243938 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=95BlYQrxiymOy5x1eN2VK7ANmWR%2FNvqdMIs58A0%2Ba8yeok8eAPXOni6NQUk%2FoJyA1AsA0ybBUx%2B1ibh3fAw25xo7qOk2tJpGEocp1Jw2oXXpw1nagaHRFSLgEBeHHgJQ8VcRpMZk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9024706de9fec32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1519&min_rtt=1519&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1922317&cwnd=178&unsent_bytes=0&cid=4c89f71d0a3971e7&ts=266&x=0"
2025-01-15 08:19:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	104.21.96.1	443	8164	C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 08:19:12 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-15 08:19:12 UTC	855	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 08:19:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2243941 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GYSg3lmMUv93OnyVonNeFiNO8Fp1DMmwn51E1JsstHDFEpriWFBHa4w7bVfkce9auHAvn%2BuOPlOkE126kjiFGSEY%2BMcDAskzMDil59%2BHh8znkuConkei4MCLaoMHhFLL6Zl68gjW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90247083bb6742c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1659&rtt_var=633&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1713615&cwnd=212&unsent_bytes=0&cid=a43cc841a1ca6cac&ts=163&x=0"
2025-01-15 08:19:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	03:19:03
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Contrarre.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Contrarre.exe"
Imagebase:	0xe30000
File size:	662'528 bytes
MD5 hash:	7D5C5B164F59713AF8DA5F243608AC8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1727668667.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1727668667.0000000004A02000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:19:05
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"
Imagebase:	0x660000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:19:05
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:19:06
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp303B.tmp"
Imagebase:	0x6c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:19:06
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:19:06
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Contrarre.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Contrarre.exe"
Imagebase:	0x770000
File size:	662'528 bytes
MD5 hash:	7D5C5B164F59713AF8DA5F243608AC8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2961029373.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2963909253.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	03:19:07
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe
Imagebase:	0x570000
File size:	662'528 bytes
MD5 hash:	7D5C5B164F59713AF8DA5F243608AC8E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.1766440510.00000000041E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 32%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:19:09
Start date:	15/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:19:09
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DWKfptrbzzV" /XML "C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp"
Imagebase:	0x6c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:19:09
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:19:10
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe"
Imagebase:	0x540000
File size:	662'528 bytes
MD5 hash:	7D5C5B164F59713AF8DA5F243608AC8E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2964165589.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	266
Total number of Limit Nodes:	25

Executed Functions

Function 063480B8 Relevance: 6.9, Strings: 5, Instructions: 651
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 06348C9B
Hbq, xrefs: 06348D25
Hbq, xrefs: 06348DE3
Hbq, xrefs: 06348C14
Hbq, xrefs: 06348B81

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: 1ab9046e0bc29108028ef939492b61612480e24fbdbde5e43dd9398304cbdaad
Instruction ID: 7c9c1145273861bd72dea0a24c87097b91ac1c50ca28981ecfe87beb594630bf
Opcode Fuzzy Hash: 1ab9046e0bc29108028ef939492b61612480e24fbdbde5e43dd9398304cbdaad
Instruction Fuzzy Hash: F5424F30E00258CFDB94EF69C89079EBBF6AF88300F148569D509AB395DB34AD85CF95

Function 03034208 Relevance: 3.1, Strings: 2, Instructions: 588
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp^q, xrefs: 0303807B
d, xrefs: 03038702

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID:
String ID: Pp^q$d
API String ID: 0-2169010058
Opcode ID: fdad9ddbbb5fff3a8b32ca06b68f732137597cba56b640d828d50f4a330b9816
Instruction ID: a5b11cae926b9cbb214566e16a3e8b21f5e373e5d855cd3fbac5d2d510f538d9
Opcode Fuzzy Hash: fdad9ddbbb5fff3a8b32ca06b68f732137597cba56b640d828d50f4a330b9816
Instruction Fuzzy Hash: D562D274901229CFCB65DF68C994BD9BBB2FF89300F0085E9E549A7264DB71AE85CF40

Function 03037D98 Relevance: 3.1, Strings: 2, Instructions: 580
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp^q, xrefs: 0303807B
d, xrefs: 03038702

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID:
String ID: Pp^q$d
API String ID: 0-2169010058
Opcode ID: ddd497cc26fb11b6fa0a2756d57690b181adb37281d1087fcdf30125c04dba1d
Instruction ID: 60a1bf5a09c01d1abbbbaad00b474fe7aa1398c5f8e100f549da8bc2abcf396f
Opcode Fuzzy Hash: ddd497cc26fb11b6fa0a2756d57690b181adb37281d1087fcdf30125c04dba1d
Instruction Fuzzy Hash: 3D62D374901229CFCB65DF68C994BD9BBB2FF89300F0085E9E549A7264DB71AE85CF40

Function 03034224 Relevance: 3.1, Strings: 2, Instructions: 579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp^q, xrefs: 0303807B
d, xrefs: 03038702

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID:
String ID: Pp^q$d
API String ID: 0-2169010058
Opcode ID: 0154f3cc0b735e1b4e4dca22048903116db5871a28d161279e56fab071ad67b0
Instruction ID: d77b0b842f3f25e8e172bca92d46b9dbe2aa63547b2d5d03ec886dc16a6d3e4a
Opcode Fuzzy Hash: 0154f3cc0b735e1b4e4dca22048903116db5871a28d161279e56fab071ad67b0
Instruction Fuzzy Hash: 5752D274901229CFCB65DF68C994BD9BBB2FF89300F0085E9E549A7264DB71AE85CF40

Function 0634F3AA Relevance: 2.7, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0634F600
Te^q, xrefs: 0634F469

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 759d4a67b3726565a5e61231fcbba50f7526abd478353c89e34e5d356a3e488c
Instruction ID: 6dfec214c5a6e748f8481511501ae8352dc1b84b5ad5b657ae459e2b28dd83ba
Opcode Fuzzy Hash: 759d4a67b3726565a5e61231fcbba50f7526abd478353c89e34e5d356a3e488c
Instruction Fuzzy Hash: 4C810674E002199FDB48CFA9C984AEEFBF2FF89300F14912AD905AB364DB349905CB50

Function 0634F3E6 Relevance: 2.7, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0634F600
Te^q, xrefs: 0634F469

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 66e95456dad59892e1a70d68130cedd731afb42f949042736ed8cbc4c656ec69
Instruction ID: 557812ea818be950c71dbe707545b66caaddb9b246ee184b18483743fec5fe6e
Opcode Fuzzy Hash: 66e95456dad59892e1a70d68130cedd731afb42f949042736ed8cbc4c656ec69
Instruction Fuzzy Hash: 15810674E012199FDB48CFA9C980AEEFBF2FF89340F14816AD915AB354DB345905CB50

Function 0634F3DB Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0634F600
Te^q, xrefs: 0634F469

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 98847e06c12288a752ef72355631f474d3d8c2dc74a023b49f0a879ef3af64c2
Instruction ID: 572fe43d7822d6a64ad30eda1904461b14ecbe123095a3f598522bcef94b926b
Opcode Fuzzy Hash: 98847e06c12288a752ef72355631f474d3d8c2dc74a023b49f0a879ef3af64c2
Instruction Fuzzy Hash: 7181D474E012198FDB48DFA9D980AAEFBF2FF89300F14852AD915AB354DB345945CB50

Function 0634F400 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0634F600
Te^q, xrefs: 0634F469

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: e603e5a8789352ceeb2f7d0e91bb2ff38e283cce193176f997fa3c9d2b20c440
Instruction ID: 585b5de60736f6c8e8412e5e5db5c74094c0bfc8b1062e288ee9aad8882e62a7
Opcode Fuzzy Hash: e603e5a8789352ceeb2f7d0e91bb2ff38e283cce193176f997fa3c9d2b20c440
Instruction Fuzzy Hash: DE81E574E002198FDB48DFE9C984AAEFBF6FF89340F14852AD915AB354DB346905CB90

Function 0634F3CF Relevance: 2.7, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0634F600
Te^q, xrefs: 0634F469

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: a8ef101a200033676e5ce4157d660e202fb46e4dae28074987ccbe931815325e
Instruction ID: d899688e538bcbd9c0a34517be5a9216e71e57becb8babaaf8ef4f9e5d2ffe60
Opcode Fuzzy Hash: a8ef101a200033676e5ce4157d660e202fb46e4dae28074987ccbe931815325e
Instruction Fuzzy Hash: 7881E374E012198FDB48CFE9C980AAEFBF2FF89300F24852AD915AB364DB345945CB50

Function 07B5407B Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

5{, xrefs: 07B54272

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: 942c8c067df2ea46e161572abc89e9018ae345b4d10451d50847f01f12546f03
Instruction ID: d0cae1844a086c0dd7be773274700548772759d326cb60f7d803be119f938817
Opcode Fuzzy Hash: 942c8c067df2ea46e161572abc89e9018ae345b4d10451d50847f01f12546f03
Instruction Fuzzy Hash: FBB139B4E05209DFCB04DFA9D5855AEBBF2FF89300F24846AD805AB364DB349A41CF65

Function 07B54088 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

5{, xrefs: 07B54272

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: 7b8d2dcc2cb745579d042815abc0bf1af7b364bb86fd49d0037cd0d1261d5d0b
Instruction ID: caf28f614cb61a9d0e227c052f36b39196e81bb5a73006a9fb7055d13e1369e7
Opcode Fuzzy Hash: 7b8d2dcc2cb745579d042815abc0bf1af7b364bb86fd49d0037cd0d1261d5d0b
Instruction Fuzzy Hash: E7A147B4E05209DFCB04DFA9D5855AEBBF2FF89300F248469D805AB364DB349A41CFA5

Function 07B55B30 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

j4$y, xrefs: 07B55D46

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: 12b985e20e6285c77aabc6314a5add512a530824d2c018ad1f79d90d43443e4f
Instruction ID: b8bc4497d7325acc059b84ae4e326b662796402581f7f6ea16e91272434fa2be
Opcode Fuzzy Hash: 12b985e20e6285c77aabc6314a5add512a530824d2c018ad1f79d90d43443e4f
Instruction Fuzzy Hash: A88149B0D55209DFDB18CFA6D58499EFBB3FF89311F10942AE415AB264DB309A52CF04

Function 07B55B23 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

j4$y, xrefs: 07B55D46

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: c30017ab3ebc3eb162fd1226d0a3e0c0c6187e66f9705efe89ccffe4ad10e6ac
Instruction ID: 6aa6c90c4982ff5c0f94d18d7be4445de678f915f1519722d4d5b07c71d0bf5b
Opcode Fuzzy Hash: c30017ab3ebc3eb162fd1226d0a3e0c0c6187e66f9705efe89ccffe4ad10e6ac
Instruction Fuzzy Hash: CC8158B0D15209EFDB18CFA5D5849DEFBB3EF89311F10942AE415AB264DB349A52CF00

Function 08355AA8 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21943fb6fa6a4e5626f4ec53dcddfd2ffe973165049fbade22f6eb4e4e411935
Instruction ID: 76bb47b51be289b61f04d2f2b5261212742d9cde80137fa8161bf780ffe6981b
Opcode Fuzzy Hash: 21943fb6fa6a4e5626f4ec53dcddfd2ffe973165049fbade22f6eb4e4e411935
Instruction Fuzzy Hash: 87C1B6357027048BDB29EB65C460BAAB7FAAFC9705F10846DD9468B3A4CF35E802CB51

Function 063485B3 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0ce4de112de80e4c5ef6ee5eb985a40731d9059e4c6b2a310ede70f8151cc0
Instruction ID: a33702a8df41c89360935cce760cfbc4591ac12dc9c21ea6518609748dc8a6f7
Opcode Fuzzy Hash: df0ce4de112de80e4c5ef6ee5eb985a40731d9059e4c6b2a310ede70f8151cc0
Instruction Fuzzy Hash: D4C15A31E102189FDF95EFA5C880799FBF2AF84310F14C5AAD409AB255DB35E989CF90

Function 07B54446 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e4409729076ed3d54abd78eccf972be971985286e7a2b21b9cbd44b2b8ff8a9
Instruction ID: 829c2c455baa92f54423ae00e79725fb67cf0db34443b146695a5f56e816a792
Opcode Fuzzy Hash: 1e4409729076ed3d54abd78eccf972be971985286e7a2b21b9cbd44b2b8ff8a9
Instruction Fuzzy Hash: 8F718EB0D1935A8FCB05CFA5E84559EBFB2FF8A300F1494AAD411E7261DB788941CF58

Function 07B544B8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17be69f1eef598556eabdce2632f3d72c50497cff8211feb79893e6bb50e947
Instruction ID: dcf67d3be73a4d659c2ddb0157866e8f22909a1d4bb55b2ad10c5b6e28ae1166
Opcode Fuzzy Hash: f17be69f1eef598556eabdce2632f3d72c50497cff8211feb79893e6bb50e947
Instruction Fuzzy Hash: 4D515CB0E142199FCB04CFA5E5455AEFFB2FF8A300F10986AE815E7254DB748A40CF98

Function 07B544C8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10413c0e44a261296898a12b423f3f459ef10f9aa6e8cbef7c4788e14cc8cd3
Instruction ID: 47615913c6c7f6bbad8addfa0cf0d988a92924a06fcc6f4e9d58071c9ea39bd0
Opcode Fuzzy Hash: a10413c0e44a261296898a12b423f3f459ef10f9aa6e8cbef7c4788e14cc8cd3
Instruction Fuzzy Hash: A9513BB0E152199FCB04CFA5E5455AEFBB2FF8A300F10986AE815E7254DB749940CF98

Function 0634FB58 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b780cd510220cf249425611242e2e1617bd12ca1ad4b16ffcb5ab1daacbe69
Instruction ID: 6657ac2784c2d7345f7b2095466150f42a6951f49befd58cb1e71614e3237a3b
Opcode Fuzzy Hash: b4b780cd510220cf249425611242e2e1617bd12ca1ad4b16ffcb5ab1daacbe69
Instruction Fuzzy Hash: B05128B4D052099FDB48DFAAD9406AEFBF2FB88310F18D06AE419A7251D7345941CFA4

Function 07B57153 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab33288a44edcb4ce403b428cfde16a28002ee810671692f153f872808c1b1f5
Instruction ID: dd7e05f518104e7165303a64aef0a578dd008217d2c7026f2794ef0b97137716
Opcode Fuzzy Hash: ab33288a44edcb4ce403b428cfde16a28002ee810671692f153f872808c1b1f5
Instruction Fuzzy Hash: 484170B0F15209DFDB44CFA9D54569EFBF2EB8A310F24D4AAD805A7250DB348A41CF54

Function 0634E888 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47e6d098470f62a3f5dc28460cc1d87c015b3c7df21b5bb37162640366f15b0
Instruction ID: 13eb8440a2b2ca47a70fd62f3c2b0e1af38ad427f35a2178bf0fe14e3e136ae3
Opcode Fuzzy Hash: b47e6d098470f62a3f5dc28460cc1d87c015b3c7df21b5bb37162640366f15b0
Instruction Fuzzy Hash: CD312675E053599BEB58DFABD80429EFBF7FFC9200F04C0AAD408A7265EB3419458B61

Function 07B505B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ba852af4ef8988d3724f3a63a52a183c942c0611e3c3de42ef25ffa8b747d2
Instruction ID: e76ddd732cb083da0868a9d4a16ce3ea8d07d7c6351860ffe10b9fef1f9e351a
Opcode Fuzzy Hash: 36ba852af4ef8988d3724f3a63a52a183c942c0611e3c3de42ef25ffa8b747d2
Instruction Fuzzy Hash: 6131E5B5E012188BDB58CFAAD8446DEBBB3BFC9310F14C0A9E809A7254DB355A81CE40

Function 07B505A0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7453b8425aef2478b3f44d1e05cb79b0b6e49c9f015176d3c02d930201e628
Instruction ID: 07758bb606774dc56f44b0da41f202f7238ea4deb244eb8d105354ea51b6bb9e
Opcode Fuzzy Hash: bb7453b8425aef2478b3f44d1e05cb79b0b6e49c9f015176d3c02d930201e628
Instruction Fuzzy Hash: B321EAB1E016599BEB18CFABC8406DEBBF3AFC9310F14C17AD408A6258DB741945CF51

Function 07B58E90 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4bd058884082546ec436e46c763359188238d7d726ac1602dacffbf75793c3
Instruction ID: 5b36508e1be9568cc46c7aa5874637b541a3500134ab44f80a4008c77a056034
Opcode Fuzzy Hash: ad4bd058884082546ec436e46c763359188238d7d726ac1602dacffbf75793c3
Instruction Fuzzy Hash: 4AF012B09093499FCB46DFB888006ADBFB0EF0A300F1085EAE85497252D7744A51DBA5

Function 08350BB7 Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08350DF6

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 943cf640a81de2e50830ed1c308b0a47caff13ada38af997f4395184835507e4
Instruction ID: ea97c30469cc02a5ab135887e169431756016847f14b5d58afc83c3a4652c636
Opcode Fuzzy Hash: 943cf640a81de2e50830ed1c308b0a47caff13ada38af997f4395184835507e4
Instruction Fuzzy Hash: 82A19D71D00A19DFDF24CF68C850BDEBBB2BF89310F1481A9E849A7250DB759A85CF91

Function 08350BC0 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08350DF6

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fb242f14793efabb63a2f37ef78fe8a073934744d05ff850a13104547cc004a7
Instruction ID: 9e500688b5cecfde945802f3192e3beb6102caeffdd569ab92b1cf8f8e1cf18e
Opcode Fuzzy Hash: fb242f14793efabb63a2f37ef78fe8a073934744d05ff850a13104547cc004a7
Instruction Fuzzy Hash: 63919D71D00A19DFDB24CF68C850BDEBBB2BF89310F1481A9EC49A7250DB759A85CF91

Function 0303C570 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 31c229253f5f51896b0f03a220f69a884626cc0665b35e6d7b5220b5f33bb670
Instruction ID: 5146a22279b6de50b17dbf6a903fcc43262098866763bcb61471ce8f54e40df3
Opcode Fuzzy Hash: 31c229253f5f51896b0f03a220f69a884626cc0665b35e6d7b5220b5f33bb670
Instruction Fuzzy Hash: DD715770A01B058FE764DF6AD44479ABBF9FF89300F04892DD48AEBA50DB75E845CB90

Function 03035D77 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03035E51

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b8a2e002b7904bd34b310de871c577d70567f5cd2ecb4f801fbca361d72f15fd
Instruction ID: b545725560b893e122f5fad1fea20e71b83c5e9b8e9ace35b84277610e990a87
Opcode Fuzzy Hash: b8a2e002b7904bd34b310de871c577d70567f5cd2ecb4f801fbca361d72f15fd
Instruction Fuzzy Hash: 274101B1C02718CEDB14CFA9C9457DDBBF5BF4A304F28805AD408AB261DB75698ACF90

Function 03034524 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03035E51

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 94affc6472bfe87b79e690d5554ffb009cc88eca29da4e1c795d0de94344c986
Instruction ID: 5a3e246682ae6637d3ba77b09bcab7b4b379f5c1cfb937a99e42f7bccfba5890
Opcode Fuzzy Hash: 94affc6472bfe87b79e690d5554ffb009cc88eca29da4e1c795d0de94344c986
Instruction Fuzzy Hash: 3F41E2B0C01619CFDB24CFA9C844B9EBBF5BF4A304F24806AD408AB265DB756985CF90

Function 06348F88 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 253c5ab15c2ad248ddaa43b4281187090bc629272846c81d980ff3e91c59e3d0
Instruction ID: c9716c7ddbc08bc62c7405372edd6800a729f348dd64b0396a5b4ada2d23f06e
Opcode Fuzzy Hash: 253c5ab15c2ad248ddaa43b4281187090bc629272846c81d980ff3e91c59e3d0
Instruction Fuzzy Hash: E4316772900299DFCB11DFA9D844AEEBFF8EF09310F14805AE954A7261C336A954DBA0

Function 08350530 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 083505C8

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 44c6a0c90f681af3218787135be829ba0c986394d7d86b84af6a3ef1dbde9e6b
Instruction ID: 91ad1196bac4df395fbd7c4254615623d387ddf8949eea3541668f921d6c968a
Opcode Fuzzy Hash: 44c6a0c90f681af3218787135be829ba0c986394d7d86b84af6a3ef1dbde9e6b
Instruction Fuzzy Hash: 3C215C71900349DFCB14DFA9C841BDEBBF5FF48310F108829E959A7250D7759554CBA4

Function 08350538 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 083505C8

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 35bed2e9c5802eb1566b7ceeafb2113f8c1ff0d29fb67b1b67f988c1214555b6
Instruction ID: 91a67bc591a8aa63bdb5ebb9252f8d8272406a7edfd904115c1ae94c77a5fe34
Opcode Fuzzy Hash: 35bed2e9c5802eb1566b7ceeafb2113f8c1ff0d29fb67b1b67f988c1214555b6
Instruction Fuzzy Hash: 4F2139B1900359DFCB10DFA9C885BDEBBF5FF88310F10882AE959A7250C7799954CBA4

Function 08350620 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 083506A8

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c942740744111251ea600636f5e43d496d90d45f046068350e91236f6e8e6ab2
Instruction ID: 560af32d4e462a46e42c029c4ae4af8565a2390fe1d9c7e320b7519c79570630
Opcode Fuzzy Hash: c942740744111251ea600636f5e43d496d90d45f046068350e91236f6e8e6ab2
Instruction Fuzzy Hash: CF2157B19002499FCB10CFA9C880AEEFBF0FF88310F10842EE859A7250C7799544CB64

Function 07B5FC70 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B5FCF6

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c218ad2ca22cc4933b1350872afb01b1dbc2fed6849374c32b7344331d19abad
Instruction ID: fcda420068733b8db319a5d0b39c017a005464a174ae86ed268c6058e4ad7c84
Opcode Fuzzy Hash: c218ad2ca22cc4933b1350872afb01b1dbc2fed6849374c32b7344331d19abad
Instruction Fuzzy Hash: 8D2136B19002498FDB10DFA9C4857EEFFF0AF48324F14842DD859A7241CB789945CFA4

Function 0303E5D8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0303EA0E,?,?,?,?,?), ref: 0303EACF

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1b92c3b51d0af45291611fde0f4ff1d7bc6ce187dcc87aed74fcdf4d8532a33e
Instruction ID: b35338b1cfd40c5bf79c88ef4fe4a1c383f2f2a253abc554885249eb4fc0133d
Opcode Fuzzy Hash: 1b92c3b51d0af45291611fde0f4ff1d7bc6ce187dcc87aed74fcdf4d8532a33e
Instruction Fuzzy Hash: B921E3B5901248EFDB10CF9AD984AEEFBF8FB48310F14841AE954A7350D375A940CFA4

Function 08350628 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 083506A8

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1c678c6b484ebf4d225a2c2dec2477415338c7c6347f57e8935c47724ab3b61a
Instruction ID: 32139c024761c6ae18d87c469129bb5daf70a4f92ca59a4fd643995096b487fe
Opcode Fuzzy Hash: 1c678c6b484ebf4d225a2c2dec2477415338c7c6347f57e8935c47724ab3b61a
Instruction Fuzzy Hash: 072128B19003599FCB10DFAAC884ADEFBF5FF88310F10842AE959A7250C7799944CBA4

Function 07B5FC78 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B5FCF6

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b842296bb67d30c8637da6a7894f58f4840ba951672d51ad86659915213a7d3c
Instruction ID: 448b651d6a0368403f187d8ba5a1f4a783bf4634cfe8d5b783c65200423328e9
Opcode Fuzzy Hash: b842296bb67d30c8637da6a7894f58f4840ba951672d51ad86659915213a7d3c
Instruction Fuzzy Hash: 042138B19002498FDB10DFAAC4857EEFBF4EF48324F148429D859A7240CB789984CFA4

Function 08350470 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 083504E6

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c3ed980df01881a01bcf0886bd8dac6bfa96fe50b044eb75db340828090f22fb
Instruction ID: 1eee4a9e616d04a15460a6e76d6f78dbfcd3014600412accf799d0a4e31113d4
Opcode Fuzzy Hash: c3ed980df01881a01bcf0886bd8dac6bfa96fe50b044eb75db340828090f22fb
Instruction Fuzzy Hash: 9E2167B19003499FDB10DFA9C844BDEBFF5EF89320F248419E859A7210C7359940CFA0

Function 06348104 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06348FA2,?,?,?,?,?), ref: 06349047

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 1ca6a6c76e7ecb2e8e8580c13c4867fc90bb57a05822649beed4c9b964f93d85
Instruction ID: faa137596a675e8f2f8bcd5b46b4d677bbae26179c848bc915b5cbac43891f22
Opcode Fuzzy Hash: 1ca6a6c76e7ecb2e8e8580c13c4867fc90bb57a05822649beed4c9b964f93d85
Instruction Fuzzy Hash: 441167B5900349DFDB10DF9AD844BEEBFF8EB48320F14841AE954A7250C379A950DFA4

Function 0303B073 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0303B0E5

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ef748f5a86ff2208743c0e180dc76b11e39fb28aa7d29fe2e32957b15f25e97c
Instruction ID: a0789168d471e3b00b6b391e44dbb97fafe2d48437a4c61a7c96fb2b445f91fa
Opcode Fuzzy Hash: ef748f5a86ff2208743c0e180dc76b11e39fb28aa7d29fe2e32957b15f25e97c
Instruction Fuzzy Hash: CB11ACB1806298CEDB10CF99D4453EEBFF8EB15314F148099EA9AA3342C7399644CF65

Function 08350478 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 083504E6

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 967ae4b26b054004d786e7d6a9ca6715bd5c6fb27a424c853d9d3b3ce6ed1d86
Instruction ID: 0efa45724450bc912e4d5c70374d3c5c40cc139da80821f1255c8f46ef7dba14
Opcode Fuzzy Hash: 967ae4b26b054004d786e7d6a9ca6715bd5c6fb27a424c853d9d3b3ce6ed1d86
Instruction Fuzzy Hash: C51137B19002499FCB10DFAAC844BDEBFF5EF88320F148419E959A7250CB76A954CFA5

Function 07B5F788 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07B5F7F2

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 54f665e6d530534d3a01a9300980ddc068b499df3e760ccb338913f8b27f6a01
Instruction ID: 672273728e19d8fb54f68afa758bdadcaa9757dfacc02f0bace434a507aca824
Opcode Fuzzy Hash: 54f665e6d530534d3a01a9300980ddc068b499df3e760ccb338913f8b27f6a01
Instruction Fuzzy Hash: 061158B1900289CFDB20DFA9C4457EFFBF4EB89324F248429D459A7250C779A944CFA4

Function 0303C224 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0303C58C), ref: 0303C7C6

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7dfbe1c251e81f785f295ed2733e3004cf1ae14a8dc9ce5b9e9f504a7393e9e2
Instruction ID: 42ee792856258d59a1cd91a1b77a996cc0f5ed62006c96885de704b4cf33490d
Opcode Fuzzy Hash: 7dfbe1c251e81f785f295ed2733e3004cf1ae14a8dc9ce5b9e9f504a7393e9e2
Instruction Fuzzy Hash: 691132B6D016498FDB20DF9AC444BDEFBF8EB89310F14842AD819B7210C375A544CFA4

Function 0303B080 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0303B0E5

Memory Dump Source

Source File: 00000000.00000002.1727069823.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3030000_Contrarre.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f5aa7438958bcabb592ba2951b82f9cf8de94408b282151a2ff470006e47b948
Instruction ID: dbc1d570f462c3704b5e30897c8976f1c343574d6a697da5e078795a26678990
Opcode Fuzzy Hash: f5aa7438958bcabb592ba2951b82f9cf8de94408b282151a2ff470006e47b948
Instruction Fuzzy Hash: B511DDB0802398CEDB10CF99D0053EEBFF8EB19314F148099D69AA3242C7399644CFA5

Function 07B5F790 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07B5F7F2

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d5c90600e560a048dd27844baef6565de3e306d491de6c0a2846f9d82aa8814c
Instruction ID: 8812e6651f9bc252ff16084f10320c38e435127020a5ae3fa0324290312ad336
Opcode Fuzzy Hash: d5c90600e560a048dd27844baef6565de3e306d491de6c0a2846f9d82aa8814c
Instruction Fuzzy Hash: 751136B19002498FDB20DFAAC4457EEFBF4EB88324F248429D459A7250CB79A944CFA4

Function 08350868 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08354B65

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7d483b4e2dcfd57f2a5935d0305397d5c2c10033276550f19f898dd7a8acb311
Instruction ID: 3cd7fbabba10eb13825578482274604bed75a848e6863d8b1f28da68c0806bc3
Opcode Fuzzy Hash: 7d483b4e2dcfd57f2a5935d0305397d5c2c10033276550f19f898dd7a8acb311
Instruction Fuzzy Hash: 0C1103B5900349DFCB10DF9AD488BDEBBF8EB48324F10841AE959A7210C375A984CFA5

Function 08354B01 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08354B65

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1393e4be448ec414b7cea1d92b72eae0112e71310f12959538fdbdc8fee10a4f
Instruction ID: f00e7ce5fc4989f8357397cca2e61d26f9806b1a6828f3d73ed4ab8dbb130dbc
Opcode Fuzzy Hash: 1393e4be448ec414b7cea1d92b72eae0112e71310f12959538fdbdc8fee10a4f
Instruction Fuzzy Hash: 6C1106B5800348DFDB10CF99C485BDEBFF8EB49324F108459D994A7210C375A584CFA5

Function 02F5D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726639565.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f5d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd3108c72b68493d08af26172646fd613d1585ecd368c9942491185af58756d
Instruction ID: 33fa9d26b9a3b22a677961f9a95139343654527f225b4a8aacd21c1d2d6d1d87
Opcode Fuzzy Hash: fcd3108c72b68493d08af26172646fd613d1585ecd368c9942491185af58756d
Instruction Fuzzy Hash: 52212872601204DFDB09DF14DAC0B26BF65FB94354F20C169DF094B256C336E456C6A1

Function 02F5D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726639565.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f5d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d78ef6376bff823ee0f690fadbd1ac3d6b3cbe7a4c659618b3d86dc2784b18
Instruction ID: a69ec2a18d53004855d321d7ffc085a82a8076b41d4c3b0740b8ff561788f331
Opcode Fuzzy Hash: e1d78ef6376bff823ee0f690fadbd1ac3d6b3cbe7a4c659618b3d86dc2784b18
Instruction Fuzzy Hash: 86212272A00244DFDB05DF14DAC0B2ABF65FB88358F20C569EF094B356C336D456CAA2

Function 02F6D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726725768.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f6d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011b9f685ec0493769a7b4105e1eab3dd89b88febf404046d8df3224e34221e4
Instruction ID: 2b81273d1b6243ac986b06f88d71b3a397cc7d71b8797664a5c04ff1bdb08ab6
Opcode Fuzzy Hash: 011b9f685ec0493769a7b4105e1eab3dd89b88febf404046d8df3224e34221e4
Instruction Fuzzy Hash: AD212671B04204EFDB05DF14DAC8B36BBA5FB88354F24C66DEA094B256C336D446CA61

Function 02F6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726725768.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f6d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d24e16408bd4778bb131351901336577431c4541e3ebcaf7817db4973c977c1
Instruction ID: bf65de62d6b0f8f570f489a6e218956f3d5dfef30ab1a51cdec2f10108ce4ef7
Opcode Fuzzy Hash: 5d24e16408bd4778bb131351901336577431c4541e3ebcaf7817db4973c977c1
Instruction Fuzzy Hash: 07212271704200EFDB14DF14D988B26BBA5EB88B54F20C569EA0A4B25AC33BD447CAA1

Function 02F6D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726725768.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f6d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f70897d85913d7448a5b78fe6d6655391afc6da308f2b189375c81ec89fef7
Instruction ID: 6a4badaa403ba4b0009fd0851294997be61d1def713a305938a86788a6491c63
Opcode Fuzzy Hash: d5f70897d85913d7448a5b78fe6d6655391afc6da308f2b189375c81ec89fef7
Instruction Fuzzy Hash: 5E21A4755093C09FCB02CF24D594715BF71EF46614F28C5EAD9498F2A7C33A980ACB62

Function 02F5D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726639565.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f5d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 11118da6b53f69b26076f6bb1cf92390e6dcb5d2a1137f9bf3779694e8ef707d
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5211B176904280CFCB16CF14D5C4B16BF71FB84318F24C6A9DE490B656C336D45ACBA1

Function 02F5D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726639565.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f5d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 18f16645fe398cc084258bd4adfc12b3e35e2876efbd13046f88440bfbcc3f8c
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: F4110372804240CFDB0ACF00D6C4B16BF72FB94324F24C2A9DE090B656C33AE45ACBA1

Function 02F6D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726725768.0000000002F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f6d000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: f3efd23ae3b9dfd351e42aecbbc347ae845e6e44f46a362b6de99bf9456cf1d1
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BF118E75A04240DFDB15CF14D5C4B25BB61FB84214F28C6A9D9494B656C33AD44ACB51

Non-executed Functions

Function 07B52288 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

%O@8, xrefs: 07B523E4
tQ=), xrefs: 07B52325
%O@8, xrefs: 07B523F2
tQ=), xrefs: 07B5231E

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: %O@8$%O@8$tQ=)$tQ=)
API String ID: 0-749352435
Opcode ID: 5d6faa7e94c08ef37dcd55a590ec62262280cc9cfe05454a82dc24998a35fbaa
Instruction ID: 7d5e98efca25fc7493460f0ef88391c77bf9263ab8787d9da8fb98b623aee949
Opcode Fuzzy Hash: 5d6faa7e94c08ef37dcd55a590ec62262280cc9cfe05454a82dc24998a35fbaa
Instruction Fuzzy Hash: 4471E1B4E16219DFCB48CF99D5849AEFBF1FF89310F14856AE815AB220D730AA41CF50

Function 07B52E38 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

aY, xrefs: 07B53029
18', xrefs: 07B52F82
18', xrefs: 07B52F74
aY, xrefs: 07B53022

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: 18'$18'$aY$aY
API String ID: 0-3687307736
Opcode ID: 293aed99fdba50b7398887ab11cc9e037e5da002903ef1d43d40cbf1b853b9eb
Instruction ID: a55955ef4bfb10218088209a17f0bf86b56494c1080f2412b66f2f4e5671a077
Opcode Fuzzy Hash: 293aed99fdba50b7398887ab11cc9e037e5da002903ef1d43d40cbf1b853b9eb
Instruction Fuzzy Hash: A971F0B4E1120ACFDB04CF99D580AEEFBB1BF89350F14855AD815AB304D734A982CFA5

Function 07B52278 Relevance: 3.9, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

tQ=), xrefs: 07B52325
%O@8, xrefs: 07B523F2
tQ=), xrefs: 07B5231E

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: %O@8$tQ=)$tQ=)
API String ID: 0-2920369752
Opcode ID: a7ba85ee64d2ca56d3b29a1548fabfbdf76a3cead4bf3882199784b1ee718bbf
Instruction ID: 785cfef99ad1d1cd48deb48118d1c809a979bc9b8ac83deca1af6108d48422ae
Opcode Fuzzy Hash: a7ba85ee64d2ca56d3b29a1548fabfbdf76a3cead4bf3882199784b1ee718bbf
Instruction Fuzzy Hash: D571F3B4E16209DFDB44CFA9D5849AEFBF1FF89310F1485A6E815AB220D734AA41CF50

Function 07B53950 Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

6yu[, xrefs: 07B53AB6
6yu[, xrefs: 07B53AAF
,uRR, xrefs: 07B53A38

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: 2eba2d276f44a986b4d280c1984ab248035b1f944fe5b46190fd15fa71fe841d
Instruction ID: b2f84b0be3477cab10e8da1000c223a188d799189e794fcf716ad2979c9feccb
Opcode Fuzzy Hash: 2eba2d276f44a986b4d280c1984ab248035b1f944fe5b46190fd15fa71fe841d
Instruction Fuzzy Hash: 7E413AB0E1520ADFDB04CFA9C5805AEFBF2AF89350F24D5AAC805B7354D7349A41CBA5

Function 07B53960 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

6yu[, xrefs: 07B53AB6
6yu[, xrefs: 07B53AAF
,uRR, xrefs: 07B53A38

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: 77f7ad73f7d8c81deca4228323a3c4ae0eec943000d74c8912a0ca1f547f44c6
Instruction ID: e1afc78cb66548f02d9708b8e546c572adf94fdc350559940d69948b387f1f3c
Opcode Fuzzy Hash: 77f7ad73f7d8c81deca4228323a3c4ae0eec943000d74c8912a0ca1f547f44c6
Instruction Fuzzy Hash: D0411AB0E1520ADBDB04CFA9C5816AEFBF2FB89340F24D5A9C805B7354D7349A418BA5

Function 07B569B8 Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

9u"K, xrefs: 07B56A73
Zjsq, xrefs: 07B56A76

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: 267e33a78f0c3b6f87db2acef4aa40b191e118d1ca16b76543b2ec500c46746f
Instruction ID: d9193f9ba81dbdbef19d2eca43dde3064bc159719a10057aae707bd971f8e92c
Opcode Fuzzy Hash: 267e33a78f0c3b6f87db2acef4aa40b191e118d1ca16b76543b2ec500c46746f
Instruction Fuzzy Hash: EDC103B0E15219DFDB08CFAAD98059EFBF2BF89300F14D56AD819AB264D7309942CF54

Function 07B569C8 Relevance: 2.8, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

9u"K, xrefs: 07B56A73
Zjsq, xrefs: 07B56A76

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: 70ece7bdbb4dc715d907bd2a236840d020740cf76ef1a38845d62b0032dd139f
Instruction ID: 98df58005d046b4a54dcc01c9fd1fde367d744befc70bf328ecf994e089c05cc
Opcode Fuzzy Hash: 70ece7bdbb4dc715d907bd2a236840d020740cf76ef1a38845d62b0032dd139f
Instruction Fuzzy Hash: 8AC115B0E15219DFDB08CFAAD58059EFBF2BF89300F54D56AD815AB228D7309942CF54

Function 07B54A58 Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

\~$, xrefs: 07B54B88
or, xrefs: 07B54ABE

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: 57cce0421eeeac05217027d3bb3a702998aacd2f70eaab5de7a993e4042028d4
Instruction ID: 6ec9d1c5f75655b9b8bda99e6a05a5c7d3be3051e9b153c76003c20b0097d8b9
Opcode Fuzzy Hash: 57cce0421eeeac05217027d3bb3a702998aacd2f70eaab5de7a993e4042028d4
Instruction Fuzzy Hash: 356167B4E1421ADFDB48CFA6C5416AEFBF2EF89300F10806AD815A7354E7349A81CF94

Function 07B54A68 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

\~$, xrefs: 07B54B88
or, xrefs: 07B54ABE

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: 5d9298e8ddcad96f8dd540cee096355aaefc38be7c49955e80fca942bda57122
Instruction ID: 893f6bc5ec6137540e255521195c0b24c08a9662d2c5b0e7461d612cef6e04bc
Opcode Fuzzy Hash: 5d9298e8ddcad96f8dd540cee096355aaefc38be7c49955e80fca942bda57122
Instruction Fuzzy Hash: 106158B4E1421ACFDB44CFA6D5416AEFBF2EF89300F10902AD815A7354E7349A81CF94

Function 07B52E28 Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

aY, xrefs: 07B53029
18', xrefs: 07B52F82

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: 18'$aY
API String ID: 0-535677718
Opcode ID: c8fbe0b8a29f9f6ef8d40e8299649e5e6de05f1c73e8bfec34e1287b5c7833f2
Instruction ID: 32915e5ecb48b21ba1d1d851d75a699c19197ac30b627c4e40784cd5cab30585
Opcode Fuzzy Hash: c8fbe0b8a29f9f6ef8d40e8299649e5e6de05f1c73e8bfec34e1287b5c7833f2
Instruction Fuzzy Hash: E261F2B4E1120ACFDB04CF99D580AEEFBB2BF89210F188556D815A7305D734A982CFA5

Function 07B54703 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

i#)6, xrefs: 07B547A1
p, xrefs: 07B54708

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: i#)6$p
API String ID: 0-1147749353
Opcode ID: bfd26274324a71002f0467417729134940f05f65f67f9abb4ca078ef716ec883
Instruction ID: ca2ed1a4709687ef33318c4ac65c69823afa53b2a3365d588f8d72ee6125f46a
Opcode Fuzzy Hash: bfd26274324a71002f0467417729134940f05f65f67f9abb4ca078ef716ec883
Instruction Fuzzy Hash: 8E413CB0E1524ACFDB08CFA6C5816AEFBF1EF86300F24946AC515AB254D3349B458F95

Function 07B563E0 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

?w=>, xrefs: 07B566AC

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 9ebf0d87a819bc1540e57e12d16e597c3a08c1782749b0cfe80fb03b1f438202
Instruction ID: 0f20f844574688aa924c93e156e38cbe6733d3d48a46b17554594474494c46a5
Opcode Fuzzy Hash: 9ebf0d87a819bc1540e57e12d16e597c3a08c1782749b0cfe80fb03b1f438202
Instruction Fuzzy Hash: 35B129B0D15219DFEB18CFA6D98069EFBB2FF89300F50D46AD415AB214DB349902CF54

Function 07B563D3 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

?w=>, xrefs: 07B566AC

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 5dfac6126a3dbe5ac72e4849e744a91f236536a231b25aaa32a4f454ae02a8f2
Instruction ID: 2d1674c3cb34538b49466d4330aacb58fe852661bdc3eeeae4ef8afdd4702ac4
Opcode Fuzzy Hash: 5dfac6126a3dbe5ac72e4849e744a91f236536a231b25aaa32a4f454ae02a8f2
Instruction Fuzzy Hash: CFB129B0E15219DFEB18CFA6D98069EFBB2FF89300F10D56AD415AB254DB349902CF54

Function 07B50006 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

]]o, xrefs: 07B5008F

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: ]]o
API String ID: 0-2636374853
Opcode ID: 8f79bc7dcf3114a285b2005eaf355575a0994787354dea7938ce5589e2d83665
Instruction ID: 53d643a415d00f92ff3f4dd01375dcaa1d80a562cd57d460056857cc7c3a5088
Opcode Fuzzy Hash: 8f79bc7dcf3114a285b2005eaf355575a0994787354dea7938ce5589e2d83665
Instruction Fuzzy Hash: 15713AB4D1520ADFDB44DFA9C481AEEFBB2FF89310F1480A6D915A7212D3349A81CF91

Function 07B50040 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

]]o, xrefs: 07B5008F

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: ]]o
API String ID: 0-2636374853
Opcode ID: b53ac2de2a3299dd3f9d409b4f3c8009a69c082fb878b52c116c7c46b7d007ac
Instruction ID: f8ccdbb4dfa3eec30695d9c28bfd88967b71cf5cd68c05a7a047a143c08449eb
Opcode Fuzzy Hash: b53ac2de2a3299dd3f9d409b4f3c8009a69c082fb878b52c116c7c46b7d007ac
Instruction Fuzzy Hash: 187137B4E1520ADFDB44DFA9C481AAEFBB2FF89310F148166E815A7315D3349A81CF94

Function 07B54710 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

i#)6, xrefs: 07B547A1

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID: i#)6
API String ID: 0-3600651614
Opcode ID: a7e1015f861945fd1e078d4bede8c2ce204035880904a46f1a5b369bb107125d
Instruction ID: ffbfa8dee1575f89c07d3fa4e181a63a66db359421f81e1eb9a836eee4ac996c
Opcode Fuzzy Hash: a7e1015f861945fd1e078d4bede8c2ce204035880904a46f1a5b369bb107125d
Instruction Fuzzy Hash: 94410BB0E1520ADBDB48CFA6C5456AEFBF1EF86300F20D46AC515AB254D33497818F95

Function 08350040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b69fd924af93ea5f87e9dda1fa217184147c3c099cb63450b323df630be2c96
Instruction ID: 296f0b6d360ecbdd2224d2d34d740866fe9e2ea6a778f8c1d2ab47058fc3a51d
Opcode Fuzzy Hash: 2b69fd924af93ea5f87e9dda1fa217184147c3c099cb63450b323df630be2c96
Instruction Fuzzy Hash: A8E1F774E10519CFCB18CFA9C5909AEBBB2FF89305F248169D814AB356DB31AD81CF61

Function 07B5D768 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3d638825c16c5322be17bd54470b3ef456dfabd38de32be0525809b7eb89d9
Instruction ID: 0c8a919b8de61d4eeb834c62dc76610b51a910cf5e32158c7c399963d1ca337c
Opcode Fuzzy Hash: 2f3d638825c16c5322be17bd54470b3ef456dfabd38de32be0525809b7eb89d9
Instruction Fuzzy Hash: D5E1D9B4E10119CFDB14CFA9C584AAEBBB2FF89304F249159E814A7355DB30AD81CF64

Function 07B5D330 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fcd56164602c69d73af31933d9ef0b405804d37a880e3a9143c8dbdb491099
Instruction ID: d0bbf01cdb73c42dfdb73b8085b6fc90851e0e9989195a35eddec3138bd0cfa1
Opcode Fuzzy Hash: 87fcd56164602c69d73af31933d9ef0b405804d37a880e3a9143c8dbdb491099
Instruction Fuzzy Hash: 34E1D9B4E10119CBDB14DF99C580AAEBBF2FF89304F2492A9D814A7355DB30AD81CF61

Function 07B5EF68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4266fa4cf19d14a8b5b2eb1a01e0c639cb5d0135dda0a64cdc6a55459ab4fb
Instruction ID: 3a8a7fb175a75f92eac433389f92829c5a79abe397c2c11381c7ce5089238c9c
Opcode Fuzzy Hash: bf4266fa4cf19d14a8b5b2eb1a01e0c639cb5d0135dda0a64cdc6a55459ab4fb
Instruction Fuzzy Hash: 9DE1D7B4E101198FDB14CFA9C580AAEFBB2FF89304F249159E814AB355DB35AD81CF64

Function 07B5F840 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0f562496878bd89ef4a7f52af36c9ba477d9a878edf139763b55354222d205
Instruction ID: e6f1b37ab39ec914c69d424d870eda0a61e2bde89963c9b928f65a812d34c210
Opcode Fuzzy Hash: 5f0f562496878bd89ef4a7f52af36c9ba477d9a878edf139763b55354222d205
Instruction Fuzzy Hash: F6E1D6B4E00119CFDB14CBA9C580AAEFBB2FF89304F249169D814AB355DB34AD81CF61

Function 063412C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af717e378ae310adcc102df1fd0900fc41570c35a04cb5c64d17467b572509d
Instruction ID: 4dba065047d19248b125854b5f6270a1eb71054ab4d654faab4181d4b54833b4
Opcode Fuzzy Hash: 4af717e378ae310adcc102df1fd0900fc41570c35a04cb5c64d17467b572509d
Instruction Fuzzy Hash: 84E1043182476A8ECB01EB64D990A99F7B1FF96300F50C79AD5493B221EF706EC5CB91

Function 063412F8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69710c09f1f84d3caf1c84a3bc0b07ba29ee3366117306bedee159c565b942c
Instruction ID: 1383b840426e83e97cb5c09edaab2a21264e3d2ee472624bd2c1eef226c16d20
Opcode Fuzzy Hash: b69710c09f1f84d3caf1c84a3bc0b07ba29ee3366117306bedee159c565b942c
Instruction Fuzzy Hash: 86D1D431C2075A8ACB11EB65D990A99F7B1FF95300F50C79AD5493B220EF706EC5CB91

Function 07B536D8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed44588d760abe62ed7c16c531b9bf51c139d8876f7edb92710c72821f5e1ad4
Instruction ID: bc979bac74fe04f4df0d37fb2889f389b26ebe9f7399f3b4f838cd4ae539b2ef
Opcode Fuzzy Hash: ed44588d760abe62ed7c16c531b9bf51c139d8876f7edb92710c72821f5e1ad4
Instruction Fuzzy Hash: 0F6116B4E15209CFDB44CFA9C5809DEFBF2FF8A250F24946AD805B7354D734AA418B64

Function 07B536E8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355c7e9dd39f8401e6642fa3916660edfa0ac5340139c02eca0036e9e30ff3ef
Instruction ID: f44f1db3fa1220818650067e331022aaca855827c2d9d714521980475ee2b5de
Opcode Fuzzy Hash: 355c7e9dd39f8401e6642fa3916660edfa0ac5340139c02eca0036e9e30ff3ef
Instruction Fuzzy Hash: 657116B4E15209DFDB44CFA9C5809DEFBF2FF8A250F24946AD805B7314D734AA418B64

Function 08350006 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736053995.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8350000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c92cc36b5ac64687c65dbcc6cd98f467b4a935d9520122e799ab503e32a9875
Instruction ID: 0c90b7d641bdf3ce873ce9829810d53e2dd10cf2036cb76549649435b6e6c6c2
Opcode Fuzzy Hash: 8c92cc36b5ac64687c65dbcc6cd98f467b4a935d9520122e799ab503e32a9875
Instruction Fuzzy Hash: 42518F74D04259CFCB09CF69C9909AEBBF2FF8A301F1481AAD818AB252D7355D42CF61

Function 07B54EA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4548de3c17a0759ffb34342658166a8605d383b2b6fe4607efadc7fac3d3d4
Instruction ID: 50fc00fc1d996de4a08f215a891ed7865e4e5a82794358d5c71bb138483b6174
Opcode Fuzzy Hash: aa4548de3c17a0759ffb34342658166a8605d383b2b6fe4607efadc7fac3d3d4
Instruction Fuzzy Hash: 6C5129B4D1935ACFDF08CFAAD4402EEFBB1EF8A201F14946AD81AB7254E33846458F55

Function 07B5C828 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb8ebc8ac8d1739eb3722171bbdfff103257b362735f4fff4d8d4ee49ec0221
Instruction ID: 914fe705510d5886a0bab7d2dd8cdb6e66f9fc3a9da6884c9dcab95398ce4334
Opcode Fuzzy Hash: afb8ebc8ac8d1739eb3722171bbdfff103257b362735f4fff4d8d4ee49ec0221
Instruction Fuzzy Hash: F651D4B4E1920ACBDB04CF99D4446EEFBF6FB8A310F149166E819B7211D7349941CF64

Function 07B54EB0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14df513375c99a2f324c03a48506edb5c5cff0f4d489a59eec97c5be1a7f7375
Instruction ID: 6e300abe44187f875525d88aad2d87a42e43bfa07a3fe2e1705f904391de886f
Opcode Fuzzy Hash: 14df513375c99a2f324c03a48506edb5c5cff0f4d489a59eec97c5be1a7f7375
Instruction Fuzzy Hash: 92512AB4D15319CFDF04CFAAD4406EEFBF2EF89200F14946AC81AB6214E37886458F55

Function 07B5F82F Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08b899cb092b67c65456c873e0c4976c3ecee211be1ed08c05c4c38b4b4f30e
Instruction ID: 981e6ab2d292e87c9ccfa73a0bcc1ddea0186241f81f842942cea55252c19894
Opcode Fuzzy Hash: b08b899cb092b67c65456c873e0c4976c3ecee211be1ed08c05c4c38b4b4f30e
Instruction Fuzzy Hash: 91511BB4E042198FDB14CFA9C5846AEFBF2FF89304F2481AAD858A7256D7319D41CF61

Function 07B5EF58 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7373909d4093a9e60c139863b7e5b2fcab1eda53bc185324110fafb5ce332cad
Instruction ID: 2ab7ba56beab83180548391a3524a6cfa4122cc9155e47af53b419c1a3244b8f
Opcode Fuzzy Hash: 7373909d4093a9e60c139863b7e5b2fcab1eda53bc185324110fafb5ce332cad
Instruction Fuzzy Hash: AF510CB4E102198FDB14CFA9C5445AEFBF2FF89304F2481A9D818A7255DB359D42CFA1

Function 07B5D759 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a66cfa3ad0c73243a3ea71bf4471f5c2f38853643a68ee93005aede4c36712
Instruction ID: 78380310df23f7c2a352a30f4bd527ec3131fef45e322a28b67e6b4cf8df0c9f
Opcode Fuzzy Hash: 05a66cfa3ad0c73243a3ea71bf4471f5c2f38853643a68ee93005aede4c36712
Instruction Fuzzy Hash: DE510AB4E002198BDB14CFA9C5845AEBBF2FF89304F2481A9D818A7256DB309D41CFA1

Function 07B534B8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e59d738ebea1cbe1f260c0fb11444c88f46455c4ab69180756c485c25948491
Instruction ID: d46c3a1c7d3574b57ba25abe82f8379ff3831f81c55f877fd40db4fe0ffa53a6
Opcode Fuzzy Hash: 6e59d738ebea1cbe1f260c0fb11444c88f46455c4ab69180756c485c25948491
Instruction Fuzzy Hash: 334138B0D1520A9BDB44CFAAC4816AEFBF2BF89344F24D06AC815E7354E7349A41CF94

Function 07B534C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735587816.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954d08052093843cc3cc29ca81102ec3bc7f689993ebd2a78778f7b6576bc3d8
Instruction ID: f7e48901b65a84cd717e361dff58c250745e90ab46d119c3e486162d7a4e5d32
Opcode Fuzzy Hash: 954d08052093843cc3cc29ca81102ec3bc7f689993ebd2a78778f7b6576bc3d8
Instruction Fuzzy Hash: DF4107B0D1520ADBDB44CFAAD5816EEFBF2BB89340F24D06AC815E7354E7349A418F94

Function 0634E8C1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377ec8016881d00074da6dec370cdeefd68b2db37c93e603392c5c56e262dadf
Instruction ID: 937095e8e9d340c7d9097700c5ae1f3dfa848021eb61efdf4751d11be29ad810
Opcode Fuzzy Hash: 377ec8016881d00074da6dec370cdeefd68b2db37c93e603392c5c56e262dadf
Instruction Fuzzy Hash: 90210071E057598BEB58CF6BD80069EFFF3AFC9200F08C0BAD458A6264DB3419458F55

Function 0634F370 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732712585.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6340000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6c4abc5d3c36430be0f8ddd2f01c2a6e9b3784fc11f33815b635ccecadec89
Instruction ID: e036cda5f426d48e1c3dd4fb9aa70dbd4d7ae429ca3b34e4b6ec6d9bd1637bdc
Opcode Fuzzy Hash: 7a6c4abc5d3c36430be0f8ddd2f01c2a6e9b3784fc11f33815b635ccecadec89
Instruction Fuzzy Hash: 83E0127265D316390EFC6CB80D056C7ABC71293364766B33ED011DA5D59E95050B74D1

Analysis Process: Contrarre.exePID: 7816, Parent PID: 7488COMMON

Executed Functions

Function 00F1C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 00F1F910

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: e149e9111ce9254fc383236b69fb24378681c2e88e585b3d26160949d69bf0cf
Instruction ID: d5bbfb148ec00912db8f320744a90b309f6a07a02d47860fbea1b7e8b6393b04
Opcode Fuzzy Hash: e149e9111ce9254fc383236b69fb24378681c2e88e585b3d26160949d69bf0cf
Instruction Fuzzy Hash: 0273D631D1075A8EDB11EF68C854AD9FBB1FF99310F11D69AE44867221EB70AAC4CF81

Function 00F12DD1 Relevance: 2.9, Strings: 2, Instructions: 403COMMON

Download Yara Rule

Strings

$^q, xrefs: 00F12DF6
Xbq, xrefs: 00F12E0F

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 94943840b1d739dc9e9e55c5b95200f7dce12bfd2ba6ef3f7a5cb74aa2ccf777
Instruction ID: 4d8cb8531d029d4c9eeca9f1c58bd03cae50954944d5fabc94e2ce8cb7fef317
Opcode Fuzzy Hash: 94943840b1d739dc9e9e55c5b95200f7dce12bfd2ba6ef3f7a5cb74aa2ccf777
Instruction Fuzzy Hash: B6E18D74F052489FDB08DFB9D8546AEBBB2BF88300F18842AE446F7358DE349946DB51

Function 00F19480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaae7c533b8d167401b5957971c8cf56ac1b533a84a346876d6e93916605979d
Instruction ID: 61c6e36dec30f9022a24131e53859e113ff7fe1c647140064ef02960303d5ca8
Opcode Fuzzy Hash: eaae7c533b8d167401b5957971c8cf56ac1b533a84a346876d6e93916605979d
Instruction Fuzzy Hash: 36C18074E00218CFDB14DFA5D994B9DBBB2FF89300F2085A9E809AB355DB359A85CF50

Function 00F1C521 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88e4e0aff1f5c225ef9d4d1fabd6d812a23789a3bfaf66cf80b56ef911d56c4
Instruction ID: af56be8c0cb204e953bb4c358a2cf99d143aef94a99098c8159cdaddf58accab
Opcode Fuzzy Hash: a88e4e0aff1f5c225ef9d4d1fabd6d812a23789a3bfaf66cf80b56ef911d56c4
Instruction Fuzzy Hash: 02A12571D116198EDB14DFA9C8847DDFBB1EF89310F14C2AAE408A7260EB709AC5CF41

Function 00F19A30 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f5fb0601da33429b65e02328493eaf737783e2c12ad3b50647b00c289f09b0
Instruction ID: 5914f8694047d05e31eadeb16941c594a381aeafcbcffe3bc26fbc78697106a1
Opcode Fuzzy Hash: c3f5fb0601da33429b65e02328493eaf737783e2c12ad3b50647b00c289f09b0
Instruction Fuzzy Hash: 05A11470E00208CFEB14DFA9D598BDDBBB1FF89314F209269E409AB2A1DB745985CF54

Function 00F19A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d53b70ced3be9034753987d5156339872582b8dec2935ca254363a151a42310
Instruction ID: e9886114ce4c9c2863fa328730eccb7dc23651516b2b10d72b41cbbeaea228ee
Opcode Fuzzy Hash: 8d53b70ced3be9034753987d5156339872582b8dec2935ca254363a151a42310
Instruction Fuzzy Hash: A3A10470D00208CFEB14DFA9D994BDDBBB1FF89310F209269E409AB2A1DB745985CF54

Function 00F19D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca64e0bddd9c90822daaab22df27836402f8789da67539f2a41a5882a58a47f0
Instruction ID: ec2d8a3dab9f476b1d396bd9bc02eb47fcdd0242697070810b1569b0d45da90b
Opcode Fuzzy Hash: ca64e0bddd9c90822daaab22df27836402f8789da67539f2a41a5882a58a47f0
Instruction Fuzzy Hash: 73910470D04208CFEB10DFA8D998BDCBBB1FF49310F209259E449AB2A1DBB49985CF55

Function 00F1946F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95409c874555053edd57b1feb4c8fbf2ca1f0fa21aaf9e44acdeb47ce79c04d
Instruction ID: a9d2477ebec91ef5b4e091be17ff288b51216d1d8e8a8b7a952cd604e45fefab
Opcode Fuzzy Hash: f95409c874555053edd57b1feb4c8fbf2ca1f0fa21aaf9e44acdeb47ce79c04d
Instruction Fuzzy Hash: 5041F5B4D04208CBEB18DFAAD8546DDFBF2BF89300F24D12AD415AB254EB385946CF50

Function 00F1B500 Relevance: 6.7, Strings: 5, Instructions: 401COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F1B54E
Hbq, xrefs: 00F1B749
Hbq, xrefs: 00F1B6EA
8cq, xrefs: 00F1B941
TJcq, xrefs: 00F1B97A

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: 8cq$Hbq$Hbq$Hbq$TJcq
API String ID: 0-1895975235
Opcode ID: 54f27d5cf26ccf63104a2ae79d8090b2d66d25aa00f0804a7607f0a4f0423869
Instruction ID: ecfca20a1784610a190fe9075b0db73bc60e69fd4ffa120839cc3b9e0c225398
Opcode Fuzzy Hash: 54f27d5cf26ccf63104a2ae79d8090b2d66d25aa00f0804a7607f0a4f0423869
Instruction Fuzzy Hash: E0D10371B04204CFCB15DB68C890AEE7BB6EF89320F2844A5E505EB3A5CB35DC82DB51

Function 00F13F78 Relevance: 6.4, Strings: 5, Instructions: 125COMMON

Download Yara Rule

Strings

LjAp, xrefs: 00F14088
PH^q, xrefs: 00F140F2
0oAp, xrefs: 00F13FDA
PH^q, xrefs: 00F140E1
LjAp, xrefs: 00F14078

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: e7e6548ba664873ebab2b6a712c16d0c25ca474674417b45a5d45ec2eed29ca8
Instruction ID: c29f46f84601f24de12bb49e62527ac8bb0ccbd7956910840829eb1ed28e6457
Opcode Fuzzy Hash: e7e6548ba664873ebab2b6a712c16d0c25ca474674417b45a5d45ec2eed29ca8
Instruction Fuzzy Hash: DD51B674E01208DFCB44DFAAD594A9DBBF2BF89310F148429E815BB364DB35A986DF10

Function 00F119B8 Relevance: 5.8, Strings: 4, Instructions: 845COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00F11B2F
Xbq, xrefs: 00F11A76
Xbq, xrefs: 00F11AB0
Xbq, xrefs: 00F11B7C

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 0d5464aab226b465ec2eac6a371fc72518effda83f0ca2f1b6525ccadeb7d6c2
Instruction ID: 470b883e60ce62253fc60d5bfc1c38aded7ec893eb07ce651eaf2e7caa56bfbe
Opcode Fuzzy Hash: 0d5464aab226b465ec2eac6a371fc72518effda83f0ca2f1b6525ccadeb7d6c2
Instruction Fuzzy Hash: 99421E52F2D2D18FDBAA4BB04CBA195BFE09E92110FB899BFC0C166882F554448FD753

Function 00F1AF78 Relevance: 5.3, Strings: 4, Instructions: 322COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F1B206
, xrefs: 00F1B065
Hbq, xrefs: 00F1B1D3
Hbq, xrefs: 00F1B239

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: $Hbq$Hbq$Hbq
API String ID: 0-580995494
Opcode ID: 7fa9e9c3c9e3fe19c9a85c190eae508666b66d6a33b0847ec561e0f5472f52dd
Instruction ID: c4d0114d5554befe507b4623fc7a44f2f1a425e1d6469444526af121b98699f4
Opcode Fuzzy Hash: 7fa9e9c3c9e3fe19c9a85c190eae508666b66d6a33b0847ec561e0f5472f52dd
Instruction Fuzzy Hash: BEB12531B04244DFDB15AF78E8692AE3BA2FF89320B24412AE466DB3D1CF359D42D751

Function 00F1AF73 Relevance: 5.2, Strings: 4, Instructions: 240COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F1B206
Hbq, xrefs: 00F1B1D3
Hbq, xrefs: 00F1B239
, xrefs: 00F1B015

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: $Hbq$Hbq$Hbq
API String ID: 0-580995494
Opcode ID: a887ce8016899550d4953691e24e5e63ff69cb2e70db7cc70b0a015d9ab6a9c4
Instruction ID: b8539113f75adb6772b84c65e2d404e466573df9561aa077d4426ba95e3c7c97
Opcode Fuzzy Hash: a887ce8016899550d4953691e24e5e63ff69cb2e70db7cc70b0a015d9ab6a9c4
Instruction Fuzzy Hash: 2481F231B04240DFDB15AF78D8692AE3BA2FF89360B20452AE456D73D1CF399C42CB51

Function 00F12C78 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00F12CBE
Xbq, xrefs: 00F12C95

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: df8dec102d87a2fa55296aa775e651546d412792e04320e53601ca788fa3c7c3
Instruction ID: b989ebcd1fe58633ecc2bce5a2eb0271f0f64508e39d5a286f81da244da595b6
Opcode Fuzzy Hash: df8dec102d87a2fa55296aa775e651546d412792e04320e53601ca788fa3c7c3
Instruction Fuzzy Hash: 27312835B042158BDFA846B9A9942FEBAA6BBC4320F14443ED902D3394DB74CC95A391

Function 00F1B869 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8cq, xrefs: 00F1B941
TJcq, xrefs: 00F1B97A

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: e7464b048507f57dc495fcd644ff76df7a1ddca48bcd329c001fcad8dfc2cc05
Instruction ID: d803df4d415b6baef25d8b9cfad54537d5910f8a9dc0bec14985320bfc11930d
Opcode Fuzzy Hash: e7464b048507f57dc495fcd644ff76df7a1ddca48bcd329c001fcad8dfc2cc05
Instruction Fuzzy Hash: 84313735B001098FCB04EFA8C580EDDBBB2EF88320F555094E505AB365CB70EC868B90

Function 00F1B89D Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8cq, xrefs: 00F1B941
TJcq, xrefs: 00F1B97A

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: 805b0cbd14d9a6dfc09bbb5cef50d048bb8d69c9e3aa2c804d2e111b535326b0
Instruction ID: ddc0dd02676c0ed57cead16b6e0c68ff0fe1367bec44f5b6cd851a52f1bfef2d
Opcode Fuzzy Hash: 805b0cbd14d9a6dfc09bbb5cef50d048bb8d69c9e3aa2c804d2e111b535326b0
Instruction Fuzzy Hash: 5B311735B401098FCB45EFA8C980EDDBBB2EF88320F555494E505AB3B5CB71ED868B91

Function 00F10B20 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00F10B62

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: c3d7ede9e3af9f7730fe66efe5e6835ed56988a09b714fc42d3474aef2222b8b
Instruction ID: 2541df2e1c3292281d707417fca44bf41005a0a9acb1918341ee88218a3b81c0
Opcode Fuzzy Hash: c3d7ede9e3af9f7730fe66efe5e6835ed56988a09b714fc42d3474aef2222b8b
Instruction Fuzzy Hash: E1A1BE78A00249CFCF05EFA8E995A9DBBB1FF48305B104629D415AB36DDB74AD46CF80

Function 00F10B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00F10B62

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 2b2d729205c904c837bdca52c178212cf8160fcbacd32ce4e0e6a77ec63058c9
Instruction ID: 502f67b3f87085ce255838fdaccf8ab21fd5e56bdf6046bb20b23b77a49d5c90
Opcode Fuzzy Hash: 2b2d729205c904c837bdca52c178212cf8160fcbacd32ce4e0e6a77ec63058c9
Instruction Fuzzy Hash: C1A1BF78A00249CFCF05EFA8E995A9DBBB1FF48305B104529D415AB36DDB74AD46CF80

Function 00F1BC28 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F1BD2D

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 242c5b594bf691d4fa93145cb6ae00dded42417f3797872c921e89297d88df82
Instruction ID: ec1d42a610f7bd695b24ea6ac8bd1702461242a53802453fa69dbd6797f0e531
Opcode Fuzzy Hash: 242c5b594bf691d4fa93145cb6ae00dded42417f3797872c921e89297d88df82
Instruction Fuzzy Hash: 0141A031B00248DFCB05EBB8D8566AE7FB6EF89340B1444B9E545DB352DE389D42D790

Function 00F1BDE8 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F1BE36

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 87e0cd1d9a7ab8974d18bde96dd20473c5cc0e09b4fa06c2f551fb0914151db5
Instruction ID: 05b7fd5079194ee30eb7ba77e20db75d3e52457fac8c079d151ebfe8e63f0149
Opcode Fuzzy Hash: 87e0cd1d9a7ab8974d18bde96dd20473c5cc0e09b4fa06c2f551fb0914151db5
Instruction Fuzzy Hash: FA319C30704244DFC708EF78C895AAE7BB6FF89310B2480A9E5468B365CB359D42DB90

Function 00F1BF80 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd35cb141187efef4a57a192b14615084914d868983d7d9d9c0b5795a777bd4
Instruction ID: 8d679a6e4b39674a06069eadebc1447fe22de96abf6e96a3585fd12c06c43f4c
Opcode Fuzzy Hash: 2bd35cb141187efef4a57a192b14615084914d868983d7d9d9c0b5795a777bd4
Instruction Fuzzy Hash: EB61E272B40205EFCB14CBBDD854AEEBBB5EBC8324B14852AE459D7350DA31DC818BA0

Function 00F13168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94916b7361b62b01be594ad396cd37d678edc47000bae11b61fcad2eb5386e1a
Instruction ID: 486ac6321980531751413107e82975cc4ba7c2ea8f3046a5235979a4884b4e3a
Opcode Fuzzy Hash: 94916b7361b62b01be594ad396cd37d678edc47000bae11b61fcad2eb5386e1a
Instruction Fuzzy Hash: CB419075E012089FCB08DFAAD884ADDBBB2FF89310F249429E805BB364DB359945CF14

Function 00F19249 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9383708a2b1e007472de5a78542d3afce358b6deb9605662f7ed19b637fd578
Instruction ID: b373f8a43a9d4cc147fbb7858a5619d7500939bad46425434cf7850275f65b27
Opcode Fuzzy Hash: a9383708a2b1e007472de5a78542d3afce358b6deb9605662f7ed19b637fd578
Instruction Fuzzy Hash: BC31B7B503624A8FD2053B21A6AE17EBFB4FB4F323704AC01F00AC24519F38458ADB60

Function 00F118C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0cf0c3546d053011cd55dd9867fc28cf54b087973222cf56cadda071450210a
Instruction ID: dd0b1fab8fd0a643a67ea44a005711c485398ba9ff924b90c8676edd8c3ca4b7
Opcode Fuzzy Hash: e0cf0c3546d053011cd55dd9867fc28cf54b087973222cf56cadda071450210a
Instruction Fuzzy Hash: 8E21BD71A001069FCF24DF34C4509EE37A5FB99764B60C01AE95E9B240EA38EE46DBD2

Function 00ECD005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2962913755.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ecd000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c470e98b7b232e97e28315d7036703bbe905d237eaefe0b70c81d7e8e121255
Instruction ID: 2ed516310bc7b9b48eaabcb69fa0558a5d9ff2390075cedf96ccaa663bfd38fb
Opcode Fuzzy Hash: 3c470e98b7b232e97e28315d7036703bbe905d237eaefe0b70c81d7e8e121255
Instruction Fuzzy Hash: 4D212B7150D3C49FD703CB24D994B11BF71AB46214F29C5EBD8898F2A7C23A985ACB62

Function 00ECD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2962913755.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ecd000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9894c83b6819d4c835d18ba7c3693088b97bd841c86b5fc69d752d91bc0eb7
Instruction ID: 4b245f81dd8abb74daeb51e232ae425b01fb5e65f60b118bb5c83101ede7bdc0
Opcode Fuzzy Hash: 1b9894c83b6819d4c835d18ba7c3693088b97bd841c86b5fc69d752d91bc0eb7
Instruction Fuzzy Hash: 0521D071508204EFCB14DF18DE81F26BBA6EB84318F24C57ED8495A296C37BD847CA62

Function 00F10EC8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507d21bbf8c608f780072a2aa6d3ef5f84a2c4525f525256bf4553972723ab4e
Instruction ID: d35c22d26197db4c7c65e52f985e3208059bed9a99bc692f389d3103584bd805
Opcode Fuzzy Hash: 507d21bbf8c608f780072a2aa6d3ef5f84a2c4525f525256bf4553972723ab4e
Instruction Fuzzy Hash: 5E219D74E002089FCB05EFB9C5127EEBBB2EB85304F1084B9D4146B398DBB48A86CF40

Function 00F117B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4386034b0bc7d582f306a0517e8d54abc337c71417b263d77a624fa330f1c0
Instruction ID: c813497b65ea20f7985c36d72e28e0d58dcd7afeeecc1c2287851e5b1a497905
Opcode Fuzzy Hash: cc4386034b0bc7d582f306a0517e8d54abc337c71417b263d77a624fa330f1c0
Instruction Fuzzy Hash: 652114B5D0520A8FCB05DFA8D9846EEBFF0FF0A314F04416AD445B6264EB354A85CBA1

Function 00F1BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852e896dca34a86f4edceacecc1df32f37a0dbe78cdeeea64fdfe838f2bea7a3
Instruction ID: 73c799e44b7a43281335f6c8414e542caae574016a0834bbe023f2a66bddad2f
Opcode Fuzzy Hash: 852e896dca34a86f4edceacecc1df32f37a0dbe78cdeeea64fdfe838f2bea7a3
Instruction Fuzzy Hash: DE118876704204CFC714DB69E988A9AB7E6FFC8721B20846AE14ACB774CB71EC44CB50

Function 00F14850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e055192380b16f8317de4ba176890207ea65da254c45e0cef7d358aa2d7576b
Instruction ID: 49c09afcc055132f3c8038970d8b7630688136b6b6199925d6956a3691c7ed79
Opcode Fuzzy Hash: 3e055192380b16f8317de4ba176890207ea65da254c45e0cef7d358aa2d7576b
Instruction Fuzzy Hash: CB01F172F003015FE724ABB988586AB37EAAFC83343048479C949CB318FE74DC428792

Function 00F14860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387a510630e29142fbaa20902f818dd3fcaf7333a13fd00a8d2b083cc0f46ae2
Instruction ID: d68d31aabd725a18116d050c5e20eed1aef5aed7385b03804da035d22d601f90
Opcode Fuzzy Hash: 387a510630e29142fbaa20902f818dd3fcaf7333a13fd00a8d2b083cc0f46ae2
Instruction Fuzzy Hash: 2901AD36F002115FD724ABBA894866F76EBAFC87343108839D909C7318FE71DC028792

Function 00F1A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1827e427ba0bdca0cc1bb92fa80c66e8e433f582e818e04fe1bed45712e72117
Instruction ID: 3959b61c2ba231bce5ba0cd8e5850a3ca2053fff113fce2ddc3794c2cc2615e6
Opcode Fuzzy Hash: 1827e427ba0bdca0cc1bb92fa80c66e8e433f582e818e04fe1bed45712e72117
Instruction Fuzzy Hash: 78019EB1E002099FCF10DF69D8495AE7FBAFB88350B00402AF91AD3241DF348D11CBA1

Function 00F1BB46 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372eb0653b25daa6fff5428604456028bed147e49b16600582be4c664a988093
Instruction ID: 0221eff6afb1c917bbf97a8fc298734db37f2c91f174be0e7431a569fcdf648b
Opcode Fuzzy Hash: 372eb0653b25daa6fff5428604456028bed147e49b16600582be4c664a988093
Instruction Fuzzy Hash: 47017C76B04200CFD714DB69DA98BA6B3E6BF88721F148469E14ACB764CB70EC84CB10

Function 00F1A4F9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ab1f44276d195a4cdf3490848e6782bd0185e67ac80a1c8175111c398d96f0
Instruction ID: 5c57be836c9815e95781ca12583f49682cb3bd1b82b4ef9cb94e8cacb59fbd5b
Opcode Fuzzy Hash: 85ab1f44276d195a4cdf3490848e6782bd0185e67ac80a1c8175111c398d96f0
Instruction Fuzzy Hash: 8C0184B1E0411A9FCF15DFA9D8489EE7FB5FB89310B10412AF959D3241DB348D11DB92

Function 00F1BEF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e84ac99d749eaca881a4b7b1e3e13bfde705a77c79d2414edad9f7516692a4a
Instruction ID: e0e33f136ea8e99fec87dac0811b601eea9f33ff884de6a0b1cc31349b850ce9
Opcode Fuzzy Hash: 8e84ac99d749eaca881a4b7b1e3e13bfde705a77c79d2414edad9f7516692a4a
Instruction Fuzzy Hash: 3FF0C2367002549BCB156AB4A80A1AD3FEAEBC9321F14482AE54AC7385DF3ACC439B40

Function 00F1C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432de315b44123aed2d9feb966d729956eb93577fd19d361239e5cb81c1e0919
Instruction ID: 73bafdbfd695e61e2698b2d651131c5a36f6957279efcd5cb51ac2f7f28fd066
Opcode Fuzzy Hash: 432de315b44123aed2d9feb966d729956eb93577fd19d361239e5cb81c1e0919
Instruction Fuzzy Hash: 64F02032B402119BCB199B6AE8109AEB7AAEFC4730710007AF509EB351CF32CC028790

Function 00F1B9EA Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6452d8b1b3232a4c2ee0500efe94f17751503b3f890c61421509dea6b9cbe038
Instruction ID: 0878218dc7cf0b9dfc66fb7fa6feb3a0664a543b2058331ff77f63e2399dddd7
Opcode Fuzzy Hash: 6452d8b1b3232a4c2ee0500efe94f17751503b3f890c61421509dea6b9cbe038
Instruction Fuzzy Hash: E1F024B2A00204AFCB41DFB9A9409EFBFF5FB48310B000526E105E3601E7349A069BE0

Function 00F1B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f341498b07a84463276be372e4a146b694827921abc4c1c6be83a1bff84602
Instruction ID: 9372493e2045b41278ab27cb11ecee7901280ac3e308db09982a483b4faafb7f
Opcode Fuzzy Hash: 63f341498b07a84463276be372e4a146b694827921abc4c1c6be83a1bff84602
Instruction Fuzzy Hash: FEF08272A042089F8B50DFAED8409DFFBF5FB88350B10453AE509D3611E770AA559BE1

Function 00F146C9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52ff2d43991865fd61e4b10aaffa4a580851aa6303bd66b6297c39639417eea
Instruction ID: 31f35ae6a2e7654c805807edab5d159298b306f3c440a1ed2491ea1195f8d988
Opcode Fuzzy Hash: d52ff2d43991865fd61e4b10aaffa4a580851aa6303bd66b6297c39639417eea
Instruction Fuzzy Hash: 53F0A576065B428FD3106B66FCACA6ABB30FF0B317B442D64E01AA1071CB72209ACF14

Function 00F146D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89758bd50903beb1211566d8150903c62fdf2f750a60689bf6130d4b537eb0ac
Instruction ID: 1007ec9090a3bffd15f4476b4e61f476e26fba218b7e1dbb096aab5f11076adb
Opcode Fuzzy Hash: 89758bd50903beb1211566d8150903c62fdf2f750a60689bf6130d4b537eb0ac
Instruction Fuzzy Hash: 77E00A76021B068FD3142B66B9ACA7A7A65FB0B317B806D24E00EA10718F72748A9E54

Function 00F11877 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e58b762fdf102ef67891be5dfd734379ee483160261207b3d71746d610d132
Instruction ID: e217a4f3a0440275b0bcb789a8e2e72d29d58e2b4f2f7efd1532be36f2169f1e
Opcode Fuzzy Hash: 61e58b762fdf102ef67891be5dfd734379ee483160261207b3d71746d610d132
Instruction Fuzzy Hash: 3AE08672D202265BCB019EA0DC016EEB774EFD1315F954226D45873140FB71655A8BA1

Function 00F11888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a0a56d6e3863fdb83dd12405e30e0ba01e168435e54ad385ecccf12e715e92
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 26a0a56d6e3863fdb83dd12405e30e0ba01e168435e54ad385ecccf12e715e92
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 00F14831 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f804737a4c4c526db5bfc79c5dda16ef43a8ea63e0cb6725981af25510b0deb9
Instruction ID: 2ff142f1b5a198e23c50cee6c2718a06e2e13b760ef2b6056a61640d27fc35f6
Opcode Fuzzy Hash: f804737a4c4c526db5bfc79c5dda16ef43a8ea63e0cb6725981af25510b0deb9
Instruction Fuzzy Hash: 74C0487440D3C40FCB2B937405B90A97F709A13200B6808CBD0C28A0A7E42AA006E342

Non-executed Functions

Function 00F11A40 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00F11B2F
Xbq, xrefs: 00F11A76
Xbq, xrefs: 00F11AB0
Xbq, xrefs: 00F11B7C

Memory Dump Source

Source File: 00000006.00000002.2963148159.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_Contrarre.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: d06b3afe6e5f5ff9cd76d6d4b34fbb3ed2aad8bb9738f1fd17e1da6573463c2e
Instruction ID: 76310d9d244cc0181849cd7f36587a378909922fdb9806e6399de45cfcf6a22c
Opcode Fuzzy Hash: d06b3afe6e5f5ff9cd76d6d4b34fbb3ed2aad8bb9738f1fd17e1da6573463c2e
Instruction Fuzzy Hash: 53318371E0421D8BDF64CBA989803EEBAB6BF94320F144479C519A3254EB34CDC1EB92

Analysis Process: DWKfptrbzzV.exePID: 7912, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	79
Total number of Limit Nodes:	6

Executed Functions

Function 0287C570 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1764277567.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2870000_DWKfptrbzzV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e207f83e23458e2c8d5a6ff64579caaca2a263dde5fad64437fc528fb461bb46
Instruction ID: eb808947b339c47ee7c5ac8ceaade480edd7d2986efe2ef0dce6f69566ac8e52
Opcode Fuzzy Hash: e207f83e23458e2c8d5a6ff64579caaca2a263dde5fad64437fc528fb461bb46
Instruction Fuzzy Hash: 80711078A00B058FDB24DF69D08075ABBF2BB88704F10892ED48ADBA50DB75E945CB91

Function 02875D94 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02875E51

Memory Dump Source

Source File: 00000007.00000002.1764277567.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2870000_DWKfptrbzzV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 94006e3277759ab5cdc45715ae691fefae8a4c7c059356cf456838049ca5dbf6
Instruction ID: 8fdeb4108e1cef05d2108b9458e45d73dbb87d328250f95fd773dc2726d58177
Opcode Fuzzy Hash: 94006e3277759ab5cdc45715ae691fefae8a4c7c059356cf456838049ca5dbf6
Instruction Fuzzy Hash: 4241E3B5C00619CBDB24DFA9C8847DEBBF5BF49304F24806AD408AB254DB75A94ACF90

Function 02874524 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02875E51

Memory Dump Source

Source File: 00000007.00000002.1764277567.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2870000_DWKfptrbzzV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b0924ab661b69b2381fa0afbc4eded571e80fbb8fb352059449a17308c4d5bf8
Instruction ID: c8890f579c66b42e49350bccf3a781e949cdc8765413076011038123a7d7110b
Opcode Fuzzy Hash: b0924ab661b69b2381fa0afbc4eded571e80fbb8fb352059449a17308c4d5bf8
Instruction Fuzzy Hash: 0441E2B5C0061DCBDB24DFA9C844B8EBBF5BF89304F60806AD408AB255DB75A946CF90

Function 0287E5D8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0287EA0E,?,?,?,?,?), ref: 0287EACF

Memory Dump Source

Source File: 00000007.00000002.1764277567.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2870000_DWKfptrbzzV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 844be1734af17b334e05da2c782783ad495c362f943c4e36a2966f5b8b9f0895
Instruction ID: 0160f9fe45e708100270f214512e7e1ef4dff231d62254d9c886c1f13f5d34d2
Opcode Fuzzy Hash: 844be1734af17b334e05da2c782783ad495c362f943c4e36a2966f5b8b9f0895
Instruction Fuzzy Hash: D02103B59002489FDB10CFAAD584ADEFFF8FB48310F14806AE958A7310D378A950CFA4

Function 072BFB48 Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 072BFBB2

Memory Dump Source

Source File: 00000007.00000002.1770288724.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_72b0000_DWKfptrbzzV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d17b4d0eb1c6eee6401f2c80cd2a010a78bd9f00ac9845cb77b5a643862985d4
Instruction ID: 4c9b1aadae8947741fe01a00f3dea7f3bcf5e1eb8ba6db6c0cfab7bb37431fcb
Opcode Fuzzy Hash: d17b4d0eb1c6eee6401f2c80cd2a010a78bd9f00ac9845cb77b5a643862985d4
Instruction Fuzzy Hash: 2E1158B19003598FDB20DFAAC8457EEFBF4EB88324F248429D459A7240CB78A544CFA4

Function 0287C224 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0287C58C), ref: 0287C7C6

Memory Dump Source

Source File: 00000007.00000002.1764277567.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2870000_DWKfptrbzzV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c6b2d7524298577daaa84a5b8a7fd626a167f9002245d5632d19f36d4d8954f9
Instruction ID: 0bf8cba3f6c1525f9f07884e628335d32f0cb126ad6b2177c9be89456391a77d
Opcode Fuzzy Hash: c6b2d7524298577daaa84a5b8a7fd626a167f9002245d5632d19f36d4d8954f9
Instruction Fuzzy Hash: 231132BAD003498FCB10DF9AC444ADEFBF8EB88314F10842AD918B7600C778A545CFA5

Function 0287B072 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0287B0E5

Memory Dump Source

Source File: 00000007.00000002.1764277567.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2870000_DWKfptrbzzV.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d1edd18c28d3c7991d928177cd6575efe13175d3640bf23a3efafedd6cf257bc
Instruction ID: 44f86adda69fcc0ae705ed827d4b024c2f3e54ca80cf17e55a04ef4506425479
Opcode Fuzzy Hash: d1edd18c28d3c7991d928177cd6575efe13175d3640bf23a3efafedd6cf257bc
Instruction Fuzzy Hash: 7511BBB9904389CFDB10CF55E1053EEBBF0EB45328F20809AD599A7252C7389A45CF65

Function 0287B080 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0287B0E5

Memory Dump Source

Source File: 00000007.00000002.1764277567.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2870000_DWKfptrbzzV.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8231ada4102edcad16ed336c3f3fffb41b4fae520c13bdbc34c10f927525cf80
Instruction ID: c22244c7ac85dbb7e3e11911ecf75d499c9b39a656e349914d4b99448f89c4dd
Opcode Fuzzy Hash: 8231ada4102edcad16ed336c3f3fffb41b4fae520c13bdbc34c10f927525cf80
Instruction Fuzzy Hash: 6111DDB5800388CFDB10DF5AD0043EEBFF4EB45328F108099D598A3242C339AA04CFA5

Function 072BFB50 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 072BFBB2

Memory Dump Source

Source File: 00000007.00000002.1770288724.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_72b0000_DWKfptrbzzV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7c6da3f3192c71e18a4b2c7c96777f1ca6842159d275ad104a86db397302c850
Instruction ID: da1acd315bbeec8363341c8d89d0c78b77b2a23dddc4dc4303026a869f47b283
Opcode Fuzzy Hash: 7c6da3f3192c71e18a4b2c7c96777f1ca6842159d275ad104a86db397302c850
Instruction Fuzzy Hash: 0A113AB19003498FCB20DFAAC5457DEFBF4EB88324F208429D559A7250C779A544CF95

Function 027DD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762342651.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27dd000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626c6c3343eed24ba45ae6522d8f368bcb84144c8f3f19c87cb96e1f784dad24
Instruction ID: 780b7b1fd75fbe3bc6f21fb93213a16fb3a94a64cc47447c696b4e1327a95f0a
Opcode Fuzzy Hash: 626c6c3343eed24ba45ae6522d8f368bcb84144c8f3f19c87cb96e1f784dad24
Instruction Fuzzy Hash: 3421FFB2504200DFDB25DF14D9C4B2BBFB5FB88314F24C6A9E9095A256C336E416CBA1

Function 027DD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762342651.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27dd000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d876a05ac7ae815bf16bc7dd222c49f40c91d49b142db7f9053be90c804d0da5
Instruction ID: 5e4e40d163ad85eca42f73d1b076fcfe2766723093cc8de89ad6a0e56baf99e5
Opcode Fuzzy Hash: d876a05ac7ae815bf16bc7dd222c49f40c91d49b142db7f9053be90c804d0da5
Instruction Fuzzy Hash: B6212572540240DFDB25DF14D9C0B27BF75FB88318F24C569E80A0B256C336E456CBA1

Function 027ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762609526.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27ed000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe7aabb5a0658677144c000ad1a1bc60630067d09fa61919acc80eb18ceb05e
Instruction ID: 52337ad829f3617dbbfafb1137d86cecadff89c9fa7ca43e2b6eaf8db01fba3a
Opcode Fuzzy Hash: bbe7aabb5a0658677144c000ad1a1bc60630067d09fa61919acc80eb18ceb05e
Instruction Fuzzy Hash: 9C21FF71604204DFDF24DF24D9C4B26BFA9FB88314F28C569E80A4B296C33AD847CA71

Function 027ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762609526.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27ed000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9dd2cbab02914b866cb0ae62677d282422aa5e785430bc470d04c38ac03879a
Instruction ID: 2296469a03058124c1a4e9bfeeac18c2bef4bbb47559368fa05c1296d8bf555d
Opcode Fuzzy Hash: d9dd2cbab02914b866cb0ae62677d282422aa5e785430bc470d04c38ac03879a
Instruction Fuzzy Hash: 7F21D075504200EFDF25DF14DA80B26BBADFB88314F20C669E80A4B296C336D446CA71

Function 027ED007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762609526.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27ed000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
Instruction ID: 42cd02ca2b78b80a47eaa06d82b1f1d40caba43b5a149a9efd71b7451edde9cb
Opcode Fuzzy Hash: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
Instruction Fuzzy Hash: 902181755093C08FDB12CF24D994715BF71EB4A214F28C5DAD8498F6A7C33AD80ACB62

Function 027DD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762342651.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27dd000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: 71b141709bf285def9e05f1eeef163fce11af44fcc6f6c7b88c85a8bbfd45567
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: 8021B176504240DFDB16CF50D9C4B56BF72FB88314F28C5A9DD090B656C33AE42ACBA1

Function 027DD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762342651.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27dd000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 05aee3a47db8e3f9b5c35cb96d4fcc65ac06e81c70822f26eae281fd76ea5de0
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1E11E676504280DFCB16CF14D5C4B16BF72FB84318F24C6A9DC4A0B656C336D45ACBA1

Function 027ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1762609526.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27ed000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: c10a9228da64e2910ce092df3dd344efce5be71436aa4b71c4df4e8f6dd41dfa
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 0C118B75504280DFDB16CF14D5C4B16BBA5FB88228F24C6AAD84A4B696C33AD44ACB61

Analysis Process: DWKfptrbzzV.exePID: 8164, Parent PID: 7912COMMON

Executed Functions

Function 00E1C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 00E1F910

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: e7f5c0bedcd11156737f224eeced13b7a4514fb6b92f2d784995ecd1f7fcd9e7
Instruction ID: d7b419e2296bb1157c24a50d5a0409fd5e0ee15bb4c72ecd8c29a7d1d36b0528
Opcode Fuzzy Hash: e7f5c0bedcd11156737f224eeced13b7a4514fb6b92f2d784995ecd1f7fcd9e7
Instruction Fuzzy Hash: DB73D531D10B598EDB11EF68C854A99FBB1FF99300F11D69AE44977221EB70AAC4CF81

Function 00E19480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56eb8603327ee76cef5fb40dc9dc92d55938fad313971fe0eadeae7bde9fd60
Instruction ID: 6261d0a729baee57ab7ccbaced696ad054995c4cd852ff72ac8889a992cc2c8b
Opcode Fuzzy Hash: a56eb8603327ee76cef5fb40dc9dc92d55938fad313971fe0eadeae7bde9fd60
Instruction Fuzzy Hash: CFC19274E00218CFDB14DFA5D994B9DBBB2BF89300F2085AAD809AB355DB359E85CF10

Function 00E1C521 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2a77b199d2eab9157317951d57783b71757a787d3b5f8e76f9bf4ca810a401
Instruction ID: 0917eda9cb24b7151d6e0344c8c4fa6a21c805821db61f6edef5951c0c78959d
Opcode Fuzzy Hash: 2d2a77b199d2eab9157317951d57783b71757a787d3b5f8e76f9bf4ca810a401
Instruction Fuzzy Hash: 10A10271D016198EDB14DFA9C8846DDFBB1EF89300F14D6AAE418B7261EB70AAC5CF41

Function 00E19A30 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1d2c6b7a02f8d5b0f46c1eb329d5e75e680584583c888a1754d5b14c2724af
Instruction ID: d166232e386ae2bd0a0658e59cbfd19b9d49a770d74fe9972273fee11f75e41a
Opcode Fuzzy Hash: 1c1d2c6b7a02f8d5b0f46c1eb329d5e75e680584583c888a1754d5b14c2724af
Instruction Fuzzy Hash: 0CA10270D00608CFEB14DFA9D594BDDBBB1FF89304F209269E409AB2A2DB749985CF54

Function 00E19A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f92c0c2c973d1f5af0cc2864b3acd66ea7dfbec00de6a014492578931d697f
Instruction ID: f552f52d313cf23aeb0d179f981040a1abd2f72f0e1853fc0d0a02130b4c14a3
Opcode Fuzzy Hash: f5f92c0c2c973d1f5af0cc2864b3acd66ea7dfbec00de6a014492578931d697f
Instruction Fuzzy Hash: 39A1F370D00608CFEB14DFA9D594BDDBBB1FF89304F209269E409A72A2DB745985CF54

Function 00E19D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e928bf1acee4265c31d769ff64c5bcd018d7b668aa709a1f35c386f4f07d7a79
Instruction ID: 85a76693b5ec7170baa92086c30ec909201456b89f2afa2672ad4c5309ef7814
Opcode Fuzzy Hash: e928bf1acee4265c31d769ff64c5bcd018d7b668aa709a1f35c386f4f07d7a79
Instruction Fuzzy Hash: C891DE70900608CFEB14DFA8D998BDCBBB1FF49314F249269E409BB292DB749985CF54

Function 00E1946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29f3603ff59e5e94e35855c3252a8406c07c445ebab1594ce1ccbed6f47734b
Instruction ID: 2d7020f65dc113267cfd4f329d8882a7805a08b72c38ccd1f2a4fcaa45732e07
Opcode Fuzzy Hash: c29f3603ff59e5e94e35855c3252a8406c07c445ebab1594ce1ccbed6f47734b
Instruction Fuzzy Hash: 80410474D00648CBEB18CFAAD8546DDBBF2BF89300F24D12AD815BB255EB345946CF10

Function 00E1B500 Relevance: 6.6, Strings: 5, Instructions: 380COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00E1B6EA
8cq, xrefs: 00E1B941
Hbq, xrefs: 00E1B54E
Hbq, xrefs: 00E1B749
TJcq, xrefs: 00E1B97A

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: 8cq$Hbq$Hbq$Hbq$TJcq
API String ID: 0-1895975235
Opcode ID: c086674d09e64592e25e836c70ed337d200a42c8fe7f977d9ce113ab022a970c
Instruction ID: 866889d89be8ca7a966cda7bce0f86de11486fa0c659115cd2a31ed99def78c2
Opcode Fuzzy Hash: c086674d09e64592e25e836c70ed337d200a42c8fe7f977d9ce113ab022a970c
Instruction Fuzzy Hash: 6CD1C131B042048FDB15DB68C491AEE7BB7EF89324F245569E505EB3A1CB35DC82CBA1

Function 00E13F78 Relevance: 6.4, Strings: 5, Instructions: 126COMMON

Download Yara Rule

Strings

LjAp, xrefs: 00E14078
PH^q, xrefs: 00E140F2
PH^q, xrefs: 00E140E1
0oAp, xrefs: 00E13FDA
LjAp, xrefs: 00E14088

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 2fc3d0c0695f8cbfd9ec58ae9dcc2dc4e60885c05a4b25084cc0453717ab1bfa
Instruction ID: 193c1c441a81ba0affab81aea7e476a75006f1bafde2c0284f2e4edb4bc4ee9c
Opcode Fuzzy Hash: 2fc3d0c0695f8cbfd9ec58ae9dcc2dc4e60885c05a4b25084cc0453717ab1bfa
Instruction Fuzzy Hash: E951A074E00208DFCB48DFAAD59499DBBF2BF89310F249429E815BB364DB34A981CF50

Function 00E1AD3D Relevance: 5.5, Strings: 4, Instructions: 463COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00E1B1D3
Hbq, xrefs: 00E1B206
, xrefs: 00E1B015
Hbq, xrefs: 00E1B239

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: $Hbq$Hbq$Hbq
API String ID: 0-580995494
Opcode ID: 327a5878a9ceb874f8065e30134c95b17371c1b1f79849831cc3a4768f784379
Instruction ID: 49bebb76e6bfd93eabf9219b5582dcae41164a5dfd9de94d121785534adc1dac
Opcode Fuzzy Hash: 327a5878a9ceb874f8065e30134c95b17371c1b1f79849831cc3a4768f784379
Instruction Fuzzy Hash: 0861C130700544DBDB14AF7894292AE3BA2FF89364F254529F526AB3D0DF398D42CBA5

Function 00E1AF78 Relevance: 5.2, Strings: 4, Instructions: 224COMMON

Download Yara Rule

Strings

, xrefs: 00E1B065
Hbq, xrefs: 00E1B1D3
Hbq, xrefs: 00E1B206
Hbq, xrefs: 00E1B239

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: $Hbq$Hbq$Hbq
API String ID: 0-580995494
Opcode ID: ade71f8a15fe84a7756efcad7e123974073c94a7f2593d41cac068149e9b0402
Instruction ID: f633d0a055c1a70fa51ba670551feb3d2bf38146757feb555ec07c7511c72755
Opcode Fuzzy Hash: ade71f8a15fe84a7756efcad7e123974073c94a7f2593d41cac068149e9b0402
Instruction Fuzzy Hash: 3A71D531700544DBDF146F78D4592AE3AA3EF89364F214229F526A73D0DF398D42C755

Function 00E12B29 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00E12C95
Xbq, xrefs: 00E12CBE

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: e153fe7b51f88e32d4cc1dcb8b4080bad2ba7376acd81382668502ed16ccb91c
Instruction ID: 1b934c354ffa83d3f8e63b81158e34ef58ff16bfadd6f870e6336a265754eb89
Opcode Fuzzy Hash: e153fe7b51f88e32d4cc1dcb8b4080bad2ba7376acd81382668502ed16ccb91c
Instruction Fuzzy Hash: 7A81A33164824ECFDB3809284CA46FAAF619AED318744341EFBC366D45F5944CEB42D7

Function 00E1B869 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8cq, xrefs: 00E1B941
TJcq, xrefs: 00E1B97A

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: aded5d6241514bc64bb4e30977b81d9ba0b50182467788518043209ac16c3aff
Instruction ID: d17fd0da359f9e5d4f0909f801b6aa9b3976c22f087b7458aa4c7d41ee91f3e5
Opcode Fuzzy Hash: aded5d6241514bc64bb4e30977b81d9ba0b50182467788518043209ac16c3aff
Instruction Fuzzy Hash: DD311835B401098FCB45DFA8C580EDDBBB2EF88324F195594E505AB3A5CB70ED868BA1

Function 00E1B89D Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8cq, xrefs: 00E1B941
TJcq, xrefs: 00E1B97A

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: b1389d4a8c8464871f3fab29c5c11d4a40661eadbe52a33cc79c8a7840b85303
Instruction ID: b5b6f6d9a16ed4b0754d884d883fc38d900e77548b6c90a71d78e5a4e5495450
Opcode Fuzzy Hash: b1389d4a8c8464871f3fab29c5c11d4a40661eadbe52a33cc79c8a7840b85303
Instruction Fuzzy Hash: 9F313935B401098FCB45EFA8C580EDDBBB2EF88324F155054E505AB3A5CB70EC868BA0

Function 00E10B20 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00E10B62

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: aab629f7efbc5ebce32db7a95c192ce901720f961f6c8b9f72b74a86a13847b8
Instruction ID: eb7f2c3c2474536007ef7a19acb8010793f9ea10aa4d935b391469c099069778
Opcode Fuzzy Hash: aab629f7efbc5ebce32db7a95c192ce901720f961f6c8b9f72b74a86a13847b8
Instruction Fuzzy Hash: ACA1D27890530ACFCF45EFA8E99599DBBB1FF88704B104529D405AB369DB30AD45CF90

Function 00E10B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00E10B62

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: b9dcbb1bb531c18ac4e637aee60d092ca0f9adb8f5d08f0fedc042da89277eaf
Instruction ID: 2b314c1c9adb658e3be425d323801a1b50ea5ef27ca3f704a4a4243dae5a8d63
Opcode Fuzzy Hash: b9dcbb1bb531c18ac4e637aee60d092ca0f9adb8f5d08f0fedc042da89277eaf
Instruction Fuzzy Hash: 7FA1E178A0530ACFCF45EFA8E99599DBBB1FF84704B104529D405AB369DB30AD45CF90

Function 00E1BC28 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00E1BD2D

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: f1c724a9082bb06ebe078350e2282e1aa839da98ee98c9ab2cbd0a6c51e539be
Instruction ID: d111815c5a69879f403b952a25e12655e648882cbcea92346eee4cae32b1812a
Opcode Fuzzy Hash: f1c724a9082bb06ebe078350e2282e1aa839da98ee98c9ab2cbd0a6c51e539be
Instruction Fuzzy Hash: 7F419F31B002489FDB04ABB9D8566AE7FFAEF89340B1444B9F505DB392DE349D42C7A1

Function 00E1BDE8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00E1BE36

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 7d299136e3a60f02c6207f713be0111207f733c85008b87a3c42892c6091aed2
Instruction ID: 81fc4f2fe813d5d794de3cc9dd0f7b10943d5cab58e2a2c742137fb4b4805ce1
Opcode Fuzzy Hash: 7d299136e3a60f02c6207f713be0111207f733c85008b87a3c42892c6091aed2
Instruction Fuzzy Hash: B53182357001099FDB04EF79C895AAE7BB6FF99310F248069E50697365CF359D42CB90

Function 00E1BF80 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc29c6cfe7d0356529f1e60faf0cdffd1ce5997bbdbbaed79c6cb6eb76bdf6a
Instruction ID: fffa61c637513f79558da3e22cf88e60736a5e52e642dd8bc358ecdff35f9bf3
Opcode Fuzzy Hash: 9fc29c6cfe7d0356529f1e60faf0cdffd1ce5997bbdbbaed79c6cb6eb76bdf6a
Instruction Fuzzy Hash: CD61D176B406059FCB14CEB9D8909EEBBF5FBCC324B24952AE519E7740DA31DC8187A0

Function 00E13168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51cf7da5e38801a34ddb0150dec248429986d90d81f570187ddb3cf767cae47
Instruction ID: b024927d6d5c8d87c24d014ce0ead8750eaa0fe1d334374eaae3b56c810ef6b5
Opcode Fuzzy Hash: d51cf7da5e38801a34ddb0150dec248429986d90d81f570187ddb3cf767cae47
Instruction Fuzzy Hash: 16418B74E012089FCB08DFAAD89499DBBF2BF89310F249569E805BB364DB359981CB54

Function 00E19249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d87ceba050224004ea18587f0232be049aa084721ab5e98e2298ca14d6cb6f
Instruction ID: 01859e425ecb28a37e1247ff27065408861b66a6ef5d7bdfcced272a8ed7519a
Opcode Fuzzy Hash: 98d87ceba050224004ea18587f0232be049aa084721ab5e98e2298ca14d6cb6f
Instruction Fuzzy Hash: 0431A830032A0ADFC2406B69A5AE27EBFA0FB0F363B04AD04F11A815159F78448ACB21

Function 00E118C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39445af3dfc6761a56b92489b6a156ee402319c5373025d320632f39b947415
Instruction ID: edf41d9bf1e4258ee7874ba04f96e7d2def3a95d10a64b42971960717f8e69d5
Opcode Fuzzy Hash: f39445af3dfc6761a56b92489b6a156ee402319c5373025d320632f39b947415
Instruction Fuzzy Hash: 2021B071A001069FCF14DF34C4509EE37A5EBDA768B10C05AD95EAB240EA34EE46CBD2

Function 00DBD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2962878429.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_dbd000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8136cc4e66e93338057b020f66cf2c8e868ba8184eee5c3c1445add7fc50ab24
Instruction ID: eaca8b1712aafe791a3bff86f2d05661b75faeb89ae8f0c9fdb170b9826af570
Opcode Fuzzy Hash: 8136cc4e66e93338057b020f66cf2c8e868ba8184eee5c3c1445add7fc50ab24
Instruction Fuzzy Hash: 5521FF71604204DFCB14EF14D9C0B66BBA6EB84314F24C66DE84A4B296D33AD846CA72

Function 00DBD005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2962878429.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_dbd000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc7e44dce3d4a6760225393058bd9614c1fdfb6f7d5b08c0403ef495a0496ce
Instruction ID: 08870f16ec5fab47273523bbae87d579f539a84402a16edeeb0a2b5530e39d85
Opcode Fuzzy Hash: 5cc7e44dce3d4a6760225393058bd9614c1fdfb6f7d5b08c0403ef495a0496ce
Instruction Fuzzy Hash: 65215C7150D3C09FCB03DB24D994751BF71AB46214F29C5DBD8898F2A7D23A980ACB62

Function 00E10EC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b953a596b3e7d20ddcaf4320dfb877bf75f86f404879e9ed29af2076054b00bb
Instruction ID: 0869001b2406a1e2bbb970d3837695f9d9509a4526009ca914410198f97eb995
Opcode Fuzzy Hash: b953a596b3e7d20ddcaf4320dfb877bf75f86f404879e9ed29af2076054b00bb
Instruction Fuzzy Hash: E5216074E04208DFCB04EFA9D4546EEBBB2FF89304F10C4A9A415AB395CBB49A85CF51

Function 00E117B8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77e4efffe5b850bf1e11e44d8688b8e4d35feb584f9f0ea71fd5881228c6a4b
Instruction ID: e1d1d2a679c9d1b7fb28770f5ba197b0196e0fdb21afcdb6cd1bc17856622c29
Opcode Fuzzy Hash: b77e4efffe5b850bf1e11e44d8688b8e4d35feb584f9f0ea71fd5881228c6a4b
Instruction Fuzzy Hash: 7E2128B0D0524ACFCB05EFA8D8545EEBFF0EF0A304F1451AAD445B7261EB345A85CBA1

Function 00E1BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4ffb6d8c07072b653a4180600aabaf45b3a071ce268d874bd5947f88e2e7cb
Instruction ID: 88a4a9e7e49930f2237c80c7afdfb5fe430ccea3dba4c17382393393ce46858f
Opcode Fuzzy Hash: 7f4ffb6d8c07072b653a4180600aabaf45b3a071ce268d874bd5947f88e2e7cb
Instruction Fuzzy Hash: 5D114C767042048FC714DB69E988E9AB7F6FF98725B208469E14ACB774CB71EC44CB50

Function 00E14850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7fae9cf81992771a650d25d276ebc328c95cdd27d4bc897236642a4010d1ea
Instruction ID: c7880a6cf7ce438a2a343b569544c84f82b49f03345271857f0c2f923047aff5
Opcode Fuzzy Hash: cb7fae9cf81992771a650d25d276ebc328c95cdd27d4bc897236642a4010d1ea
Instruction Fuzzy Hash: F101F172F002024FE728AB79985867B27E7AF88318314843AD909DB3A4FE34DC028791

Function 00E1BB37 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe891dfe4f98c011d54c571fb4fdff820ec9b984109b56ff49678df4a7eb56
Instruction ID: 8f5971d73a8a49bcfede577483fc29b2544fec269b6387b5f7ae7264ccdaa83a
Opcode Fuzzy Hash: f8fe891dfe4f98c011d54c571fb4fdff820ec9b984109b56ff49678df4a7eb56
Instruction Fuzzy Hash: AF1157327042008FD718DF6AD988F9AB7E6FF89724F108469E14A8B764CB71EC85CB10

Function 00E14860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03261244b0368e221e60ce911423c87d1624e7eecbdbf456865646f6866eec84
Instruction ID: d8491221232e530b1f383a2b6e1b2fec1a523094f2c11c1b2097207ce2693171
Opcode Fuzzy Hash: 03261244b0368e221e60ce911423c87d1624e7eecbdbf456865646f6866eec84
Instruction Fuzzy Hash: 5101A272B002125FE718AB79985866F76EBAFC4728310483AD909D7354FE70DC024792

Function 00E1A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f465d8a3bbc317e8b60c13415163254f800123e7b2a0d36a1875bccc9fb37229
Instruction ID: 35137cbc7c6be8d007b4d8ea5f9633ddd5509755ad0acaf61c93ee46337b3a99
Opcode Fuzzy Hash: f465d8a3bbc317e8b60c13415163254f800123e7b2a0d36a1875bccc9fb37229
Instruction Fuzzy Hash: 48014C75A106199FCB14DFA9D8495AE7FB6FB88350B104439F91A93241DE348D11CBA1

Function 00E1A4F9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac648426fb885656d4f465b837fc58c93ab0c51b87b0072cd7f52920190a670f
Instruction ID: 3312fec940f8bdade61061655b60e65e1440623880d28d9f10cedc0b5839ebc7
Opcode Fuzzy Hash: ac648426fb885656d4f465b837fc58c93ab0c51b87b0072cd7f52920190a670f
Instruction Fuzzy Hash: B7015A71A1460AAFCB11DF68E8559EE7FB5FB88310B10403AF969A3241DB348D11CBA2

Function 00E1BEF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cd066de80993d08e336de337c9d3ce143191bf9ec55f8e228f477b1638817a
Instruction ID: 109fe2cdece89e6d0cf4e957bd391b56ea13a0e500e09b0b4e565b9a922c830e
Opcode Fuzzy Hash: 86cd066de80993d08e336de337c9d3ce143191bf9ec55f8e228f477b1638817a
Instruction Fuzzy Hash: 77F0C2327102489BCB152AB8A8095AD3FEAEBC9710F14446AF60AC7381DE79CC43CB90

Function 00E1C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42f5d6c319978f8bb2afb0200605eabcfb67cb341d0fa9057404a31c9f5eb27
Instruction ID: 337e296522fdb4c94cba87e63fba9c7ccde5ed4b93f164f6546c9462a86f5dfa
Opcode Fuzzy Hash: a42f5d6c319978f8bb2afb0200605eabcfb67cb341d0fa9057404a31c9f5eb27
Instruction Fuzzy Hash: 3CF02032B406209BCB19566AE4109AEB7EAEFC4730710007AF009EB351CF32CC028790

Function 00E1B9EA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7128dffda41c5f1bba6cebfbbbadf31b29442d5880535c477f6e48a08b028959
Instruction ID: 6aa2d1039207696f326d1196d765b8406ae08e5a189bc84832d80cfa077a6b7a
Opcode Fuzzy Hash: 7128dffda41c5f1bba6cebfbbbadf31b29442d5880535c477f6e48a08b028959
Instruction Fuzzy Hash: BAF0B472904208AF8B50DFAED8819DFBBF5FF88350B04453AE505E3605D770A941CBE1

Function 00E146C9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f668e4c9e9d2541e4fcc9c0b5ab6abfced6b0916ef66da9c583b3c5a26ad5a7
Instruction ID: 41f4313835534f3054dfd745c70964f91c715d56a9ca81c69f01a91cddf65ebc
Opcode Fuzzy Hash: 3f668e4c9e9d2541e4fcc9c0b5ab6abfced6b0916ef66da9c583b3c5a26ad5a7
Instruction Fuzzy Hash: 36F01574525B42CFD3122F60BCAC3AA7BB1EF0B307B452E41E00AC1276CF7044008A34

Function 00E1B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fbac7dfc8cb55bf16b8de5a582a52c59e3429954e0b04a62c4292b430298bd
Instruction ID: da7668d1bd6380a4a2cc1d6b42e3fe04833d581bd0080860647cbc973c02d39b
Opcode Fuzzy Hash: c2fbac7dfc8cb55bf16b8de5a582a52c59e3429954e0b04a62c4292b430298bd
Instruction Fuzzy Hash: 72F08271A042089F8B50DFAED8409DFFBF5FB88350B10453AE519E3611E770AA558BE1

Function 00E146D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cd51f535ab41ef736f2754e31bbf9c13d2745dbcb116940368f68923d66bd5
Instruction ID: aa8413cefba6fdec6062df5c9f5a7cfcf02f88d430692c7c3928f04ce710095c
Opcode Fuzzy Hash: e2cd51f535ab41ef736f2754e31bbf9c13d2745dbcb116940368f68923d66bd5
Instruction Fuzzy Hash: DDE09930422B03CBD6613F60B9AC37A7BA5EB0B317B802E00A00ED12798F7094448A34

Function 00E11877 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4a3e17645e290992893b28444263542d369ae7062296f338fc069a7894c76f
Instruction ID: 120a1dd01c5773de529bc4671fa7e06eb8b69f1e9dc9f88f84ad8eadc52b54c5
Opcode Fuzzy Hash: cd4a3e17645e290992893b28444263542d369ae7062296f338fc069a7894c76f
Instruction Fuzzy Hash: 54E08635D1062ACBC701BFB4E8440EEBB74EEC5315B5685A7C0A837161EF30266EC792

Function 00E11888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5934d63e48b142b65ccf912d5d397addb4ae9489b4b69ed43e0b3db334dcebe
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: f5934d63e48b142b65ccf912d5d397addb4ae9489b4b69ed43e0b3db334dcebe
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 00E14831 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47773b064400f64430beb9f7959d9296dbb117366f4d9edb66ce62160f59a8a2
Instruction ID: 8b484fb8ba06188f51481747434ad49db342dd0be97567cbd9cd5cdb94c9f7f2
Opcode Fuzzy Hash: 47773b064400f64430beb9f7959d9296dbb117366f4d9edb66ce62160f59a8a2
Instruction Fuzzy Hash: 40C04CA540D6CA5BEB178A5064760557B60E91730876508CFC0428904B9518D9058709

Non-executed Functions

Function 00E11A40 Relevance: 5.1, Strings: 4, Instructions: 93COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00E11B7C
Xbq, xrefs: 00E11A76
Xbq, xrefs: 00E11AB0
Xbq, xrefs: 00E11B2F

Memory Dump Source

Source File: 0000000B.00000002.2963237592.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_DWKfptrbzzV.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: eada892025a4367bd61d383f46c620098e1d884024d05919a0ad4f2c150801e1
Instruction ID: e9c1db280229e7f8a027e6218ad168f285bd0c6a5eadfbec3bbd772fa5351227
Opcode Fuzzy Hash: eada892025a4367bd61d383f46c620098e1d884024d05919a0ad4f2c150801e1
Instruction Fuzzy Hash: 66316030E0421E8BDF649B6989407EEBBA6AF84314F1554A9C659B7254EB30CDC0CB92

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Contrarre.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Contrarre.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DWKfptrbzzV.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0qu3gam.4dg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddnza5ve.txp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dennhzjv.3gz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1xeu1is.11h.ps1

C:\Users\user\AppData\Local\Temp\tmp303B.tmp

C:\Users\user\AppData\Local\Temp\tmp3F7E.tmp

C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe

C:\Users\user\AppData\Roaming\DWKfptrbzzV.exe:Zone.Identifier

Static File Info

Windows Analysis Report
Contrarre.exe

Function 063480B8 Relevance: 6.9, Strings: 5, Instructions: 651
COMMON

Function 03034208 Relevance: 3.1, Strings: 2, Instructions: 588
COMMON

Function 03037D98 Relevance: 3.1, Strings: 2, Instructions: 580
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre